Regarding PIX multicast command- igmp join-group

Unanswered Question
Dec 28th, 2008

In case of multicasting it is mentioned that igmp join-group is used when the users(who need access to some multicast group) are not able to send the igmp join messages, then PIX firewall will join to the required multicast group on the behalf of those users.What that means?

Then how the PIX firewall will selectively forward the multicast traffic to these users.

Will it mean that the users who are not able to send igmp requests will not be able to send the igmp join requests even till PIX firewall OR will it mean that the PIX firewall will push the multicast traffic to the required users..but how the PIX firewall will know which users want multicast traffic until that users request reach the fiewall.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

PIX Firewall software version 6.2 enables you to statically configure multicast routes or use an Internet Group Management Protocol (IGMP) helper address for forwarding IGMP reports and leave announcements.

This list summarizes multicast support in this release.

*

Access list filters can be applied to multicast traffic to permit or deny specific protocols and ports.

*

Network Address Translation (NAT) and Port Address Translation (PAT) can be performed on the multicast packet source addresses only.

*

Multicast data packets with destination addresses in the 224.0.0.0/24 address range are not forwarded. However, everything else in the 224.0.0.0/8 address range is forwarded.

*

IGMP packets for address groups within the 224.0.0.0 through 224.0.0.255 range are not forwarded because these addresses are reserved for protocol use.

*

NAT is not performed on IGMP packets. When IGMP forwarding is configured, the PIX forwards the IGMP packets (report and leave) with the IP address of the helper interface as the source IP address.

HTH>

palsukh2002 Mon, 12/29/2008 - 16:33

Thanks for your reply

But I could not understand above in relation to igmp join-group command.

I understand that the users who can send their igmp request messages (through PIX FW) to the multicast source can join the multicast group and we can enable the igmp forward from one interface to another.But my question is about the users who cannot send the igmp query message to the multicast source.

palsukh2002 Tue, 12/30/2008 - 16:06

No actually

I am not asking any question about igmp V1 or 2.But My query is (as one of the cisco document says):-

1. Some clients(users) can send the igmp join request to the multicast source (through PIX Firewall) and they will get the multicast.

2. But some clients cannot sent the igmp join requests ,for these clients PIX will join the multicast group on behalf of these clients and then forward the multicast to these clients.My Question is how the Firewll will select that which clients(the one for which PIX has join the multicast group on their behalf) want multicast traffic--because their may still be some clients which may not want multicast.--Then how the PIX will selectively send multicast to the one who require it.OR it is like this that PIX will send multicast to all the clients(except the clients who has already joined some multicast group as mentioned in Point No. 1).

Ahhhh now I understand what you mean. If a client does not know that it wants to recevie multicast traffic - then it does not recevie it. BUT if the PIX is configured IGMP/Multicasting, and it has a muticast group address it acts as a multicast proxy device. IF the PIX is connected to a cisco switch - if the switch is or is not not configured for multicasting it's simple. The switch treats all UNKNOWN multicast packets the same way as a broadcast packet - it sends all unknown multicast packets out all interfaces except the one it was recevied on.

HTH>

Actions

This Discussion