PIM Multicast Routing

The document discusses configuring PIM multicast routing on an ASA firewall to enable communication between multicast routers and endpoints. The key steps are: 1. Enable multicast routing and PIM on the firewall interfaces. 2. Configure the RP and limit IGMP states on the inside interface. 3. Verify the firewall establishes PIM adjacencies and that multicast traffic can flow.

CCIE Security V4 Technology Labs, Section 5:
Perimeter Security and Services - ASA Firewalls

PIM Multicast Routing
Last updated: May 10, 2013

Task
Load the initial configuration files and enable PIM on ASA1's inside and outside interfaces.
ASA1 should use R2 as the RP.
The ASA should limit the number of IGMP states on the inside interface to 100, and the query
interval should be set to 30 seconds.
Ensure that R2 establishes PIM adjacency with the firewall.
Enable PIM on R1 and join the G0/0 interface to group 239.0.0.1.
Make sure that R2 can ping the multicast group 239.0.0.1 and that R1 replies.

Overview
In addition to acting as a stub multicast router, the ASA firewall is capable of becoming a normal
multicast-capable router. In this mode, the ASA will establish PIM (Protocol Independent Multicast)
adjacencies with neighboring multicast routers. This allows the firewall to signal the building of
multicast distribution trees with other routers.

The ASA supports only PIM Sparse Mode (PIM SM), which is a scalable multicast routing protocol.
The key feature of PIM SM is the use of a special router called a Rendezvous Point (RP), which
functions as the “meeting point” of multicast sources and receivers. The sources register with the
RP, and the subscribers build initial distribution trees to the same RP. This allows them to “meet,”
and this is why RP is so critical to the PIM SM network.

When configured for PIM Multicast routing mode, the ASA firewall accepts and processes IGMP
messages. In this configuration, there is no need to relay IGMP messages to a helper router. When
the firewall receives the proper IGMP message, it initiates the building of a multicast “subscription”
tree toward the RP, just as a normal multicast router would do.

There is a difference when it comes to the ASA, however. Cisco IOS routers support automatic
learning of the RP information via protocols such as BSR (bootstrap router), whereas the ASA only
supports static manual RP configuration using the command pim rp-address <IP>. When
configuring your firewall for PIM multicast routing, do not forget to enter this command, or the
multicast routing will not work.

There is another effect to note. The ASA has a feature known as ICMP inspection, which performs a
form of stateful inspection of ICMP traffic: an echo reply is only allowed back through the firewall
if it matches an echo request the ASA has already seen. When this is enabled, pings to a multicast
group fail through the ASA, because the echo reply is sourced from the unicast address of the
responding host rather than from the group address the request was sent to, so the reply does not
match the tracked request and is dropped. This is why the configuration below removes ICMP
inspection from the global policy.
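To make the failure mode concrete, here is a small Python model of stateful ICMP inspection. It is an added example written for this page, not ASA code: it tracks echo requests by source, destination, identifier and sequence number, and forwards a reply only when those fields mirror a pending request. The addresses are the ones used in this lab (R2 at 150.50.0.2 pinging R1 at 10.0.0.1, directly and via the group 239.0.0.1); the "no inspection" path simply forwards, standing in for the case where only the interface ACLs apply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpEcho:
    """One ICMP echo request or reply, reduced to the fields inspection matches on."""
    src: str
    dst: str
    ident: int
    seq: int
    is_reply: bool


class StatefulIcmpInspector:
    """Simplified model (constructed for this example, not the ASA's implementation)
    of a stateful ICMP inspection engine: a reply is forwarded only if it matches a
    request seen earlier, with id/seq equal and src/dst mirrored."""

    def __init__(self):
        self.pending = {}  # (src, dst, ident, seq) of requests awaiting a reply

    def process(self, pkt):
        if not pkt.is_reply:
            # Remember the request so exactly one matching reply is allowed back.
            self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = True
            return "forward"
        # A reply must come FROM the address the request was sent TO.
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if self.pending.pop(key, False):
            return "forward"
        return "drop"


def ping_verdict(requester, dst, responder, inspect_icmp=True, ident=1, seq=0):
    """Send one echo request from requester to dst and return the inspector's
    verdict on the echo reply that comes back from responder."""
    request = IcmpEcho(requester, dst, ident, seq, is_reply=False)
    reply = IcmpEcho(responder, requester, ident, seq, is_reply=True)
    if not inspect_icmp:
        # Without 'inspect icmp' there is no echo state to match against; the
        # reply is subject only to the interface ACLs, which this lab permits.
        return "forward"
    inspector = StatefulIcmpInspector()
    inspector.process(request)
    return inspector.process(reply)


if __name__ == "__main__":
    # Unicast ping from R2 to R1: the reply source equals the request destination.
    print("unicast, inspect icmp:   ", ping_verdict("150.50.0.2", "10.0.0.1", "10.0.0.1"))
    # Multicast ping from R2 to 239.0.0.1: R1 replies from 10.0.0.1, not from the group.
    print("multicast, inspect icmp: ", ping_verdict("150.50.0.2", "239.0.0.1", "10.0.0.1"))
    print("multicast, no inspection:", ping_verdict("150.50.0.2", "239.0.0.1", "10.0.0.1",
                                                     inspect_icmp=False))
```

The model also shows the property that makes inspection worth keeping on unicast paths: once a reply has consumed its pending request, a second copy of the same reply is dropped, so replies cannot be injected without a matching request.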

Here are the steps required to enable PIM SM multicast routing in the ASA firewall:

1. Enable the multicast-routing command globally.
2. Configure the interface connected to the multicast network for PIM, using the pim command.
3. Configure the subscriber-facing interface for IGMP, possibly tuning IGMP settings using the igmp
command. In our task, we limit the number of IGMP states to 100, thereby allowing up to 100
members on the interface.
4. Configure the RP for the network, using the command pim rp-address. This completes the
multicast routing configuration.

Now you only need to ensure that the firewall has established PIM adjacencies with the multicast
network and that the ACLs permit multicast traffic flow.

Configuration
ASA1:

!
multicast-routing
!
pim rp-address 150.50.0.2
!
policy-map global_policy
class inspection_default
no inspect icmp
!
int e0/0
pim
!
int e0/1
pim
igmp limit 100
igmp query-interval 30
!

R1:

!
interface GigabitEthernet0/0
ip pim sparse-dense-mode
ip igmp join-group 239.0.0.1
end

Verification
Verify that R1 has the ASA as a PIM neighbor.

Rack1R1#sh ip pim neigh
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
P - Proxy Capable, S - State Refresh Capable, G - GenID Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
10.0.0.12 GigabitEthernet0/0 01:58:08/00:01:38 v2 1 / DR G
Rack1R1#

Verify that R2 also has the ASA as a PIM neighbor.

Rack1R2#sh ip pim neigh
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
P - Proxy Capable, S - State Refresh Capable, G - GenID Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
150.50.0.12 GigabitEthernet0/0 01:58:30/00:01:22 v2 1 / DR G
Rack1R2#

View the PIM neighbor from the ASA.

Rack1ASA1(config)# sh pim neigh

Neighbor Address Interface Uptime Expires DR pri Bidir
10.0.0.1 inside 01:58:42 00:01:34 1
150.50.0.2 outside 01:58:42 00:01:44 1
Rack1ASA1(config)#

Ping from R2 to the group.


Rack1R2#ping 239.0.0.1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.0.0.1, timeout is 2 seconds:

Reply to request 0 from 10.0.0.1, 1 ms
Rack1R2#

Confirm that we are limiting the IGMP states and that the query interval is 30 seconds.

Rack1ASA1(config-if)# sh igmp interface
inside is up, line protocol is up
Internet address is 10.0.0.12/24
IGMP is enabled on interface
Current IGMP version is 2
IGMP query interval is 30 seconds
IGMP querier timeout is 65 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is:
IGMP limit is 100, currently active joins: 2
Cumulative IGMP activity: 2 joins, 0 leaves
IGMP querying router is 10.0.0.1
outside is up, line protocol is up
Internet address is 150.50.0.12/24
IGMP is enabled on interface
Current IGMP version is 2
IGMP query interval is 125 seconds
IGMP querier timeout is 255 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is:
IGMP limit is 500, currently active joins: 1
Cumulative IGMP activity: 1 joins, 0 leaves
IGMP querying router is 150.50.0.2

Rack1ASA1(config-if)#
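Reading these show outputs by eye is fine for one lab, but the same verification is easy to script. The following Python checker is an added example, not part of the lab or of any Cisco tooling: it parses the ASA `show igmp interface` and `show pim neighbor` output (the samples embedded below are the outputs reproduced from this lab so the script runs offline) and reports where the firewall deviates from the task, namely a 30-second query interval and a limit of 100 IGMP states on inside, a PIM neighbor on inside, and the RP 150.50.0.2 as a PIM neighbor on outside. The regular expressions are keyed to the exact phrasing shown above and may need adjusting for other ASA versions.

```python
import re

# "show igmp interface" output reproduced from this lab, so the checker runs without a device.
SHOW_IGMP_INTERFACE = """\
inside is up, line protocol is up
Internet address is 10.0.0.12/24
IGMP is enabled on interface
Current IGMP version is 2
IGMP query interval is 30 seconds
IGMP querier timeout is 65 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is:
IGMP limit is 100, currently active joins: 2
Cumulative IGMP activity: 2 joins, 0 leaves
IGMP querying router is 10.0.0.1
outside is up, line protocol is up
Internet address is 150.50.0.12/24
IGMP is enabled on interface
Current IGMP version is 2
IGMP query interval is 125 seconds
IGMP querier timeout is 255 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is:
IGMP limit is 500, currently active joins: 1
Cumulative IGMP activity: 1 joins, 0 leaves
IGMP querying router is 150.50.0.2
"""

# "show pim neighbor" output, also reproduced from this lab.
SHOW_PIM_NEIGHBOR = """\
Neighbor Address Interface Uptime Expires DR pri Bidir
10.0.0.1 inside 01:58:42 00:01:34 1
150.50.0.2 outside 01:58:42 00:01:44 1
"""

IFACE_RE = re.compile(r"^(\S+) is (up|down), line protocol is (up|down)$")
QUERY_RE = re.compile(r"^IGMP query interval is (\d+) seconds$")
LIMIT_RE = re.compile(r"^IGMP limit is (\d+), currently active joins: (\d+)$")
QUERIER_RE = re.compile(r"^IGMP querying router is (\S+)$")


def parse_igmp_interfaces(text):
    """Return {interface: {up, query_interval, limit, active_joins, querier}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:  # a new per-interface section begins
            current = m.group(1)
            interfaces[current] = {"up": m.group(2) == "up" and m.group(3) == "up"}
            continue
        if current is None:
            continue
        if (m := QUERY_RE.match(line)):
            interfaces[current]["query_interval"] = int(m.group(1))
        elif (m := LIMIT_RE.match(line)):
            interfaces[current]["limit"] = int(m.group(1))
            interfaces[current]["active_joins"] = int(m.group(2))
        elif (m := QUERIER_RE.match(line)):
            interfaces[current]["querier"] = m.group(1)
    return interfaces


def parse_pim_neighbors(text):
    """Return {interface: [neighbor addresses]}; the header line is skipped."""
    neighbors = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0][0].isdigit():
            continue
        neighbors.setdefault(fields[1], []).append(fields[0])
    return neighbors


def check_task(igmp, pim, rp="150.50.0.2"):
    """Compare parsed state with this lab's task; an empty list means it matches."""
    findings = []
    inside = igmp.get("inside", {})
    if not inside.get("up"):
        findings.append("inside is not up for IGMP")
    if inside.get("query_interval") != 30:
        findings.append(f"inside query interval is {inside.get('query_interval')}, expected 30")
    if inside.get("limit") != 100:
        findings.append(f"inside IGMP limit is {inside.get('limit')}, expected 100")
    limit = inside.get("limit")
    if limit is not None and inside.get("active_joins", 0) >= limit:
        findings.append("inside IGMP state limit reached; further joins will be refused")
    if not pim.get("inside"):
        findings.append("no PIM neighbor on inside (expected R1)")
    if rp not in pim.get("outside", []):
        findings.append(f"RP {rp} is not a PIM neighbor on outside")
    return findings


if __name__ == "__main__":
    result = check_task(parse_igmp_interfaces(SHOW_IGMP_INTERFACE),
                        parse_pim_neighbors(SHOW_PIM_NEIGHBOR))
    print("OK: matches task" if not result else "\n".join(result))
```

On a real firewall, replace the two embedded strings with the captured output of the same commands; the limit-reached finding is the one worth alerting on in production, since hitting the IGMP state limit silently refuses new receivers on that interface.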
