Multicast and Firewalls

By Arvind Durai

Overview of Multicast support in FWSM from 3.x version

Cisco Secure Firewall Services Module (FWSM) release version 3.x introduces enhanced support of multicast in firewalls. The support available in FWSM after the 3.0 release is:

  • In single context routed mode, PIM routing, bi-directional PIM, and IGMP v1/v2 are supported.
  • Topologies with PIM neighbors are supported.
  • Destination Network Address Translation (NAT) is supported with multicast streams (as well as source NAT).
  • All packet replications are handled by the FWSM directly.
  • Enhancements to allow the transparent FWSM forwards multicast traffic through hardware shortcuts.

Multicast Feature in FWSM 3.x Code Release

Diagram 1

Diagram 1

Diagram 1

The following design methods are available to pass multicast traffic through firewalls:

  1. For the 3.x code release or later, use the FWSM in the single context routed mode. The FWSM can participate as a PIM router. After enabling multicast routing in the FWSM, PIM and IGMP are enabled by default on the interface. No explicit command is needed to enable PIM or IGMP.
  2. GRE passes the multicast traffic through the tunnel. This is used as a solution quite often. The FWSM does not need a special configuration for configuring multicast. However, access list configuration is needed in the FWSM to allow GRE packets to pass through the FWSM. The routing at the Layer 3 device that sources and terminates the GRE needs to be configured, to verify if the multicast traffic takes a correct RPF interface toward the source, receivers, and the RP. GRE can be used for multiple context routed mode. In this method, the FWSM does not inspect the multicast packet encapsulated in GRE header.
  3. In transparent firewalls through ACLs, the firewall passes the traffic in single context and multiple context modes. In the 3.x code version or later, the performance has been optimized for this configuration.
  4. When policy-based routing (PBR) is configured on Layer 3 first hop devices to the FWSM, the PBR will divert the traffic from the FWSM. Configuring multiple context modes for the multicast pass-through with PBR will need careful study of multicast congruency. Sometimes this might become a complex scenario to understand and troubleshoot.
  5. The FWSM can be configured as a stub network to pass the IGMP query to the upstream interface of the firewall. The FWSM does not participate in the PIM messages.


As more applications adapt to make the optimized use of bandwidth, dependence of these applications on multicast is becoming more prevalent. Therefore, there is an increasing requirement for multicast to traverse from one security domain to the other security domain. These design methods give options to support multicast via firewall (FWSM).

About the Author:

Arvind Durai is an Advanced Services Technical Leader for Cisco Systems. His primary responsibility has been in supporting major Cisco customers in Enterprise sector, some of which include Financial, Manufacturing, E-commerce, State Government, and Health Care sectors. One of his focuses has been on security and Arvind has authored several white papers, design guides in various technologies, and has co-authored Cisco press publication, ‘Cisco Secure Firewall Services Module (FWSM). Mr. Durai maintains two CCIE certifications in Routing and Switching, and Security. He also holds a Bachelor of Science degree in Electronics and Communication, a Master's degree in Electrical Engineering (MS) and Master's degree in Business Administration (MBA).

Arvind Durai

Cisco Secure Firewall Services Module (FWSM)

Cisco Secure Firewall Services Module (FWSM)
Ray Blair and Arvind Durai
ISBN-10: 1587053535
Pub Date: 8/29/2008
US SRP $65.00
Publisher: Cisco Press