smallbusiness
Community Manager

Article ID: 3099

Configuration of Internet Group Management Protocol (IGMP) on ISA500 Series Integrated Security Appliances

Objective

Internet Group Management Protocol (IGMP) allows hosts and their adjacent routers to establish multicast group membership, which helps use network resources efficiently for applications such as online streaming and gaming.

Note: By default, the firewall on the security appliance blocks multicast traffic from any zone to any other zone.

The objective of this article is to explain how to configure the following on the ISA500 Series Integrated Security Appliances:

• Allow multicast packets to the device.

• Create a firewall rule to permit multicast traffic from any zone to any zone. The example in this article creates a firewall rule that permits multicast traffic from the Wide Area Network (WAN) to the Local Area Network (LAN) of a security appliance.

• Enable IGMP Proxy and IGMP Snooping.

Applicable Devices

• ISA500 Series Integrated Security Appliances.

Software Version

• v1.4.14 - ISA500

Configuration of IGMP

Allow the Multicast Packets

Step 1. Log in to the ISA500 Series Configuration Utility and choose Firewall > Attack Protection. The Attack Protection page opens.

Step 2. Uncheck the Block Multicast Packets check box to allow multicast packets to reach the security appliance.

Step 3. Click Save to save the settings.

Configuration of Firewall Rule to Allow Multicast Traffic

Step 1. Use the ISA500 Series Configuration Utility to choose Firewall > Access Control > ACL Rules. The ACL Rules page opens.

Step 2. Click Add to add a new firewall rule.

The Rule - Add/Edit window opens.

Step 3. Click the On radio button in the Enable field to enable the firewall rule.

Step 4. In the From Zone drop-down list, choose the source zone of the traffic to which the ACL rule applies. In this example, WAN is selected.

Step 5. In the To Zone drop-down list, choose the destination zone of the traffic to which the ACL rule applies. In this example, LAN is selected.

Step 6. In the Services drop-down list, choose the service that the ACL rule covers. In this example, Any is selected so that the ACL rule covers all services.

Step 7. In the Source Address drop-down list, choose the source address for the ACL rule to cover. In this example, Any is selected to cover any source address.

Step 8. Choose the desired destination address from the Destination Address drop-down list. In this example, IPv4_Multicast is selected.

Step 9. Choose Always on from the Schedule drop-down list to keep the rule enabled at all times.

Step 10. Click the On radio button in the Log field to log each use of the ACL rule. Otherwise, click the Off radio button.

Step 11. Choose Permit from the Match Action drop-down list to permit the IPv4 multicast traffic to flow from WAN to LAN.

Step 12. Click OK to add the configured rule into the Access Control List.

The newly configured rule is added to the Access Control List table.

Enable IGMP Proxy and IGMP Snooping

IGMP Proxy enables hosts that are not directly connected to a downstream router to join a multicast group sourced from an upstream network. IGMP Snooping constrains IPv4 multicast traffic at Layer 2 by configuring Layer 2 LAN ports dynamically to forward IPv4 multicast traffic only to those ports that want to receive it. Follow the steps given below to enable IGMP Proxy and IGMP Snooping.

Step 1. Use the ISA500 Series Configuration Utility, and choose Networking > IGMP. The IGMP page opens.

Step 2. Click the On radio button in the IGMP Proxy field to enable IGMP Proxy on the device.

Step 3. Click the desired radio button in the IGMP Version field.

The options are described as follows:

• Version 1 — Allows the hosts to leave a multicast group without any leave messages to the router. The router uses a time-out based mechanism to determine the hosts that left the multicast group.

• Version 2 — Allows the hosts to send leave messages to the router which makes the termination process quick.

• Version 3 — Allows the host to configure the list of hosts from which it wants to receive multicast traffic. It can allow only the desired traffic.

Step 4. Click the On radio button in the IGMP Snooping field to enable IGMP Snooping on the device.

Step 5. Click Save to save the settings.
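The IGMP Version options above can be told apart on the wire, which helps confirm what hosts actually send before picking a version. The following is an added example, not part of the original article or of Cisco's software: it classifies a raw IGMP message (the IP payload) by kind and version using the type codes from RFC 1112, RFC 2236 and RFC 3376. The function names and sample messages are constructed for illustration.

```python
import struct

# Report type codes -> (kind, IGMP version), per RFC 1112 / 2236 / 3376.
REPORT_TYPES = {0x12: ("report", 1), 0x16: ("report", 2), 0x22: ("report", 3)}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum over the whole message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_igmp(msg: bytes):
    """Return (kind, version) for one IGMP message; raise ValueError if invalid."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp = msg[0], msg[1]
    if msg_type in REPORT_TYPES:
        return REPORT_TYPES[msg_type]
    if msg_type == 0x17:  # Leave Group exists only from version 2 onward
        return ("leave", 2)
    if msg_type == 0x11:  # Membership Query: version is inferred from length
        if len(msg) == 8:
            return ("query", 1 if max_resp == 0 else 2)
        if len(msg) >= 12:
            return ("query", 3)
        raise ValueError("query length between 8 and 12 bytes is invalid")
    raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")

def build(msg_type: int, max_resp: int, group: bytes, extra: bytes = b"") -> bytes:
    """Build a constructed sample message with a valid checksum (test data only)."""
    body = bytes([msg_type, max_resp, 0, 0]) + group + extra
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    group = bytes([239, 1, 1, 1])  # constructed sample multicast group address
    for sample in (build(0x16, 0, group), build(0x17, 0, group),
                   build(0x11, 100, bytes(4), b"\x02\x7d\x00\x00")):
        print(sample.hex(), classify_igmp(sample))
```
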
