igmp access-group Command

To limit which multicast groups (addresses) hosts on a specific interface may join, you use the
igmp access-group command. To use this command, you must first create an access list (using
the access-list command) that defines the permitted multicast group addresses; IGMP reports
for groups the list does not permit are ignored on that interface. The syntax for this
command is as follows:
igmp access-group access-list-id
igmp version Command
To define the IGMP version, you use the igmp version command. The syntax for this
command is as follows:
igmp version 1 | 2
igmp query-interval Command
To configure the frequency, in seconds, at which IGMP query messages are sent by an
interface, you use the igmp query-interval command. The default value is 60, but you can
specify a value from 1 to 65,535. The syntax for this command is as follows:
igmp query-interval seconds
pim Command
PIM is enabled on all interfaces by default once the multicast-routing command has been
entered. If PIM support has been disabled on an interface, you can re-enable it by using
the pim command in interface-configuration mode. To disable PIM support on an interface,
use the no pim command.

multicast-routing Command

The multicast-routing command enables PIM and IGMP on all interfaces. The syntax for this
command is
[no] multicast-routing
mroute Command
To configure your Security Appliance to forward multicast traffic when the multicast router
is on the inside interface, you need to use the mroute command. The syntax for this
command is as follows:
mroute source source-mask in-interface dest dest-mask out-interface
The parameters for the mroute command are shown in Table 11-13.
Table 11-13 mroute Command Parameters
Parameter      Description
source         The source address of the multicast transmission device
source-mask    The network mask associated with the multicast source address
in-interface   The interface on which the multicast traffic enters the Security Appliance
dest           The destination multicast group address
dest-mask      The network mask associated with the destination multicast group address
out-interface  The interface on which the multicast traffic leaves the Security Appliance

Multicast Commands

Configuring multicast functionality on your Security Appliance requires you to understand
various multicast configuration commands. The major multicast configuration commands
are as follows:
■ multicast-routing
■ mroute
■ igmp
■ igmp forward
■ igmp join-group
■ igmp access-group
■ igmp version
■ igmp query-interval
■ igmp query-max-response-time
■ pim
■ pim rp-address

Multicast Routing

IP multicasting is a mechanism that conserves network bandwidth by delivering a stream of
information simultaneously to multiple recipients. Some common applications that take
advantage of IP multicasting include the following:
■ Video conferencing
■ Distance learning
■ News feeds
IP multicasting actually involves sending an IP packet to a single multicast IP address.
Routers send Internet Group Management Protocol (IGMP) query messages to locate hosts
that belong to any multicast groups (wishing to receive specific multicast traffic). Any host
that wishes to receive multicast traffic must join the multicast group by using an IGMP report
message that indicates all the multicast groups to which it belongs. When a host no longer
wishes to receive a multicast data stream, it sends an IGMP Leave message to the multicast
router.
With the introduction of software version 7.0, the Security Appliances support PIM
sparse mode. Sparse-mode PIM defines a rendezvous point (RP), which the Security Appliance
uses to keep track of multicast groups. Instead of flooding the network to discover
receivers, a source that wants to send data registers with the RP, and receivers that want
the stream send joins toward the RP. Sparse-mode PIM assumes that hosts do not want to
receive multicast traffic unless they specifically request it.
If several Security Appliances are participating in multicast traffic on a network segment,
PIM requires that a designated router (DR) be assigned. A DR is responsible for sending PIM
register, join, and prune messages to the RP. This reduces the amount of noise that can be
created if each multicast Security Appliance sends duplicate requests to the RP.
You can configure your Security Appliance to act as a Stub Multicast Router (SMR), in which
case it forwards IGMP messages only between end hosts and the upstream multicast router.
Instead of providing the functionality of a fully operational multicast router, the Security
Appliance then functions only as an IGMP proxy agent. To illustrate the configuration tasks
associated with configuring your Security Appliance as an SMR, you need to understand the
following topics:
■ Multicast commands
■ Inbound multicast traffic
■ Outbound multicast traffic
■ Debugging multicast

Viewing the OSPF Configuration

After setting up OSPF on your Security Appliance, it helps to view parts of the configuration.
Using the show ospf command, you can view the general information about the OSPF
routing processes. When you enter this command, you see output similar to Example 11-2,
depending on the OSPF features that you have configured.
NOTE To enable simple password authentication (using a password of R5!s4&Px*) for the
same router instead of MD5, you would use the following commands. Note that simple
password authentication carries the key in cleartext in every OSPF packet, so prefer MD5
authentication wherever the neighbors support it:
pix515a(config)# router ospf 1
pix515a(config-router)# area 172.16.1.0 authentication
pix515a(config-router)# area 172.16.1.0 virtual-link 172.16.1.250 authentication authentication-key R5!s4&Px*
Example 11-2 Output from the show ospf Command
pix515a# show ospf
Routing Process "ospf 1" with ID 192.168.10.80 and Domain ID 0.0.0.1
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x 0
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
External flood list length 0
pix515a#

PIX OSPF Network

Configuring OSPF on your Security Appliance requires you to perform the following steps:
Step 1 Enable OSPF.
Step 2 Define the Security Appliance interfaces that need to run OSPF.
Step 3 Define OSPF areas.
Step 4 Configure LSA filtering to protect private addresses.
Using the configuration shown in Figure 11-2, the following commands configure OSPF
based on the scenario described:
pix515a(config)# router ospf 1
pix515a(config-router)# area 0 filter-list prefix ten in
pix515a(config-router)# network 192.168.0.0 255.255.0.0 area 0
pix515a(config-router)# network 172.16.1.0 255.255.255.0 area 172.16.1.0
pix515a(config-router)# network 10.10.10.0 255.255.255.0 area 10.10.10.0
pix515a(config-router)# prefix-list ten deny 10.10.10.0/24
pix515a(config)#
pix515a(config)# router ospf 1
pix515a(config-router)# prefix-list ten permit 172.16.1.0/24
pix515a(config)#
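The commands above rely on first-match list semantics in two places that the chapter also uses for the igmp access-group command: a prefix-list applied with area ... filter-list decides which Type 3 LSAs the ABR lets into area 0, and a standard access list decides which groups hosts may join. The following Python walks through both evaluations. It is an added illustration, not Cisco code; prefix-list ten is copied from the configuration above, while MCAST_GROUP_ACL, the 10.10.20.0/24 summary prefix and the group addresses are constructed test data.

```python
"""First-match evaluation of the two address filters this chapter configures:
the prefix-list applied as an ABR Type 3 LSA filter-list, and a standard
access list applied with igmp access-group.

Added illustration, not Cisco code. prefix-list ten mirrors the chapter's
configuration; MCAST_GROUP_ACL, the 10.10.20.0/24 summary and the group
addresses below are constructed test data."""
import ipaddress
from typing import Iterable, List, Tuple

Entry = Tuple[str, str]  # ("permit" | "deny", "address/prefixlen")

# prefix-list ten, exactly as entered in the chapter's configuration.
PREFIX_LIST_TEN: List[Entry] = [
    ("deny", "10.10.10.0/24"),
    ("permit", "172.16.1.0/24"),
]

# Constructed standard ACL for igmp access-group: joins are allowed only for
# groups inside 239.1.1.0/24 (assumption, not from the chapter).
MCAST_GROUP_ACL: List[Entry] = [
    ("permit", "239.1.1.0/24"),
]


def prefix_list_action(plist: Iterable[Entry], prefix: str) -> str:
    """Cisco prefix-list semantics without ge/le: an entry matches only the
    exact network and prefix length, the first match wins, and a prefix that
    matches nothing hits the implicit deny at the end of the list."""
    net = ipaddress.ip_network(prefix, strict=False)
    for action, entry in plist:
        if net == ipaddress.ip_network(entry, strict=False):
            return action
    return "deny"


def filter_type3_lsas(summaries: Iterable[str],
                      plist: Iterable[Entry]) -> Tuple[List[str], List[str]]:
    """Split candidate interarea (Type 3) summary prefixes into those the ABR
    advertises into the filtered area and those the filter-list drops."""
    plist = list(plist)
    advertised: List[str] = []
    dropped: List[str] = []
    for prefix in summaries:
        if prefix_list_action(plist, prefix) == "permit":
            advertised.append(prefix)
        else:
            dropped.append(prefix)
    return advertised, dropped


def igmp_group_allowed(acl: Iterable[Entry], group: str) -> bool:
    """Standard-ACL semantics for igmp access-group: a group address matches
    an entry when it falls inside the entry's network, the first match wins,
    and no match is an implicit deny. Anything outside 224.0.0.0/4 is not a
    multicast group and is refused before the list is consulted."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        return False
    for action, entry in acl:
        if addr in ipaddress.ip_network(entry, strict=False):
            return action == "permit"
    return False


if __name__ == "__main__":
    # The ABR summarises its two non-backbone areas into area 0; a third,
    # constructed prefix shows the implicit deny catching an unlisted route.
    adv, drop = filter_type3_lsas(
        ["172.16.1.0/24", "10.10.10.0/24", "10.10.20.0/24"], PREFIX_LIST_TEN)
    print("advertised into area 0:", adv)
    print("filtered:", drop)
    # A more specific prefix is not an exact match, so it is also denied.
    print("172.16.1.0/25 ->", prefix_list_action(PREFIX_LIST_TEN, "172.16.1.0/25"))
    for group in ("239.1.1.5", "239.2.2.2", "10.1.1.1"):
        print(group, "join allowed:", igmp_group_allowed(MCAST_GROUP_ACL, group))
```

The point worth checking on a real box is the implicit deny: with the chapter's list, 10.10.10.0/24 is dropped by its explicit deny entry, but any other interarea route, and even a more specific 172.16.1.0/25, is dropped too because nothing permits it. If other routes are supposed to reach area 0, the prefix list needs an explicit permit for them after the deny.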

Configuring OSPF

Figure 11-2 shows a typical OSPF deployment configuration. In this configuration, a PIX
Firewall is operating as an ABR. Because you do not want the information about private
networks sent out on the public interface, LSA filtering is applied to the Internet interface.
NAT is applied only to the inside interface (for the private networks).
In this configuration, the inside interface learns routes from both the DMZ and the outside
interface, but you do not want private routes to be propagated to either the DMZ or the
public interfaces.
ASBR
An ASBR is located on the edge of your OSPF autonomous system and is responsible for
advertising external routes for the entire OSPF autonomous system.

network Command Parameters

Parameter          Description
prefix-ip-address  IP address of the network being configured.
netmask            The network mask, which determines the range of interface addresses the
                   statement matches (for example, a Class C network covers 256 addresses and
                   is specified as 255.255.255.0).
area               Keyword indicating that the area information will follow.
area-id            The ID of the area to be associated with this OSPF address range.

OSPF Commands

To configure OSPF on your Security Appliance, you use various commands. To enable OSPF
on your PIX Firewall, you use the router ospf command. The syntax is as follows:
router ospf pid
The pid represents a unique identification for the OSPF routing process in the range from 1
to 65,535. Each OSPF routing process on a single Security Appliance must be unique, and
Security Appliance Version 6.3 supports a maximum of two different OSPF routing
processes.
After you issue the router ospf command, the Security Appliance command prompt enters a
subcommand mode indicated by a command prompt similar to the following:
pix515a(config-router)#
In subcommand mode, you can configure various OSPF parameters (see Table 11-9).
NOTE Your Cisco Security Appliance can filter only Type 3 LSAs. If you configure your
Security Appliance to function as an ASBR in a private network, then information about
your private networks will be sent to the public interfaces, because Type 5 LSAs describing
private networks will be flooded to the entire autonomous system (including the public
areas) unless you configure two separate OSPF processes.
Table 11-9 router ospf Subcommand Options
Parameter            Description
area                 Configures OSPF areas
compatible           Runs OSPF in RFC 1583 compatible mode
default-information  Distributes a default route
distance             Configures administrative distances for OSPF process
ignore               Suppresses syslog for receipt of Type 6 (MOSPF) LSAs
log-adj-changes      Logs OSPF adjacency changes

OSPF Overview

Efficient route propagation and greatly reduced convergence times are two of the many
benefits of using OSPF. OSPF is widely deployed in large internetworks because of its
efficient use of network bandwidth and its rapid convergence after changes in topology. The
Cisco Security Appliance implementation supports intra-area, interarea, and external routes.
Redistribution of static routes into OSPF processes and route redistribution between OSPF
processes are also included.
An OSPF router that has interfaces in multiple areas is called an Area Border Router (ABR).
A router that redistributes routes or imports external routes (Type 1 or Type 2) between
routing domains is called an Autonomous System Boundary Router (ASBR). An ABR uses
link-state advertisements (LSAs) to send information about available routes to other OSPF
routers. Using ABR Type 3 LSA filtering, you can have separate private and public areas,
with the Security Appliance acting as the ABR. Type 3 LSAs (interarea routes) can be filtered
from one area to another, which lets you use NAT and OSPF together without advertising
private networks.
The Security Appliance OSPF supported features are as follows:
■ Support for intra-area, interarea, and external routes
■ Support for virtual links
■ Authentication for OSPF packets
■ The capability to configure the Security Appliance as a designated router, ABR, and
limited ASBR
■ ABR Type 3 LSA filtering
■ Support for stub and not so stubby areas (NSSA)
■ Route redistribution