Refer to the Exhibit. A Cisco security appliance has been inserted between a multicast source and its receiver, preventing multicast traffic between them. What is the best solution to address this problem?
A.
Create a static route on the multicast source and receiver pointing to the outside and inside interfaces of the security appliance respectively
B.
Configure a GRE tunnel to allow the multicast traffic to bypass the security appliance
C.
Configure SMR so the security appliance becomes an IGMP proxy agent, forwarding IGMP messages from hosts to the upstream multicast router
D.
Configure the security appliance as an IGMP multicast client
E.
Configure the security appliance as the rendezvous point of the multicast network so that (*, G) trees traverse it
Explanation:
A security appliance is nothing more than a Cisco PIX or an ASA. A is wrong because
Multicast Support (IGMP v2 and Stub Multicast Routing)
This release enables you to statically configure multicast routes or use an IGMP helper address for forwarding IGMP reports and leave announcements.
The following summarizes multicast support in this release:
NAT and PAT can be performed on the multicast packet source addresses only.
IGMP packets for address groups within the 224.0.0.0-224.0.0.255 range are not forwarded because these addresses are reserved for protocol use. NAT is not performed on IGMP packets. When IGMP forwarding is configured, the adaptive security appliance forwards the IGMP packets (report and leave) with the IP address of the helper interface as the source IP address.
Multicast Support
PIM sparse mode was added to allow direct participation in the creation of a multicast tree using PIM-SM. This capability extends existing multicast support for IGMP forwarding and for Class D access control policies and ACLs. PIM-SM provides an alternative to transparent mode operation in multicast environments.
The pim commands and the multicast-routing command added support to the new functionality in addition to the show mrib EXEC command in this feature. For more information, see the “Configuring Multicast Routing” section in the Cisco Security Appliance Command Line Configuration Guide.
For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
http://www.cisco.com/en/US/docs/security/asa/asa70/release/notes/asa_rn.html#wp208194
B is incorrect because of the following:
As explained in the PIX documentation, the PIX Firewall does not pass multicast packets, even though many routing protocols use multicast packets to transmit their data. Cisco considers it inherently dangerous to send routing protocols across the PIX Firewall. If the routes on the unprotected interface are corrupted, the routes transmitted to the protected side of the firewall pollute routers there as well.
Note: At this time, you cannot terminate GRE tunnels on the PIX. In order to terminate a GRE tunnel, you need a virtual tunnel interface. At this time, however, PIX version 7.0 only supports physical and logical interfaces.
http://www.cisco.com/warp/public/707/tunnel_pix.pdf
C is incorrect because of the following:
Configuring a Static Rendezvous Point Address
All routers within a common PIM sparse mode or bidir domain require knowledge of the PIM RP address. The address is statically configured using the pim rp-address command. The security appliance does not support Auto-RP or PIM BSR; you must use the pim rp-address command to specify the RP address.
Answer D is incorrect because
Configuring a Static Multicast Route
When using PIM, the security appliance expects to receive packets on the same interface where it sends unicast packets back to the source. In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another.
Static multicast routes are not advertised or redistributed. To configure a static multicast route for PIM, enter the following command:
hostname(config)# mroute src_ip src_mask {input_if_name | rpf_addr} [distance]
To configure a static multicast route for a stub area, enter the following command:
hostname(config)# mroute src_ip src_mask input_if_name [dense output_if_name] [distance]
The dense output_if_name keyword and argument pair is only supported for stub multicast routing.
Answer E more information
For More Information about Multicast Routing
The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature:
RFC 2236 IGMPv2
RFC 2362 PIM-SM
RFC 2588 IP Multicast and Firewalls
RFC 2113 IP Router Alert Option
IETF draft-ietf-idmr-igmp-proxy-01.txt
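The IGMP forwarding rules quoted from the release notes in the explanation above (only report and leave messages are relayed, groups in 224.0.0.0-224.0.0.255 are never forwarded, and the source address becomes the helper interface address) can be modelled as follows. This is an added example, not Cisco code or part of the original explanation; the `IgmpMessage` type, the `forward_igmp` function, the sample addresses and the choice to drop non-multicast group addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# 224.0.0.0-224.0.0.255: reserved for protocol use, never forwarded.
RESERVED = ipaddress.ip_network("224.0.0.0/24")
# Full class D (multicast) range; anything outside it is not a valid group.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Only reports and leaves are relayed to the upstream multicast router.
FORWARDED_KINDS = {"report", "leave"}


@dataclass(frozen=True)
class IgmpMessage:  # hypothetical type for this example
    kind: str   # "report", "leave", "query", ...
    group: str  # multicast group address
    src: str    # source IP address of the IGMP packet


def forward_igmp(msg: IgmpMessage, helper_ip: str) -> Optional[IgmpMessage]:
    """Return the message as it leaves the helper interface, or None if dropped."""
    if msg.kind not in FORWARDED_KINDS:
        return None
    group = ipaddress.ip_address(msg.group)
    if group not in MULTICAST:
        return None  # assumption: malformed group addresses are dropped
    if group in RESERVED:
        return None  # reserved range is not forwarded
    # No NAT is applied; the source is simply the helper interface address.
    return replace(msg, src=helper_ip)


def run_samples(helper_ip: str = "192.0.2.1"):
    """Apply the rules to constructed sample messages from an inside host."""
    samples = [
        IgmpMessage("report", "239.1.1.1", "10.0.0.5"),
        IgmpMessage("leave", "224.0.1.0", "10.0.0.5"),     # first address past the reserved range
        IgmpMessage("report", "224.0.0.255", "10.0.0.5"),  # last reserved address
        IgmpMessage("query", "239.1.1.1", "10.0.0.5"),
    ]
    return [forward_igmp(m, helper_ip) for m in samples]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```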
The answer highlights C as correct; the following explanation explains why C is wrong.
@Riley the explanations are according to the following options and not according to the options mentioned above.
A. Configure the security appliance as an IGMP multicast client.
B. Configure a GRE tunnel to allow the multicast traffic to bypass the security appliance.
C. Configure the security appliance as the rendezvous point of the multicast network so that all (*, G) trees traverse it.
D. Create a static route on the multicast source and receiver pointing to the outside and inside interfaces of the security appliance.
E. Configure SMR so the security appliance becomes an IGMP proxy agent, forwarding IGMP messages from hosts to the upstream multicast router