This article provides a general action plan for allowing the Dynamic Protocols traffic to pass through Security Gateway.
For more details about Dynamic Routing protocols, refer to these Advanced Routing Administration Guides and to the relevant documents (RFC) available on the Internet:
| OS |
Guides |
| SecurePlatform |
|
| Gaia |
|
After performing the necessary configuration steps in SmartDashboard, install the policy on the Security Gateways.
List of protocols:
-
Allowing OSPF
-
Allowing BGP
-
Allowing PIM
-
Allowing RIP (v1, v2)
-
Allowing IGRP
(1) Allowing OSPF
Related Solutions:
An OSPF rule looks like this - the Destination address is always the OSPF routers themselves, as well as the multicast addresses of 224.0.0.5 (All OSPF Routers) and 224.0.0.6 (All Designated Routers).
- Create a Host object that represents 224.0.0.1 (All OSPF Hosts) and call it, for example '
ALLSYSTEMS.MCAST.NET'.
- Create a Host object that represenst 224.0.0.5 (All OSPF Routers) and call it, for example '
OSPF-ALL.MCAST.NET'.
- Create a Host object that represents 224.0.0.6 (All Designated Routers) and call it, for example '
OSPF-DSIG.MCAST.NET'.
| Source |
Destination |
Service |
Action |
Install On |
OSPF Routers
Relevant Security Gateways |
'ALLSYSTEMS.MCAST.NET' (224.0.0.1)
'OSPF-ALL.MCAST.NET' (224.0.0.5)
'OSPF-DSIG.MCAST.NET' (224.0.0.6)
OSPF Routers
Relevant Security Gateways |
ospf
igmp |
Accept |
Relevant Security Gateways |
(2) Allowing BGP
Related Solutions:
BGP runs over TCP port 179. One TCP connection is opened for each BGP peer. Each peer must be allowed to send BGP messages over its connection to the Security Gateway. Make a group of the GP peers and allow the group with the following rule:
| Source |
Destination |
Service |
Action |
Install On |
BGP Peers
Relevant Security Gateways |
BGP Peers
Relevant Security Gateways |
bgp |
Accept |
Relevant Security Gateways |
(3) Allowing PIM
Related Solutions:
To allow Sparse Mode PIM Traffic or Dense Mode PIM Traffic:
- Create a Host object that represents 224.0.0.13 (PIM v2) and call it, for example '
PIM.MCAST.NET'.
- Create a custom service in SmartDashboard → tab '
Services' → '?? Other' → right mouse click → 'New Other...':
- Under '
Name:' type, for example 'PIM_service'
- Under '
IP Protocol:' type 103 (Note: this is the number assigned to PIM protocol)
Then create the following rule at the very top of the rulebase:
| Source |
Destination |
Service |
Action |
Install On |
Relevant Security Gateways
PIM neighbors |
'PIM.MCAST.NET' (224.0.0.13)
|
PIM_service
igmp |
Accept |
Relevant Security Gateways |
(4) Allowing RIP (v1, v2)
Related Solutions:
(4-A) RIP version 1
RIPv1 runs over UDP port 520. It sends and receives all messages on this port. All messages are sent to the local broadcast address. To enable RIPv1, add a rule to allow all the neighbors of the Security Gateway to send messages to UDP port 520 on the local broadcast network.
| Source |
Destination |
Service |
Action |
Install On |
| Neighbor_1 |
Network_1_Broadcast_Address |
rip |
Accept |
Relevant Security Gateways |
| Neighbor_2 |
Network_2_Broadcast_Address |
rip |
Accept |
Relevant Security Gateways |
| Neighbor_3 |
Network_3_Broadcast_Address |
rip |
Accept |
Relevant Security Gateways |
(4-B) RIP version 2
RIPv2 can use either the RIPv1 broadcast transport mechanism, or a multicast transport - 224.0.0.9 (RIP v2). To enable RIPv2 in multicast mode, create a Host object that represents 224.0.0.9 and call it, for example 'RIP2-ROUTERS.MCAST.NET'.
| Source |
Destination |
Service |
Action |
Install On |
| Neighbors |
'RIP2-ROUTERS.MCAST.NET' (224.0.0.9) |
rip |
Accept |
Relevant Security Gateways |
(5) Allowing IGRP
IGRP runs on top of IP. IGRP has protocol number 9 assigned to it. Define a group of neighbor routers that participate in IGRP routing, and allow the IGRP traffic on the relevant Security Gateways:
| Source |
Destination |
Service |
Action |
Install On |
| Neighbors |
Relevant Security Gateways |
igrp |
Accept |
Relevant Security Gateways |
|
Imported from Nokia support database
|
