Multicasting, Protocol independent multicast (pim), Securing remote access using ipsec vpn – Foundry Networks AR3202-CL User Manual

Page 49: Multicasting, Protocol Independent Multicast (PIM), Securing Remote Access Using IPSec VPN


Multicasting

Traditional multicast routing mechanisms such as Distance Vector Multicast Routing Protocol (DVMRP) and Multicast Open
Shortest Path First (MOSPF) were intended for use within regions where groups are densely populated or bandwidth is
universally plentiful. When groups, and senders to these groups, are distributed sparsely across a wide area, these “dense
mode” schemes do not perform efficiently.

Protocol Independent Multicast (PIM)

Protocol Independent Multicast (PIM) protocols route multicast packets to multicast groups. PIM is protocol independent
because it can leverage whichever unicast routing protocol is used to populate the unicast routing table. PIM has two
modes: Dense Mode (DM) and Sparse Mode (SM). Foundry supports SM only.

PIM-DM floods multicast traffic throughout the network initially and then generates prune messages as required. PIM-SM
attempts to send multicast data only to networks which have active receivers. This is achieved by having a common
Rendezvous Point (RP) known to the senders and receivers and by forming shared trees from the RP to the receivers.

PIM-SM is described in RFC 2362.

Securing Remote Access Using IPSec VPN

This feature allows AR-series router administrators to form a secure tunnel that joins two private networks over the Internet.
The following examples show how to set up an end-to-end tunnel with a single proposal and pre-shared key authentication,
with multiple proposals and pre-shared key authentication, and with an SA Bundle and pre-shared key authentication.

The corporate network no longer has a clearly defined perimeter inside secure buildings and locked equipment closets.
Increasingly, companies need to provide remote access to their corporate resources for employees on the
move.

Traditionally, remote users could access the corporate LAN through dial-up and ISDN lines which were terminated in the
corporate remote access servers. However, these point-to-point connection technologies do not scale well to the growing
number of remote users and the corresponding increase in the infrastructure investments and maintenance costs.

A solution to meeting the needs of increasing numbers of remote users and for controlling access costs is to provide
remote access through the Internet using firewalls and a Virtual Private Network (VPN). Internet Protocol Security (IPSec)
keeps the connection safe from unauthorized users.

In a typical IPSec remote access scenario, the mobile user has connectivity to the Internet and an IPSec VPN client loaded on
their PC. The remote user connects to the Internet through their Internet service provider and then initiates a VPN
connection to the IPSec security gateway (the VPN server) of the corporate office, which typically has an always-on Internet
connection.

One of the main limitations in providing remote access is that the typical remote user connects with a dynamically assigned IP
address provided by the ISP. IPSec uses the IP address of users as an index to apply the Internet Key Exchange (IKE) and
IPSec policies to be used for negotiation with each peer. When the VPN client has a dynamic IP address, the VPN server
cannot access the policies based on the IP address of the client. Instead, the VPN server uses the identity of the VPN client
to access the policies.
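
The lookup described above, sketched as an added example (this is not Foundry's code or CLI). The policy names, proposal labels, identity-type strings and sample peers are hypothetical and constructed for illustration; the function indexes fixed peers by source address, falls back to the client's IKE identity for dynamic addresses, and rejects anything that matches neither.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    proposals: tuple  # proposals offered to this peer, in preference order

# Constructed sample tables (hypothetical names, not taken from the manual).
BY_ADDRESS = {  # site-to-site peers with fixed public addresses
    ipaddress.ip_address("198.51.100.10"): Policy("branch-office", ("3des-sha1",)),
}
BY_IDENTITY = {  # remote users whose ISP-assigned address changes
    ("user_fqdn", "alice@example.com"): Policy("remote-users", ("aes-sha1", "3des-sha1")),
    ("fqdn", "laptop7.example.com"): Policy("remote-users", ("aes-sha1", "3des-sha1")),
}

def select_policy(src_ip, id_type, id_value):
    """Return the Policy to negotiate with this peer, or None to reject it.

    Selection only picks the policy; the peer must still prove knowledge of
    the pre-shared key configured in that policy before any SA is created.
    """
    addr = ipaddress.ip_address(src_ip)

    # 1. Fixed-address peer: the source address is the index.
    if addr in BY_ADDRESS:
        if id_type == "ipv4_addr":
            try:
                claimed = ipaddress.ip_address(id_value)
            except ValueError:
                return None          # malformed identity payload
            if claimed != addr:
                return None          # identity disagrees with packet source
        return BY_ADDRESS[addr]

    # 2. Dynamic-address peer: the address carries no meaning, so the
    #    identity presented by the VPN client is the index instead.
    if id_type in ("fqdn", "user_fqdn"):
        return BY_IDENTITY.get((id_type, id_value.strip().lower()))

    # 3. Unknown address and no usable identity: fail closed, no default policy.
    return None
```

Note that the same identity resolves to the same policy from any source address, which is the property a dynamically addressed client needs; there is deliberately no catch-all entry.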

Table 4.3: RIP RFC Compliance

2082    RIP-II MD5 Authentication
