Foundation and Supplemental Topics
General Routing Principles

Although your PIX Firewall is not a router, it does need to provide certain routing and switching functionality. Whenever your PIX Firewall processes valid traffic, it must determine which interface provides the correct path to the destination network. It may also have to tag the traffic for the appropriate VLAN. Not only can your PIX Firewall route valid unicast traffic, you can also configure it to forward multicast traffic. Sending a stream to a multicast group address enables multiple systems to receive data that otherwise would have to be sent separately to each individual system. This chapter focuses on the following three features that enable your PIX Firewall to route and switch traffic effectively:
- Ethernet VLAN tagging
- IP routing
- Multicast routing
Ethernet VLAN Tagging

To carry traffic for different virtual LANs (VLANs) across a single link on your switched network, Ethernet frames can be tagged with a VLAN identifier that indicates the VLAN to which the traffic belongs. Ethernet tagging enables you to pass traffic for different VLANs across the same Layer 2 interface. The following sections explain how to use Ethernet VLAN tagging with your PIX Firewall.

Understanding VLANs

At the Ethernet layer, you can partition your network using VLANs. These VLANs limit the scope of broadcast traffic on your network because each VLAN represents an individual broadcast domain. By dividing your switched network using VLANs, you improve the security of your network by limiting the scope of the broadcast traffic that is vital to its operation, such as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) traffic: a host in one VLAN cannot see, or answer, the ARP and DHCP requests of hosts in another.

Understanding Trunk Ports

Usually, you configure a switch port as a member of a specific VLAN. This automatically associates all of the regular (untagged) Ethernet traffic received on that port with that VLAN. Sometimes, however, you may want a single port to carry traffic for multiple VLANs. A switch port that accepts traffic for multiple VLANs is known as a trunk port. To differentiate between the VLANs, each frame is tagged with a specific VLAN identifier. This identifier tells the switch to which VLAN the traffic needs to be forwarded. By using trunk links on your switch, your PIX Firewall can send and receive traffic for multiple VLANs using only a single physical interface.

Understanding Logical Interfaces

Your PIX Firewall has a limited number of physical interfaces. This limits the number of Layer 3 networks to which the PIX Firewall can be directly connected. If you use VLANs to segment your network into smaller broadcast domains, each of these VLANs represents a different Layer 3 network. By using logical interfaces, you can accommodate multiple VLANs by using trunk links on your switch ports and configuring multiple logical interfaces on a single physical interface on your PIX Firewall. Logical interfaces overcome the physical interface limitation by enabling a single physical interface to handle multiple logical interfaces. Table 9-2 shows the maximum number of interfaces allowed with a restricted license, and Table 9-3 shows the maximum number of interfaces allowed with an unrestricted license.

Table 9-2. Maximum Interfaces for Restricted License

| Cisco Secure PIX Model | Total Interfaces | Physical Interfaces | Logical Interfaces |
|---|---|---|---|
| 515E | 5 | 3 | 5 |
| 525 | 8 | 6 | 6 |
| 535 | 10 | 8 | 8 |
Table 9-3. Maximum Interfaces for Unrestricted License

| Cisco Secure PIX Model | Total Interfaces | Physical Interfaces | Logical Interfaces |
|---|---|---|---|
| 501 | 2 | 2 | Not supported |
| 506E | 2 | 2 | Not supported |
| 515E | 10 | 6 | 8 |
| 525 | 12 | 8 | 10 |
| 535 | 24 | 10 | 22 |

Note: VLANs are not supported on the PIX 501 and PIX 506/506E.

Note: The maximum number of logical interfaces that you can use is equal to the total number of interfaces available minus the number of physical interfaces that you currently have configured on your PIX Firewall.

Unique VLAN tags differentiate the traffic to each logical interface. Currently, the PIX Firewall supports configuring multiple 802.1Q VLANs on a physical port and can send and receive 802.1Q tagged packets. The PIX Firewall does not perform any trunk negotiation and does not participate in bridging protocols; the switch port facing it must therefore be configured as a trunk by hand. To create a logical interface on the PIX Firewall, you use the interface command, the syntax for which is as follows:

interface hardware-id vlan-id [ physical | logical ] [ shutdown ]
The parameters for the interface command are shown in Table 9-4.

Table 9-4. interface Command Parameters

| Parameter | Description |
|---|---|
| hardware-id | Specifies the network interface on which the command will be applied (such as Ethernet0) |
| vlan-id | The VLAN identifier to be associated with either the logical or the physical interface |
| physical | Keyword indicating that the command applies to the physical interface itself |
| logical | Keyword indicating that the command applies to a logical interface instead of the physical interface |
| shutdown | Keyword indicating that the interface should be administratively shut down |

Suppose that interface Ethernet0 on your PIX Firewall is connected to VLAN 30 and that you want to configure three logical interfaces on that same physical interface for VLAN 40 through VLAN 42. The commands to accomplish this are as follows:

pix515a(config)# interface Ethernet0 vlan30 physical
pix515a(config)# interface Ethernet0 vlan40 logical
pix515a(config)# interface Ethernet0 vlan41 logical
pix515a(config)# interface Ethernet0 vlan42 logical
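The following Python script is an added example, not part of the original chapter or of Cisco's software. It builds and parses 802.1Q-tagged Ethernet frames and shows how frames arriving on the trunk would be sorted between the physical interface (native VLAN 30) and the logical interfaces for VLANs 40 through 42 configured above. Two behaviours are assumptions made for the example rather than anything documented on this page: frames tagged with a VLAN that has no configured interface are dropped, and priority-tagged frames (VID 0) are treated as untagged.

```python
"""802.1Q tag parsing and mapping to PIX physical/logical interfaces (added example)."""
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

# Interface plan from the chapter's example: VLAN 30 on the physical Ethernet0,
# VLANs 40-42 as logical interfaces on the same port.
NATIVE_VLAN = 30
LOGICAL_VLANS = {40, 41, 42}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame, inserting a 4-byte 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VID must be 0..4094 (4095 is reserved)")
        # TCI = 3-bit priority (PCP), 1-bit DEI (left clear), 12-bit VID
        tci = (pcp & 0x7) << 13 | (vlan_id & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan_id (None when untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0xFFF, 18
        if vlan_id == 0:
            # Priority-tagged frame: carries a PCP but no VLAN membership
            # (assumption: treat it like an untagged frame).
            vlan_id = None
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame: bytes, native_vlan: int = NATIVE_VLAN,
             logical_vlans: set = LOGICAL_VLANS) -> str:
    """Decide which PIX interface a frame arriving on the trunk belongs to.

    Untagged frames belong to the physical interface's native VLAN; tagged
    frames go to the matching logical interface. A VID with no configured
    interface is dropped (assumption made for this example).
    """
    info = parse_frame(frame)
    vid = info["vlan_id"]
    if vid is None or vid == native_vlan:
        return f"physical (vlan{native_vlan})"
    if vid in logical_vlans:
        return f"logical vlan{vid}"
    return "drop (no interface for this VLAN)"


if __name__ == "__main__":
    # Constructed sample MAC addresses and a dummy IPv4 payload.
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    for vid in (None, 30, 41, 99):
        frame = build_frame(dst_mac, src_mac, 0x0800, b"\x45" + b"\x00" * 19, vlan_id=vid)
        print(f"VID {vid!s:>4}: {classify(frame)}")
```

Because the native VLAN travels untagged, a frame the switch forwards without a tag and a frame explicitly tagged with VLAN 30 both land on the physical interface, which is why the note below says the physical interface's VLAN is the native VLAN.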
Note: The VLAN assigned to the physical interface represents the native VLAN, that is, the VLAN of the untagged frames on the trunk. You do not need to assign a VLAN to the physical interface in order to assign logical interfaces to it.

Managing VLANs

After you create your logical interfaces, you also need to assign the following parameters to each logical interface:
- Interface name
- Security level
- IP address
Using the nameif command, you assign an interface name and a security level to a logical interface. The syntax for the nameif command is as follows:

nameif { hardware-id | vlan-id } interface-name security-level

Table 9-5 shows the parameters for the nameif command.

Table 9-5. nameif Command Parameters

| Parameter | Description |
|---|---|
| hardware-id | Specifies the network interface on which the command will be applied (such as Ethernet0) |
| vlan-id | The VLAN identifier associated with the logical interface |
| interface-name | The name to be assigned to the specified interface |
| security-level | The security level for the specified interface, in the range 0 to 100; 0 is the least trusted level (the outside interface) and 100 the most trusted (the inside interface) |

Finally, you complete your logical interface configuration by assigning an IP address to the logical interface. To assign an IP address to an interface, you use the ip address command. The syntax for this command is as follows:

ip address interface-name ip-address [ netmask ]

The optional netmask sets the subnet mask for the interface.
NoteThe interface-name corresponds to the name that you assigned with the nameif command.
IP Routing

At the IP layer, your PIX Firewall routes traffic based on the destination IP addresses in the network traffic. It does not provide all the functionality of a router, but it does enable you to define the following two types of routes:
- Static routes
- Dynamic routes
Static Routes

Static routes are manually configured routes that do not change frequently. They direct your PIX Firewall to send traffic destined for a specific network to a specific router that has connectivity to that network. Static routes are perhaps best explained with a network example. Figure 9-1 illustrates a simple network with hosts on both the 10.10.10.0 and 10.10.20.0 networks.
Figure 9-1.Static Routes
When you configure the inside interface on the PIX Firewall with the address 10.10.10.1 and a Class C mask (255.255.255.0), the PIX Firewall automatically creates a route that sends traffic for the 10.10.10.0 network out the inside interface (identified by the keyword CONNECT when viewing the routes). The PIX Firewall may also receive traffic for the host whose IP address is 10.10.20.10. By default, the PIX Firewall has no route for 10.10.20.10 and does not know where to send that traffic. To tell the PIX Firewall where to send traffic for 10.10.20.10, you configure a static route with the route command. The syntax for the route command is as follows:

route interface-name destination-ip netmask gateway [ metric ]

The parameters for the route command are explained in Table 9-6. Using the network in Figure 9-1, you can define a static route for the 10.10.20.0 network with the following command:

pix515a(config)# route inside 10.10.20.0 255.255.255.0 10.10.10.2 1
Table 9-6. route Command Parameters

| Parameter | Description |
|---|---|
| interface-name | The name of the PIX Firewall interface through which the traffic travels to reach the destination network (the name assigned with the nameif command). |
| destination-ip | The destination IP address(es) of the traffic to which the route pertains. |
| netmask | The network mask of the route, which indicates the range of addresses covered by the route (for example, a Class C network covers 256 addresses and is specified as 255.255.255.0). |
| gateway | The IP address of the gateway to which the routed traffic will be sent. |
| metric | The cost of the route, normally the number of hops to the destination network. When multiple routes match a destination, this value is used to choose the best one. |
Default Route

Configuring multiple routes can be a time-consuming task, especially for traffic bound for the Internet. Therefore, you can create a special route known as a default route. This route is used for any traffic that does not match any other route on the system. When configuring the default route, you use a destination IP address of 0.0.0.0 and a netmask of 0.0.0.0.

Instead of using the address of a gateway router when you configure a static route, you can specify the IP address of one of the PIX Firewall's own interfaces. When you create a route in this manner, the PIX Firewall has no next-hop address to which to send the traffic. Therefore, the PIX Firewall broadcasts an ARP request for the destination address on the specified interface. Any router that has a route to the destination can answer with a proxy ARP reply (using its own interface's Ethernet address), and the PIX Firewall adds an entry for the destination IP address to its ARP cache and sends the traffic to that router.

Note: Although you can configure the PIX Firewall to rely on ARP in this way to discover where to send traffic, this configuration is not recommended. ARP is an unauthenticated protocol, so any host on the segment can answer the request and attract the traffic to itself; this configuration poses a security risk.

Static routes are stored in your PIX Firewall configuration and restored when your PIX Firewall is reloaded. To view the routes on your PIX Firewall, you use the show route command. This command displays all the routes in the PIX Firewall's routing table, as shown in Example 9-1.

Example 9-1. Output of the show route Command

pix515a# show route
        intf5 0.0.0.0 0.0.0.0 10.89.141.1 1 OTHER static
        inside 10.10.10.0 255.255.255.0 10.10.10.1 1 CONNECT static
        inside 10.10.20.0 255.255.255.0 10.10.10.2 2 OTHER static
        intf5 10.89.141.0 255.255.255.0 10.89.141.80 1 CONNECT static
        intf4 172.16.1.0 255.255.255.0 172.16.1.1 1 CONNECT static
        outside 192.168.10.0 255.255.255.0 192.168.10.80 1 CONNECT static
pix515a#
The static routes with the keyword CONNECT are routes created automatically when you define the IP address of an interface. The routes with the OTHER keyword are static routes that have been entered manually. Sometimes you may want to remove the static routes that you have configured. You can do this with the clear route command.

Note: You can also remove an individual route by placing the no keyword in front of the original command used to create it.

Dynamic Routes

Besides the static routes that you create manually, the PIX Firewall also supports some dynamic routing functionality. Dynamic routes are created by routing protocols that automatically add entries to the PIX Firewall's routing table. The PIX Firewall supports the following two routing protocols, but only one can be active on a single PIX Firewall:
- Routing Information Protocol (RIP)
- Open Shortest Path First (OSPF)
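Before turning to the two routing protocols, the following Python script is an added example (not part of the chapter) that parses the show route output of Example 9-1 and performs the lookup the PIX Firewall performs for a destination: the longest matching prefix wins, the lowest metric breaks ties, and the 0.0.0.0/0 default route matches only when nothing more specific does. The sample table is copied from Example 9-1. The CONNECT/OTHER handling in next_hop, resolving the destination itself on a CONNECT route and sending to the gateway otherwise, follows the description above; the function names are the example's own.

```python
"""Longest-prefix lookup over parsed `show route` output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the routing table from Example 9-1, one route per line.
SHOW_ROUTE_OUTPUT = """\
intf5 0.0.0.0 0.0.0.0 10.89.141.1 1 OTHER static
inside 10.10.10.0 255.255.255.0 10.10.10.1 1 CONNECT static
inside 10.10.20.0 255.255.255.0 10.10.10.2 2 OTHER static
intf5 10.89.141.0 255.255.255.0 10.89.141.80 1 CONNECT static
intf4 172.16.1.0 255.255.255.0 172.16.1.1 1 CONNECT static
outside 192.168.10.0 255.255.255.0 192.168.10.80 1 CONNECT static
"""


@dataclass(frozen=True)
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int
    kind: str  # "CONNECT" (interface route) or "OTHER" (manually entered)


def parse_show_route(text: str) -> List[Route]:
    """Parse the six-column `show route` lines; prompt lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].endswith("#"):
            continue
        iface, dest, mask, gw, metric, kind = fields[:6]
        # IPv4Network accepts the dotted "address/netmask" form used by the PIX.
        routes.append(Route(iface,
                            ipaddress.IPv4Network(f"{dest}/{mask}"),
                            ipaddress.IPv4Address(gw),
                            int(metric), kind))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefix lengths the lowest metric wins.

    The 0.0.0.0/0 default route has prefix length 0, so it is chosen only
    when no more specific route covers the destination.
    """
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: List[Route], destination: str) -> Optional[Tuple[str, str]]:
    """Return (interface, address the PIX must ARP for).

    On a CONNECT route the destination is on the attached segment, so the PIX
    resolves the destination itself; on an OTHER route it hands the packet to
    the configured gateway.
    """
    route = lookup(routes, destination)
    if route is None:
        return None
    if route.kind == "CONNECT":
        return (route.interface, destination)
    return (route.interface, str(route.gateway))


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE_OUTPUT)
    for host in ("10.10.20.10", "10.10.10.5", "198.51.100.7"):
        print(f"{host:15} -> {next_hop(table, host)}")
```

Running it shows 10.10.20.10 leaving via inside to the 10.10.10.2 router (the static route added earlier, metric 2), 10.10.10.5 resolved directly on the inside segment, and an Internet address such as 198.51.100.7 falling through to the default route on intf5.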
The PIX Firewall can learn new routes from RIP routing broadcasts, but it cannot propagate the routes it learns to other devices. With OSPF, the PIX Firewall learns new routes and can also propagate that information to other devices.

Note: Authentication should be used with all routing protocols whenever possible. Route redistribution between OSPF and other protocols (such as RIP) is a prime target for attackers. By subverting the routing information, an attacker can potentially steer traffic around your defined security configuration.

Configuring RIP

To enable the PIX Firewall to learn new routes from RIP routing updates, you use the rip command. The syntax for the rip command is as follows:

rip if-name { default | passive } [ version { 1 | 2 } ] [ authentication { text | md5 } key key_id ]
Table 9-7 describes the parameters for the rip command.

Table 9-7. rip Command Parameters

| Parameter | Description |
|---|---|
| if-name | The name of the interface to which the RIP configuration applies (the name assigned with the nameif command). |
| default | Keyword indicating that you want to broadcast the address of the specified interface as a default route. |
| passive | Enables passive RIP on the interface. The PIX Firewall listens for RIP routing updates and uses the information received to populate its routing table. |
| version | Keyword used to specify the version of RIP to use. It must be followed by 1 or 2. |
| authentication | Keyword that enables RIP version 2 authentication. |
| text | Keyword indicating clear-text authentication: the key travels in each update as a plain password, readable by anyone who can sniff the segment. |
| md5 | Keyword indicating that updates are authenticated with an MD5 digest computed over the update and the shared key; the key itself is never transmitted. |
| key | The shared key used to authenticate routing updates (it does not encrypt them). This key is a text string of up to 16 characters. |
| key_id | The key identification value, in the range 1 to 255. The same key_id must be used on all of your RIP-enabled devices that communicate with one another. |

By configuring RIP on a specific PIX Firewall interface, your firewall listens for RIP routing updates and uses them to update its routing table. The PIX Firewall cannot distribute this information to other devices. It can, however, broadcast the address of one of its interfaces as a default route. To turn off RIP on a specific interface, you place the no keyword in front of the original rip configuration command. You can also remove all RIP configuration commands from your configuration with the clear rip command. Suppose that you want to enable passive RIP on the outside interface using MD5 authentication, with MYKEY as the key and a key_id of 2. The command to accomplish this is as follows:

pix515a(config)# rip outside passive version 2 authentication md5 MYKEY 2

Prefer md5 over text wherever the neighbouring routers support it: clear-text authentication only guards against accidental misconfiguration, not against an attacker who can see or inject RIP updates on the segment.
Note: Because authentication is supported only with RIP version 2, you must specify version 2 in the command. The default is RIP version 1.

OSPF Overview

Route propagation and greatly reduced convergence times are two of the many benefits of using OSPF. OSPF is widely deployed in large internetworks because of its efficient use of network bandwidth and its rapid convergence after changes in topology. The PIX Firewall implementation supports intra-area, interarea, and external routes. The redistribution of static routes into OSPF processes and route redistribution between OSPF processes are also supported.

Note: The PIX 501 does not support OSPF.

An OSPF router that has interfaces in multiple areas is called an Area Border Router (ABR). A router that redistributes routes from, or imports external routes (Type 1 or Type 2) into, an OSPF routing domain is called an Autonomous System Boundary Router (ASBR). An ABR uses link-state advertisements (LSAs) to send information about available routes to other OSPF routers. Using ABR Type 3 LSA filtering, you can have separate private and public areas with the PIX Firewall acting as the ABR. Type 3 LSAs (interarea routes) can be filtered from one area to another. This lets you use NAT and OSPF together without advertising your private networks. The PIX Firewall supports the following OSPF features:
- Support for intra-area, interarea, and external routes
- Support for virtual links
- Authentication for OSPF packets
- The capability to configure the PIX Firewall as a designated router, ABR, and limited ASBR
- ABR Type 3 LSA filtering
- Route redistribution
Note: Your PIX Firewall can filter only Type 3 LSAs. If you configure your PIX Firewall to function as an ASBR in a private network, information about your private networks will be sent to the public interfaces, because the Type 5 LSAs describing the private networks are flooded to the entire autonomous system (including the public areas) unless you configure two separate OSPF processes.

OSPF Commands

To configure OSPF on your PIX Firewall, you use various commands. To enable OSPF on your PIX Firewall, you use the router ospf command. The syntax is as follows:

router ospf pid

The pid is a unique identifier for the OSPF routing process, in the range 1 to 65535. Each OSPF routing process on a single PIX Firewall must have a unique pid, and PIX Firewall Version 6.3 supports a maximum of two OSPF routing processes. After you issue the router ospf command, the PIX command prompt enters a subcommand mode indicated by a prompt similar to the following:

pix515a(config-router)#
In subcommand mode, you can configure various OSPF parameters (see Table 9-8).

Table 9-8. router ospf Subcommand Options

| Parameter | Description |
|---|---|
| area | Configures OSPF areas |
| compatible | Runs OSPF in RFC 1583 compatible mode |
| default-information | Distributes a default route |
| distance | Configures administrative distances for the OSPF process |
| ignore | Suppresses syslog messages for receipt of Type 6 (MOSPF) LSAs |
| log-adj-changes | Logs OSPF adjacency changes |
| network | Adds interfaces to or removes them from the OSPF routing process |
| redistribute | Configures route redistribution between OSPF processes |
| router-id | Configures the router ID for an OSPF process |
| summary-address | Configures a summary address for OSPF redistribution |
| timers | Configures timers for an OSPF process |

Using the network command, you define which interfaces run OSPF. The network command also lets you add networks to or remove them from the OSPF routing process and define the OSPF area for each network. The syntax for the network command is as follows:

network prefix-ip-address netmask area area-id
The parameters for the network command are shown in Table 9-9.

Table 9-9. network Command Parameters

| Parameter | Description |
|---|---|
| prefix-ip-address | IP address of the network being configured. |
| netmask | The network mask, which indicates the range of addresses covered (for example, a Class C network covers 256 addresses and is specified as 255.255.255.0). |
| area | Keyword indicating that the area information follows. |
| area-id | The ID of the area to be associated with this OSPF address range. |

OSPF advertises routes to networks. To prevent information about your private network from being advertised, you need to filter LSAs. The prefix-list and area commands enable you to filter Type 3 LSA advertisements. This filtering is based on the prefix list defined with the prefix-list command. Once configured, only the specified prefixes are sent from one area to another; all other prefixes stay within their OSPF area. The syntax for the prefix-list command is as follows:

prefix-list list-name [ seq seq-number ] { permit | deny } prefix/len
Note: Unlike the other OSPF configuration commands, the prefix-list command is executed from global configuration mode instead of the OSPF subcommand mode.

Table 9-10 shows the parameters for the prefix-list command.

Table 9-10. prefix-list Command Parameters

| Parameter | Description |
|---|---|
| list-name | The name of the prefix list. |
| seq | Keyword indicating that you want to provide a sequence number. |
| seq-number | The sequence number for the prefix list entry, in the range 1 to 4294967295. Entries are evaluated in ascending sequence order and the first match decides. |
| permit | Keyword indicating that the specified prefix is allowed. |
| deny | Keyword indicating that the specified prefix is disallowed. |
| prefix | The prefix address being identified. |
| len | The number of significant bits in the prefix (for instance, a Class C network has a len value of 24). |

After configuring a prefix list, you apply it to an area with the area command. Filtering can be applied to prefixes going into or coming out of an OSPF area, or to both directions by entering the command twice. The syntax for the area command is as follows:

area area-id filter-list prefix prefix-list-name { in | out }
The parameters for the area command are shown in Table 9-11.

Table 9-11. area Command Parameters

| Parameter | Description |
|---|---|
| area-id | The identifier of the area on which filtering is being configured |
| filter-list | Keyword indicating that you are configuring LSA filtering |
| prefix | Keyword indicating that a configured prefix list follows |
| prefix-list-name | The name of the prefix list that you created with the prefix-list command |
| in | Keyword that applies the prefix list to prefixes advertised inbound to the specified area |
| out | Keyword that applies the prefix list to prefixes advertised outbound from the specified area |

Running two separate OSPF processes on your PIX Firewall enables you to perform address filtering when your PIX Firewall is configured as an ASBR. Type 5 LSAs pass between areas within the same OSPF process (and cannot be filtered the way Type 3 LSAs can), but they do not pass between separate OSPF processes. Using two OSPF processes can be advantageous in situations such as the following:
- NAT is being used
- OSPF is operating on the public and private interfaces
- LSA Type 5 advertisement filtering is required
Autonomous System Boundary Router

An ASBR is located on the edge of your OSPF autonomous system and is responsible for advertising external routes to the entire OSPF autonomous system.

When using two OSPF processes, one process is usually configured for the external interface while the other handles the private interfaces. Each OSPF process is configured with a separate router ospf command and a different process identification (PID) number. In some situations it may be advantageous to distribute route advertisements between separate OSPF processes, such as to let routes received on the public interface pass to the OSPF process running on the private interfaces. To redistribute routes between different OSPF processes or domains, you use the redistribute ospf subcommand, the syntax for which is as follows:

redistribute ospf pid

Because the redistribute ospf command is executed from the OSPF subcommand mode, pid identifies the other OSPF process whose routes you want imported into the current OSPF process.

Configuring OSPF

Figure 9-2 shows a typical OSPF deployment. In this configuration the PIX Firewall is operating as an ABR. Because you do not want information about the private networks sent out on the public interface, LSA filtering is applied to the Internet interface. NAT is applied only to the inside interface (for the private networks).
Figure 9-2.PIX OSPF Network
In this configuration, the inside interface learns routes from both the DMZ and the outside interface, but you do not want private routes propagated to either the DMZ or the public interface. Configuring OSPF on your PIX Firewall requires the following steps:

Step 1. Enable OSPF.
Step 2. Define the PIX Firewall interfaces that need to run OSPF.
Step 3. Define OSPF areas.
Step 4. Configure LSA filtering to protect private addresses.

Using the topology shown in Figure 9-2, the following commands configure OSPF for the scenario described:

pix515a(config)# router ospf 1
pix515a(config-router)# area 0 filter-list prefix ten in
pix515a(config-router)# network 192.168.0.0 255.255.0.0 area 0
pix515a(config-router)# network 172.16.1.0 255.255.255.0 area 172.16.1.0
pix515a(config-router)# network 10.10.10.0 255.255.255.0 area 10.10.10.0
pix515a(config-router)# prefix-list ten deny 10.10.10.0/24
pix515a(config)# router ospf 1
pix515a(config-router)# prefix-list ten permit 172.16.1.0/24
pix515a(config)#

Notice the prompts: entering prefix-list from the OSPF subcommand mode returns you to global configuration mode, which is why router ospf 1 is entered a second time. Like every prefix list, ten ends with an implicit deny, so the only interarea prefix that area 0 receives is 172.16.1.0/24; 10.10.10.0/24 is denied explicitly and any other private prefix is dropped by the implicit deny.
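To make the filter semantics concrete, the following Python script is an added example, not configuration or code from the chapter. It parses the two prefix-list ten lines above, orders the entries by sequence number and evaluates a constructed set of interarea prefixes the way the area filter does: first match wins, an entry matches only a prefix with exactly the same network and length (the syntax on this page has no ge/le modifiers), and anything unmatched falls to the implicit deny. The automatic numbering of entries in steps of 5 when seq is omitted is IOS behaviour assumed here for illustration.

```python
"""Evaluating a PIX/IOS-style prefix list against interarea (Type 3) prefixes (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed input: the two prefix-list lines from the configuration example.
PREFIX_LIST_CONFIG = """\
prefix-list ten deny 10.10.10.0/24
prefix-list ten permit 172.16.1.0/24
"""

# Constructed set of interarea prefixes that other areas might advertise into area 0.
CANDIDATE_TYPE3_PREFIXES = ["10.10.10.0/24", "172.16.1.0/24", "10.10.30.0/24", "172.16.1.0/25"]

Entry = Tuple[int, str, ipaddress.IPv4Network]  # (seq, action, prefix)


def parse_prefix_list(config: str, name: str) -> List[Entry]:
    """Return the entries of prefix list `name`, ordered by sequence number.

    Assumption (IOS behaviour, used for illustration): when `seq` is omitted,
    entries are numbered 5, 10, 15, ... in the order they were entered.
    """
    entries: List[Entry] = []
    next_seq = 5
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "prefix-list" or tokens[1] != name:
            continue
        rest = tokens[2:]
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        else:
            seq = next_seq
        next_seq = (seq // 5 + 1) * 5
        action, prefix = rest[0], ipaddress.IPv4Network(rest[1])
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        entries.append((seq, action, prefix))
    return sorted(entries, key=lambda e: e[0])


def prefix_permitted(entries: List[Entry], candidate: str) -> bool:
    """First matching entry decides; no match means the implicit deny at the end.

    Without ge/le modifiers an entry matches only a prefix with the same
    network address and the same length, so 172.16.1.0/25 does not match
    an entry for 172.16.1.0/24.
    """
    net = ipaddress.IPv4Network(candidate)
    for _seq, action, prefix in entries:
        if net == prefix:
            return action == "permit"
    return False


def filter_type3(entries: List[Entry], candidates: List[str]) -> Dict[str, bool]:
    """Map each candidate interarea prefix to whether the area filter lets it through."""
    return {c: prefix_permitted(entries, c) for c in candidates}


if __name__ == "__main__":
    plist = parse_prefix_list(PREFIX_LIST_CONFIG, "ten")
    for prefix, allowed in filter_type3(plist, CANDIDATE_TYPE3_PREFIXES).items():
        print(f"{prefix:18} {'advertised into area 0' if allowed else 'filtered'}")
```

Only 172.16.1.0/24 survives: 10.10.10.0/24 hits the explicit deny, while 10.10.30.0/24 and the more specific 172.16.1.0/25 match nothing and are caught by the implicit deny, which is exactly the property that keeps unplanned private prefixes off the public side.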
Note: If you configure your PIX Firewall as an ASBR, you need to configure multiple OSPF processes on the firewall if you want to perform address filtering.

When configuring OSPF, you should also enable one of the following authentication mechanisms:
- Password
- MD5 (message digest algorithm 5)
You enable authentication for each area individually by using the following command: area area-id authentication [ message-digest ]
Next, you define the authentication to be used for communication with the specific routers with which each area will be communicating. You do so by defining a virtual link with the area command. Continuing with the example in Figure 9-2, to enable MD5 authentication with a key ID of 4 and a key of Ab1&05K! for area 172.16.1.0 when communicating with router 172.16.1.250, you would use the following commands:

pix515a(config)# router ospf 1
pix515a(config-router)# area 172.16.1.0 authentication message-digest
pix515a(config-router)# area 172.16.1.0 virtual-link 172.16.1.250 authentication message-digest message-digest-key 4 md5 Ab1&05K!

Note: To enable password authentication (using a password of R5!s4&Px*) for the same router instead of MD5, you would use the following commands:

pix515a(config)# router ospf 1
pix515a(config-router)# area 172.16.1.0 authentication
pix515a(config-router)# area 172.16.1.0 virtual-link 172.16.1.250 authentication authentication-key R5!s4&Px*

The simple password is carried in the clear in every OSPF packet, so prefer message-digest authentication wherever the neighbouring routers support it.
Viewing the OSPF Configuration

After setting up OSPF on your PIX Firewall, it is helpful to be able to view the configuration. Using the show ospf command, you can view your entire OSPF configuration. When you enter this command, you see output similar to Example 9-2, depending on the OSPF features that you have configured.

Example 9-2. Output from the show ospf Command

pix515a# show ospf
 Routing Process "ospf 1" with ID 192.168.10.80 and Domain ID 0.0.0.1
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x 0
 Number of opaque AS LSA 0. Checksum Sum 0x 0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 3. 3 normal 0 stub 0 nssa
 External flood list length 0
    Area BACKBONE(0) (Inactive)
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm executed 4 times
        Area ranges are
        Area-filter ten in
        Number of LSA 2. Checksum Sum 0x 35a8
        Number of opaque link LSA 0. Checksum Sum 0x 0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 10.10.10.0
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x ec7b
        Number of opaque link LSA 0. Checksum Sum 0x 0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 172.16.1.0
        Number of interfaces in this area is 1
        Area has message digest authentication
        SPF algorithm executed 6 times
        Area ranges are
        Number of LSA 2. Checksum Sum 0x 104d9
        Number of opaque link LSA 0. Checksum Sum 0x 0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
pix515a(config)#
Multicast Routing

IP multicasting is a mechanism that conserves network bandwidth by delivering a stream of information simultaneously to multiple recipients. Some common applications that take advantage of IP multicasting include the following:
- Video conferencing
- Distance learning
- News feeds
IP multicasting involves sending an IP packet to a single multicast (Class D) IP address. Routers send Internet Group Management Protocol (IGMP) query messages to locate hosts that belong to multicast groups (that is, hosts wishing to receive specific multicast traffic). Any host that wishes to receive multicast traffic must join the multicast group by sending an IGMP report message that indicates the multicast groups to which it belongs. When a host no longer wishes to receive a multicast data stream, it sends an IGMP Leave message to the multicast router. Your PIX Firewall acts as a Stub Multicast Router (SMR): it forwards IGMP requests between end hosts and multicast routers rather than running a multicast routing protocol itself. Instead of supporting the functionality of a fully operational multicast router, the PIX Firewall functions only as an IGMP proxy agent. To illustrate the configuration tasks associated with configuring your PIX Firewall as an SMR, you need to understand the following topics:
- Multicast commands
- Inbound multicast traffic
- Outbound multicast traffic
- Debugging multicast
Multicast Commands

Configuring multicast functionality on your PIX Firewall requires you to understand various multicast configuration commands. The major multicast configuration commands are as follows:
- multicast interface
- mroute
- igmp forward
- igmp join-group
- igmp access-group
- igmp version
- igmp query-interval
- igmp query-max-response-time
multicast interface Command

The multicast interface command identifies an interface that will pass multicast traffic. It also enters the multicast subcommand mode in which the other multicast commands must be entered. The syntax for this command is as follows:

multicast interface interface-name [ max-groups number ]

The parameters for this command are shown in Table 9-12.

Table 9-12. multicast interface Command Parameters

| Parameter | Description |
|---|---|
| interface-name | The name of the interface that will be configured for passing multicast traffic and to which the other multicast commands will be applied |
| max-groups | Keyword indicating that you want to limit the number of multicast groups allowed on the interface |
| number | A numeric value (1 to 2000) indicating the maximum number of groups allowed on the interface (the default is 500) |
mroute Command

To configure your PIX Firewall to forward a multicast transmission from a source on one interface (such as a server or multicast router on the inside) to receivers on another interface, you use the mroute command to define a static multicast route. The syntax for this command is as follows:

mroute source source-mask in-interface dest dest-mask out-interface

The parameters for the mroute command are shown in Table 9-13.

Table 9-13. mroute Command Parameters

| Parameter | Description |
|---|---|
| source | The source address of the multicast transmission device |
| source-mask | The network mask associated with the multicast source address |
| in-interface | The interface on which the multicast traffic enters the PIX Firewall |
| dest | The Class D address of the multicast group |
| dest-mask | The network mask associated with the destination multicast address |
| out-interface | The interface on which the multicast traffic leaves the PIX Firewall |

Note: To clear all static multicast routes created with the mroute command, you use the clear mroute command. To stop the PIX Firewall from forwarding a particular multicast stream, you place the no keyword in front of your original mroute command.

igmp forward Command

To join a multicast group, the host's IGMP message must reach the multicast router. The igmp forward command causes one PIX Firewall interface to pass the IGMP messages it receives to another interface. The syntax for this command is as follows:

igmp forward interface interface-name
The parameters for the igmp forward command are shown in Table 9-14.Table 9-14.igmp forward Command Parameters Parameter | Description |
---|
interface | Keyword indicating that the next parameter will be an interface name | interface-name | The name of the interface to forward the IGMP messages that are received on the current interface being configured |
igmp join-group Command

To statically configure the PIX Firewall to join a multicast group, you can use the igmp join-group command. This command is useful if you have clients that are unable to send IGMP messages on their own. The syntax for this command is as follows:

igmp join-group group

The only parameter for the igmp join-group command is the multicast group (multicast address) that is being joined statically. Multicast addresses use the entire range of 224.0.0.0 through 239.255.255.255 (Class D addresses); however, you can configure a value only in the range of 224.0.0.2 through 239.255.255.255 for the igmp join-group command.

Note: The multicast address 224.0.0.0 is the base address for IP multicasting, and 224.0.0.1 is permanently assigned to the group that includes all IP hosts.

igmp access-group Command

To limit which multicast groups (addresses) are allowed on a specific interface, you use the igmp access-group command. To use this command, you must first create an access list (using the access-list command) that defines the allowed multicast addresses. The syntax for this command is as follows:

igmp access-group access-list-id

igmp version Command

To define the IGMP version, you use the igmp version command. The syntax for this command is as follows:

igmp version 1|2

Note: The default version for IP multicasting is 2.

igmp query-interval Command

To configure the frequency, in seconds, at which IGMP query messages are sent by an interface, you use the igmp query-interval command. The default value is 60, but you can specify a value from 1 to 65535. The syntax for this command is as follows:

igmp query-interval seconds

Note: To set the query interval back to the default value, you use the no igmp query-interval command.

igmp query-max-response-time Command

When using IGMP version 2, you can specify the maximum query response time, in seconds, using the igmp query-max-response-time command. The default value is 10, but you can configure a value in the range from 1 to 65535.

Note: To set the maximum query response time back to the default value, you use the no igmp query-max-response-time command.

Inbound Multicast Traffic

Allowing inbound multicast traffic involves the configuration shown in Figure 9-3. In this configuration, the multicast router is located outside the PIX Firewall, and the hosts that want to receive multicast traffic are protected by the PIX Firewall.

Figure 9-3. Inbound Multicast Configuration
Because the hosts that need to receive the multicast traffic are separated from the multicast router by your PIX Firewall, you need to configure the PIX Firewall to forward IGMP reports from the hosts protected by the firewall to the multicast router. You also need to forward multicast transmissions from the multicast router. The following configuration steps enable this multicast configuration:

Step 1. Use the multicast interface command to enable multicast processing on a specific interface and place the interface in multicast promiscuous mode. This also places the command line in multicast subcommand mode, designated by the (config-multicast)# prompt.

Step 2. Use the igmp forward command to enable IGMP forwarding on the interfaces connected to hosts that will receive multicast transmissions. This also enables the interface to forward all IGMP Host Report and Leave messages.

Step 3. (Optional) If your network contains clients that cannot respond to IGMP messages but still require the reception of multicast traffic, use the igmp join-group command to statically join the PIX Firewall to the specific multicast group.

Step 4. (Optional) Define an access list that specifies which Class D addresses (multicast addresses) are allowed to traverse the PIX Firewall. Then, use the igmp access-group command to apply the access list to a specific interface.

Assume that you want to allow protected hosts to join the multicast group 224.0.1.100 from a multicast router that is located outside the protected network. To accomplish this, you would use the following commands:

pix515a(config)# access-list 120 permit udp any host 224.0.1.100
pix515a(config)# multicast interface outside
pix515a(config-multicast)# igmp access-group 120
pix515a(config-multicast)# exit
pix515a(config)# multicast interface inside
pix515a(config-multicast)# igmp forward interface outside
pix515a(config-multicast)# exit
Outbound Multicast Traffic

Allowing outbound multicast traffic involves the configuration shown in Figure 9-4. In this configuration, the multicast transmission source is located inside the PIX Firewall, and the hosts that want to receive multicast traffic are not protected by the PIX Firewall.

Figure 9-4. Outbound Multicast Configuration

When the multicast transmission source is on the protected (secure) interface of the PIX Firewall, you must specifically configure the PIX Firewall to forward the multicast transmissions. The following configuration steps enable this multicast configuration:

Step 1. Use the multicast interface command to enable multicast forwarding on each PIX Firewall interface.

Step 2. Use the mroute command to create a static route from the multicast transmission source to the next-hop router interface.

Suppose that your multicast router is located at 10.10.10.100 and is transmitting to the multicast group 230.0.1.100. To get the PIX Firewall to forward multicast transmissions from this multicast router to the outside interface, you would use the following commands:

pix515a(config)# multicast interface outside
pix515a(config-multicast)# exit
pix515a(config)# multicast interface inside
pix515a(config-multicast)# mroute 10.10.10.100 255.255.255.255 inside 230.0.1.100 255.255.255.255 outside
pix515a(config-multicast)# exit
pix515a(config)#
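As an added example (not from the book or from Cisco), the following Python script walks a transcript of the kind of commands shown for the inbound and outbound configurations above, keeps track of which interface the multicast subcommand mode is in, and checks the constraints the text states: an igmp join-group must fall in 224.0.0.2 through 239.255.255.255, igmp query-interval and query-max-response-time values must be in 1 through 65535, an mroute destination must be a Class D address, and an igmp access-group must name an access list that was actually defined. The prompt handling, the summary keys and the sample transcript (the inbound example plus two deliberately wrong lines) are constructed for this example.

```python
import ipaddress
CLASS_D = ipaddress.ip_network("224.0.0.0/4")      # every IPv4 multicast address
JOIN_LOW, JOIN_HIGH = int(ipaddress.ip_address("224.0.0.2")), int(ipaddress.ip_address("239.255.255.255"))

def check_multicast_config(text):
    """Walk PIX CLI lines; return (per-interface summary, list of problems found)."""
    summary, problems, acls, cur = {}, [], set(), None
    for n, raw in enumerate(text.splitlines(), 1):
        p = raw.split("# ", 1)[-1].split()          # drop a "pix515a(config)# " prompt if present
        if p[:1] == ["access-list"]:
            acls.add(p[1])                          # remember every access-list id that is defined
        elif p[:2] == ["multicast", "interface"]:   # enters (config-multicast)# subcommand mode
            cur = p[2]
            summary.setdefault(cur, {"forward_to": None, "access_group": None, "join": [], "mroute": []})
        elif p[:1] == ["exit"]:
            cur = None
        elif cur is None or not p:
            continue                                # blank lines and other global commands: out of scope
        elif p[:3] == ["igmp", "forward", "interface"]:
            summary[cur]["forward_to"] = p[3]
        elif p[:2] == ["igmp", "access-group"]:
            summary[cur]["access_group"] = p[2]
        elif p[:2] == ["igmp", "join-group"]:
            g = ipaddress.ip_address(p[2])
            if not JOIN_LOW <= int(g) <= JOIN_HIGH:
                problems.append(f"line {n}: join-group {g} is outside 224.0.0.2-239.255.255.255")
            summary[cur]["join"].append(str(g))
        elif p[1:2] in (["query-interval"], ["query-max-response-time"]) and not 1 <= int(p[2]) <= 65535:
            problems.append(f"line {n}: {p[1]} {p[2]} is outside 1-65535")
        elif p[:1] == ["mroute"] and len(p) == 7:
            src, smask, in_if, dst, dmask, out_if = p[1:]
            if ipaddress.ip_address(dst) not in CLASS_D:
                problems.append(f"line {n}: mroute destination {dst} is not a Class D address")
            summary[cur]["mroute"].append((f"{src}/{smask}", in_if, f"{dst}/{dmask}", out_if))
    for name, s in summary.items():                 # igmp access-group must name a defined access-list
        if s["access_group"] and s["access_group"] not in acls:
            problems.append(f"{name}: igmp access-group {s['access_group']} has no access-list defined")
    return summary, problems

# Constructed sample: the inbound example from the text, plus two deliberately wrong lines at the end
SAMPLE = """\
pix515a(config)# access-list 120 permit udp any host 224.0.1.100
pix515a(config)# multicast interface outside
pix515a(config-multicast)# igmp access-group 120
pix515a(config-multicast)# exit
pix515a(config)# multicast interface inside
pix515a(config-multicast)# igmp forward interface outside
pix515a(config-multicast)# igmp join-group 224.0.0.1
pix515a(config-multicast)# mroute 10.10.10.100 255.255.255.255 inside 192.168.1.100 255.255.255.255 outside
"""
```

Running check_multicast_config(SAMPLE) reports the join-group at 224.0.0.1 and the non-Class-D mroute destination as problems, while the access-group reference on outside passes because access-list 120 exists.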
Debugging Multicast

Not only can you configure IP multicasting, you can also debug the operation of your IP multicasting configuration. The commands that you use to do so fall into the following two categories:

- Commands to view the multicast configuration
- Commands to debug multicast traffic

Commands to View the Multicast Configuration

You can use the following commands to view your multicast configuration:

- show multicast
- show igmp
- show mroute

The show multicast command displays the multicast settings for either a specific interface or all the interfaces. The syntax for this command is as follows:

show multicast [interface interface-name]

If you do not specify an interface, the information for all the PIX Firewall interfaces is displayed. The show igmp command displays information about either a specific IGMP group or all the IGMP groups for a specific interface. The syntax for this command is as follows:

show igmp [group | interface interface-name] [detail]

The final command that you can use to view your multicast configuration is show mroute, which displays the current multicast routes. Its syntax is as follows:

show mroute [destination [source]]

Commands to Debug Multicast Traffic

After you configure IP multicasting on your PIX Firewall, you may need to debug multicast traffic to identify configuration problems. Two commands that are useful for debugging multicast traffic are as follows:

- debug igmp: Enables debugging for IGMP events
- debug mfwd: Enables debugging for multicast forwarding events

Note: To disable either of these debugging commands, simply place a no in front of the command (for instance, no debug igmp).