wg-multicast - Re: Multicasts and Firewalls
Subject: All things related to multicast
List archive
- From: Toerless Eckert <>
- To: Peter John Hill <>
- Cc: Fred Zalupski <>, I2 Multicast Working Group <>
- Subject: Re: Multicasts and Firewalls
- Date: Thu, 15 May 2003 10:57:51 -0700
On Thu, May 15, 2003 at 01:37:06PM -0400, Peter John Hill wrote:
> Apparently with PIX firewalls, you need to have a router in front of the
> firewall and a gre tunnel through the firewall for multicast traffic. Let's
> have a vote, who thinks this sounds like a fun thing to set up? It would be
> nice if the PIX could do everything at layer 2 and did not need to be the
> router. I do believe that the newer code does allow that. I think they also
> added dhcp relay and ospf to the devices.
PIX firewall does support IGMP proxy routing in the newer versions of
the software (forgot the numbers). That of course is primarily useful
if you put it at the edge of the network and not necessarily between
PIM routers n a demarcation area. If you put it between Cisco IOS routers
you could probably make it work together with IGMP mroute-proxy configuration
on the Cisco IOS routers, but we have never tried to do that. If you're
desparate to have something working yesterday, maybe it's worth a try.
I don't know wether or not it's possible to have the PIX (or for that
matter any comparable firewall) be configured that it's invisible to
the neighboring routers at L3 - i always thought that that would be a
a great way to avoid router admins to consciously have to deal with a
firewall. Nevertheless, as soon as you want to do this on more than
just 2 interfaces bridged between each other and you want to support
IP Multicast, you most likely want to have something like IGMP Snooping
and PIM Snooping or RGMP on the firewall, and that isn't really any
easier than having that firewall support IGMP and PIM routing in the
first place.
I guess in general you simply want the firewall to support PIM routing,
and you should make that request to whoever sold you your firewall ;-))
Cheers
Toerless
>
> Of course, here at CMU, we do not have any firewalls that are run by the
> computing services organization, so I may not be the best person to help
> you.
>
> here it the link to cisco's doc, cco account req'd
> <http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800943fe.shtml>
>
> --On Thursday, May 15, 2003 9:33 AM -0400 Fred Zalupski
> <>
> wrote:
>
> >One of our member institutions is looking for advice from someone using a
> >firewall in a multicast-enabled environment. They recently installed a
> >Nortel Shasta (same look and feel as Checkpoint, he reports) and
> >subsequently discovered a problem receiving content. Anyone willing to
> >pass along
> >advice or experience, please contact me and I'll put you in touch with my
> >subscriber.
> >
> >Thanks and regards, all,
> >
> >--
> >Fred F. Zalupski
> >Engineering and Operations Coordinator
> >MAGPI GigaPoP, University of Pennsylvania
> >tel 215-573-6417
> >fax 215-898-9348
> >www.magpi.net
> >
> >
>
>
>
--
Thanks
Toerless Eckert
- Multicasts and Firewalls, Fred Zalupski, 05/15/2003
- Re: Multicasts and Firewalls, Peter John Hill, 05/15/2003
- Re: Multicasts and Firewalls, Toerless Eckert, 05/15/2003
- Re: Multicasts and Firewalls, Joel Jaeggli, 05/17/2003
- <Possible follow-up(s)>
- RE: Multicasts and Firewalls, Kelly, Vaughn [NCSUS Non J&J], 05/15/2003
- RE: Multicasts and Firewalls, Kelly, Vaughn [NCSUS Non J&J], 05/15/2003
- Re: Multicasts and Firewalls, Peter John Hill, 05/15/2003
Archive powered by MHonArc 2.6.16.