SMR Configuration with Clients
on a More Secure Interface
In this case, a multicast router and a server are on the outside interface of the PIX
firewall, and clients are on the inside. The PIX needs to be able to pass multicast
traffic from the server and IGMP requests from the router to the inside hosts. It
also needs to pass IGMP messages from the inside hosts to the outside router.
All SMR configurations start with the following configuration mode
command:
multicast interface
This command enables multicast features on the specified interface. The interface
is placed into multicast promiscuous mode, and the CLI enters a submode of multicast
configuration for that specific interface. (This is a rare case with the PIX
because there are very few submodes in configuration mode.) An optional max-groups
parameter defines the number of multicast groups that can appear on the
interface at any given time. The default setting is 500; the number can be up to
2000. This mode has subcommands like this:
igmp
www.syngress.com
Figure 4.13 IGMP Used to Report Membership in a Multicast Group
[Figure: a multicast server sends transmissions to group 224.0.1.1. The router asks
"Who is in 224.0.1.1?" and group members answer with "I am in" reports. Clients 1
through 4 are shown.]
Only Client 3 and Client 4 are in this group, so they are the only hosts that reply
to the router's request. When the transmission starts, the router will only forward
it to these two hosts. The router periodically asks for group membership reports.
Advanced PIX Configurations • Chapter 4 205
NOTE
To set the version of IGMP used, use the igmp version {1 | 2} subcommand
under the multicast command.
In our case, the PIX needs at least to be able to receive multicast transmissions
on its outside interface, so we need to configure:
PIX(config)# multicast interface outside
Actually, there is not much more to configure on the outside interface. We
can optionally configure some counters and protocol options or access control,
but this is not specific to this case and is described later. After exiting this multicast
configuration mode (but while we're still in configuration mode), we need to
configure multicast on the inside interface:
PIX1(config)# multicast interface inside
The inside interface needs some more configuration. After we enter this mode,
we need to configure the interface to which the PIX should forward all IGMP
messages from clients. This is the less secure interface where the router is located:
PIX1(config-multicast)# igmp forward interface outside
Don't forget that this command is entered while we are in the interface
multicast configuration mode. Outside is the name of the interface to which IGMP
messages are forwarded from the interface being configured. If you have a multicast router
on an interface called dmz1, the command will look like:
PIX1(config-multicast)# igmp forward interface dmz1
If any clients on the inside network are not IGMP-capable, but we still want
them to receive multicast traffic from some group, we need to configure the
inside interface to join this multicast group statically with the command:
igmp join-group
For example:
PIX1(config-multicast)# igmp join-group 224.1.1.1
With this interface configured, the PIX outside interface acts as a host interested
in receiving transmissions for this group, and then the received data will be
forwarded to the inside network. Here is an example of the simplest multicast
configuration:
PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# igmp forward interface outside
Here is a more complicated example with non-IGMP-capable multicast
clients who want to receive transmissions for group 224.10.0.9:
PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# igmp forward interface outside
PIX1(config-multicast)# igmp join-group 224.10.0.9
Clients on two interfaces, inside and dmz:
PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# igmp forward interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface dmz
PIX1(config-multicast)# igmp forward interface outside
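A review aid for configurations like the ones above, added here as an example (it is not from the book or from Cisco): a small Python audit that reads SMR lines and reports forward targets that were never multicast-enabled, static join-group addresses outside the multicast range, and max-groups values above the 2000 limit. The function name audit_smr, the sample text, and the rule that a forward target must itself have a multicast interface line (as it does in every example above) are assumptions of this sketch.

```python
import ipaddress
import re

MAX_GROUPS_LIMIT = 2000  # upper bound given in the text; the default is 500

def audit_smr(config_text):
    """Return a list of findings for the SMR lines of a PIX configuration."""
    enabled, forwards, findings = set(), [], []
    current = None  # interface whose multicast submode we are in
    for raw in config_text.splitlines():
        # Drop a CLI prompt such as "PIX1(config-multicast)# " if present.
        line = re.sub(r"^\S+\(config[^)]*\)#\s*", "", raw.strip())
        m = re.fullmatch(r"multicast interface (\S+)(?: max-groups (\d+))?", line)
        if m:
            current = m.group(1)
            enabled.add(current)
            if m.group(2) and int(m.group(2)) > MAX_GROUPS_LIMIT:
                findings.append(f"{current}: max-groups {m.group(2)} is above {MAX_GROUPS_LIMIT}")
        elif line == "exit":
            current = None
        elif line.startswith("igmp ") and current is None:
            findings.append(f"'{line}' is outside any multicast interface submode")
        elif (m := re.fullmatch(r"igmp forward interface (\S+)", line)):
            forwards.append((current, m.group(1)))
        elif (m := re.fullmatch(r"igmp join-group (\S+)", line)):
            try:
                valid = ipaddress.IPv4Address(m.group(1)).is_multicast
            except ValueError:
                valid = False
            if not valid:
                findings.append(f"{current}: join-group {m.group(1)} is not a multicast address")
    # Assumed rule: a forward target is multicast-enabled and differs from the source.
    for src, dst in forwards:
        if dst == src:
            findings.append(f"{src}: forwards IGMP to itself")
        elif dst not in enabled:
            findings.append(f"{src}: forwards IGMP to {dst}, which is not multicast-enabled")
    return findings

# Constructed sample: dmz1 is never enabled and 10.1.1.1 is not a group address.
SAMPLE = """\
PIX1(config)# multicast interface outside
PIX1(config-multicast)# exit
PIX1(config)# multicast interface inside
PIX1(config-multicast)# igmp forward interface dmz1
PIX1(config-multicast)# igmp join-group 10.1.1.1
"""

if __name__ == "__main__":
    for finding in audit_smr(SAMPLE):
        print(finding)
```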