Virtual Routers

In large networks, it often happens that multiple logical networks use the same network devices for their traffic. This traffic needs to be separated at the devices, first and foremost to reduce the risk of unauthorized cross-network access.

Virtual routers, or Virtual Routing and Forwarding (VRF) features, provide traffic separation by organizing network interfaces into independent groups. The traffic from one interface group cannot reach other interface groups.

Each virtual router has its own routing table. A virtual router's routing table can contain route records defined statically or obtained using dynamic routing protocols, such as BGP, OSPF, or RIP.

Different virtual routers are allowed to use the same IP networks (IP overlapping).

Network interfaces that have not been assigned explicitly to one of the virtual routers are automatically assigned to the Default virtual router.

Virtual routers have the following limitations:

  • These services can only be used in the default virtual router:

    • WCCP

    • ICAP

    • DNS

    • Authorization

    • Any network traffic that is generated by the device itself, such as license checks, update downloads, log uploads, sending email/SMS messages, SNMP traps, etc.

  • The NAT, DNAT, and port forwarding rules apply to all virtual routers.

  • The zones are global --- that is, the zone settings and interface-to-zone mappings apply to all virtual routers.

Note The default virtual router is required for the correct operation of NGFW. It is used to check licenses, download updates, and provide DNS services.

To add a virtual router, follow these steps:

Note! These prefixes cannot be used in the name of a virtual router: port, gre, egress, ingress, tun, tap, erspan, ppp, bond, bridge, pimreg.

Name

Description

Step 1. Create a new virtual router.

In the Network ➜ Virtual routers section, click "Add" and provide a name and description for the new virtual router. Specify the name of the cluster node on which this virtual router is being created, if you have a cluster.

Step 2. Add network interfaces to the newly created virtual router.

On the Interfaces tab, select the network interfaces that should be added to this virtual router. Interfaces that are already added to other virtual routers are not available for selection; any single interface can only belong to one virtual router. All types of interfaces, including physical, virtual (VLAN), bond, VPN, and others can be added to a virtual router.

Step 3. (Optional) Add static routes.

Add the routes (except the default route) that will be applied to the traffic in this virtual router. For more details, see the Static Routes section.

The default route is added in the Network ➜ Gateways section. For more details on configuring gateways, see the section Gateway Configuration.

Step 4. (Optional) Add dynamic routes obtained using the OSPF routing protocol.

Configure the OSPF protocol to build a dynamic route map. For more details, see the section OSPF.

Step 5. (Optional) Add dynamic routes obtained using the BGP routing protocol.

Configure the BGP protocol to build a dynamic route map. For more details, see the BGP section.

Step 6. (Optional) Add dynamic routes obtained using the RIP routing protocol.

Configure the RIP protocol to build a dynamic route map. For more details, see the RIP section.

Step 7. (Optional) Configure multicasting.

Configure the multicasting settings for this virtual router. For more details, see the Multicasting section.

Static Routes

This section describes how to specify a route to a network that is behind a specific router. For example, a local network can have a router that combines several IP subnets. The route is applied locally to the specific cluster node and virtual router where it is created.

To add a route, follow these steps:

Name

Description

Step 1. Select a virtual router.

If there are several virtual routers, select the desired one.

Step 2. Provide a name and description for the route.

In the Network ➜ Virtual routers section, select Static routes in the menu and click Add. Provide a name for the new route. Optionally, you can also provide a description for the route.

Step 3. Select the route type.

The following route types are available:

  • Unicast: the standard route type. Forwards the traffic destined for the specified address via the specified gateway.

  • Blackhole: drops the traffic without informing the source that the data did not reach the recipient.

  • Unreachable: drops the traffic and sends the "Host unreachable" ICMP message (type 3, code 1) to the source.

  • Prohibit: drops the traffic and sends the "Host unreachable" ICMP message (type 3, code 13) to the source.

Step 4. Specify the destination address.

Specify the subnet where the route will point to, such as 172.16.20.0/24 or 172.16.20.5/32.

Step 5. Specify the gateway.

Specify the IP address of the gateway through which the above subnet will be accessible. This IP address must be reachable from NGFW.

Step 6. Specify the network interface.

Specify the network interface through which the route will be added. If you keep the default value, Automatically, NGFW will determine the interface based on the IP address settings of the available network interfaces.

Step 7. Specify the metric.

Specify the metric for the route. The lower the metric value, the higher the route's priority, if there are multiple routes to this network.
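The following added example (not the NGFW product's code) models what the Virtual Routers and Static Routes sections describe: each virtual router keeps a private routing table, two routers may carry the same subnet (IP overlapping), a lookup prefers the longest prefix and then the lowest metric, and the four route types map to forward, silent drop, or drop with the ICMP message the page lists. The VRF names, gateways and prefixes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, List, Tuple

# What the forwarding plane does for each route type named in the Static Routes
# steps. The ICMP type/code pairs are the ones listed on this page.
ACTIONS = {
    "unicast": "forward",
    "blackhole": "drop",                # silent drop, no ICMP to the source
    "unreachable": "drop+icmp 3/1",     # ICMP type 3 code 1
    "prohibit": "drop+icmp 3/13",       # ICMP type 3 code 13
}


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    kind: str = "unicast"
    gateway: Optional[str] = None
    metric: int = 0


@dataclass
class VirtualRouter:
    """One virtual router: a private routing table that no other VRF can see."""
    name: str
    routes: List[Route] = field(default_factory=list)

    def add_route(self, dest: str, kind: str = "unicast",
                  gateway: Optional[str] = None, metric: int = 0) -> None:
        if kind not in ACTIONS:
            raise ValueError(f"unknown route type {kind!r}")
        if kind == "unicast" and gateway is None:
            raise ValueError("a unicast route needs a gateway")
        self.routes.append(Route(ipaddress.ip_network(dest), kind, gateway, metric))

    def lookup(self, dst_ip: str) -> Tuple[str, Optional[str]]:
        """Longest-prefix match; among equal-length prefixes the lowest metric wins."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if ip in r.dest]
        if not matches:
            return ("no-route", None)
        best = min(matches, key=lambda r: (-r.dest.prefixlen, r.metric))
        return (ACTIONS[best.kind], best.gateway)


def build_demo() -> Tuple[VirtualRouter, VirtualRouter]:
    """Constructed sample: two VRFs that both carry 10.0.0.0/24 (IP overlapping)."""
    office = VirtualRouter("office")
    office.add_route("10.0.0.0/24", gateway="192.0.2.1")
    office.add_route("172.16.20.0/24", gateway="192.0.2.1", metric=10)
    office.add_route("172.16.20.5/32", gateway="192.0.2.2")            # host route: longer prefix wins
    office.add_route("172.16.30.0/24", gateway="192.0.2.3", metric=10)
    office.add_route("172.16.30.0/24", gateway="192.0.2.4", metric=5)  # same prefix: lower metric wins
    office.add_route("203.0.113.0/24", kind="blackhole")
    office.add_route("198.51.100.0/24", kind="prohibit")

    guest = VirtualRouter("guest")
    guest.add_route("10.0.0.0/24", gateway="192.0.2.254")   # same subnet, different gateway
    return office, guest


if __name__ == "__main__":
    office, guest = build_demo()
    for vr in (office, guest):
        print(vr.name, "10.0.0.7 ->", vr.lookup("10.0.0.7"))
    print("office 172.16.20.5 ->", office.lookup("172.16.20.5"))
    print("office 203.0.113.9 ->", office.lookup("203.0.113.9"))
```

The point of the two lookups for 10.0.0.7 is separation: the guest router never sees the office router's table, so the same destination resolves to a different gateway in each, and a destination with no route in a given VRF is not silently served by another VRF's entry.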

Dynamic Routing Protocols

Dynamic routing protocols are used to signal which networks are currently connected to each of the routers. Routers communicate using routing protocols. NGFW updates the kernel routing table in accordance with the information it receives from the neighboring routers.

Dynamic routing does not change how the kernel performs routing at the IP layer. The kernel keeps looking up routes to hosts and networks as well as default routes in its routing table. The only thing that changes is how routes are managed in the routing table: instead of the manual method, they are added and removed dynamically.

Note If static gateways are configured in the system, the default routes obtained using dynamic routing protocols are ignored.

NGFW supports three dynamic routing protocols: OSPF, BGP, and RIP.

OSPF

Routes are only added to the virtual router in which the OSPF protocol is configured.

OSPF (Open Shortest Path First) is a dynamic routing protocol based on the link-state monitoring technology and using Dijkstra's algorithm to find the shortest path.

The OSPF protocol disseminates information on the available routes among the routers that operate within a single autonomous system (AS). For more details on how the OSPF protocol works, see the relevant technical documentation.

Note When OSPF is used in an Active-Passive HA cluster, the node with the slave role automatically assigns all its interfaces and redistribution lists a cost twice as high as the cost set on the master node. This ensures that the master node has priority in traffic routing.

To configure OSPF in NGFW, follow these steps:

Name

Description

Step 1. Select a virtual router.

If there are several virtual routers, select the desired one.

Step 2. Enable the OSPF router.

In the NGFW console, go to the Network ➜ Virtual routers section, select OSPF in the menu, and configure the OSPF router.

To configure an OSPF router, provide the following settings:

Name

Description

Enabled

Enables or disables this OSPF router.

Router ID

The router's IP address. Must be unique and specified in IPv4 format (for convenience, it can match one of the IP addresses assigned to the NGFW network interfaces that belong to this virtual router).

Redistribute

Distribute routes towards networks directly connected to NGFW (connected) or static routes added by the administrator for this virtual router (kernel) to other OSPF routers.

Metric

Set a metric for the distributed routes.

Default originate

Notify other routers that this router has a default route.

To configure OSPF interfaces, provide these settings:

Name

Description

Enabled

Enable or disable the interface.

Interface

Select one of the existing interfaces on which OSPF will run. Only the interfaces belonging to this virtual router are available for selection.

Network type

Select a network type to optimize the adjacency establishment process. The following settings are available:

  • Not specified.

  • Broadcast.

  • Point-to-point.

  • Point-to-multipoint.

Passive mode

Enable/disable the passive operating mode of the interface, in which routing protocol update packets are prohibited from being sent through the interface.

Cost

The link cost for this interface. This value is reported in the LSA (link-state advertisement) to the neighboring routers which use it to compute the shortest path. Default value: 1.

Priority

An integer in the range from 0 to 255. The higher the value, the higher the probability that this router will become the network's designated router for sending out LSAs. A value of 0 excludes the router from being designated. Default value: 1.

Hello interval

The time interval in seconds between hello packets sent by the router. This should be the same for all routers in an autonomous system. The default value is 10 seconds.

Dead interval

The time interval in seconds after which the neighboring router is considered offline. The time is counted from the moment of receiving the last hello packet from the neighboring router. The default value is 40 seconds.

Retransmit interval

The time interval before LSA packet retransmission. The default value is 5 seconds.

Transmit delay

The approximate time it takes to deliver a link state update to the neighboring routers. The default value is 1 second.

Bfd profile

Defines BFD settings for OSPF monitoring. This makes it possible for the corresponding BFD session connection events to instantly update the OSPF interface status.
For more details, see the BFD Profiles section.

Authentication

Enabled

Turns on mandatory authentication for each OSPF message received by the router. Authentication is normally used to prevent the injection of a fake route from illegitimate routers.

Authentication type

The options are:

  • Plain: send the key in plain text for router authentication. A value must be provided for the Key field.

  • Digest: use an MD5 hash of the key to authenticate OSPF packets. The values of Key and MD5 key ID must be provided. For authentication to work correctly, these parameters must be identical on all routers.

The Key value can only include Latin letters, numbers, and the underscore character. Maximum length: 16 characters.

To configure OSPF areas, provide these settings:

Name

Description

Enabled

Enables or disables this area.

Name

The area name.

Cost

The cost of an LSA announced in the stub area.

Area ID

The ID for the area. The ID can be specified in decimal format or IP address record format. The area ID must match to establish an OSPF adjacency.

Authorization type

The options are:

  • None: do not require OSPF packet authorization.

  • Plain: transmit the key as plain text to authenticate OSPF packets. The key specified in the interface settings is used.

  • Digest: use an MD5 hash of the key to authenticate OSPF packets. The key specified in the interface settings is used.

The interface-level authentication setting takes precedence over the area-level authorization setting.

Area type

Defines the type of the area. The following area types are supported:

  • Normal: a normal area created by default. This area receives link updates, summary routes, and external routes.

  • Stub: a stub area. Does not receive information on routes external to the autonomous system but receives routes from other areas. If routers from a stub area need to send information outside of the autonomous system, they use the default route. An ASBR cannot reside in a stub area.

  • NSSA: Not-so-stubby area. An NSSA area defines an additional LSA type, type 7. A boundary router (ASBR) can be located in the NSSA area.

No summary

Prohibits injecting summarized routes into stub-type areas.

Interfaces

Select the OSPF interfaces on which this area will be available.

Virtual links

This is a special type of connection that makes it possible, for example, to interconnect a partitioned area or connect an area to the backbone area via another area. It is configured between two ABRs.

Routers can transmit OSPF packets encapsulated in IP packets over such links. This mechanism is used as a temporary solution or as a backup in case the primary connections fail.

You can specify the IDs of the routers reachable via this area.

BGP

Routes are only added to the virtual router in which the BGP protocol is configured.

BGP (Border Gateway Protocol) is a dynamic routing protocol that belongs to the class of external gateway protocols (EGP, External Gateway Protocol). Currently, it is the main dynamic routing protocol used on the Internet. The BGP protocol is designed to exchange routing and reachability information among autonomous systems (AS), which are groups of routers with common technical management and administration that use intra-domain routing protocols to determine routes within a group and an inter-domain routing protocol to determine routes for packet delivery to other ASs. The information transmitted includes the list of ASs that can be accessed via this system. The best routes are selected based on the rules that are in place in the network. For more details on how the BGP protocol works, see the relevant technical documentation.

To configure BGP in NGFW, follow these steps:

Name

Description

Step 1. Select a virtual router.

If there are several virtual routers, select the desired one.

Step 2. Enable the BGP router.

In the NGFW console, go to the Network ➜ Virtual routers section, select BGP in the menu, and configure the BGP router.

Step 3. Specify the filters and optional routemaps to limit the number of routes to receive.

In the Filters section, click Add and configure the Routemap and filter settings. Add as many routemaps/filters as required for BGP to work in your organization.

Step 4. Add at least one BGP neighbor (peer).

In the Neighbors section, click Add and configure the router settings for the neighboring AS. Add as many neighbors as required.

Important! RFC 8212 includes a mandatory requirement that export and import filters be added for each neighbor. Without import filters, the router will not receive routes from that neighbor, and without export filters, the router will not advertise routes to that neighbor.

If several IP addresses are assigned to the NGFW interface from which the connection to a neighbor is being established, then in absence of a NAT rule that force-assigns a source address to the BGP session with this neighbor, you need to specify the primary IP address (i.e., the one listed first in the interface settings) as the NGFW address when configuring the BGP neighbor.

To configure a BGP router, provide the following settings:

Name

Description

Enabled

Enables or disables this BGP router.

Router ID

The router's IP address. Must match one of the IP addresses assigned to the NGFW network interfaces that belong to this virtual router.

AS number

An autonomous system is a system of IP networks and routers managed by one or more operators that have a single routing policy. The autonomous system number identifies the router as belonging to that system.

Redistribute

Enables the routes towards networks directly connected to NGFW, static routes added by the administrator for this virtual router (kernel), or routes received using the OSPF protocol to be distributed to other BGP routers.

Multiple path

Enables traffic load balancing to routes with identical cost.

Networks

The list of networks that belong to this AS.

To add BGP neighbors, click Add and provide these settings:

Name

Description

Enabled

Enables or disables this neighbor.

Host

The neighbor's IP address.

Description

An arbitrary description for the neighbor.

Remote ASN

The neighbor's AS number.

Weight

The weight assigned to route data received from this neighbor.

TTL

The maximum allowed number of hops to this neighbor.

Bfd profile

Configure BGP monitoring using the BFD profile to enable faster detection of connection faults.

For more information on configuring BFD, see BFD Profiles.

Announce self as next hop for BGP

Replace the next-hop value in routes advertised to this neighbor with NGFW's own IP address (next-hop-self), if the neighbor uses BGP.

Multihop for eBGP

Indicates that the connection to this neighbor is indirect (more than a single hop).

Route reflector client

Indicates if the neighbor is a route reflector client.

Soft reconfiguration

Use soft reconfiguration (without terminating connections) for configuration updates.

Default originate

Advertise the default route to this neighbor.

Authentication

Enables authentication for this neighbor. The authentication password is set here.

BGP neighbor filters

Limits the route information received from the neighbors or advertised to them.

Routemaps

Routemaps are used to manage routing tables and specify the match conditions under which routes are passed between domains.

A routemap allows filtering of routes on redistribution and modification of various route attributes. To create a routemap, provide the following settings:

Name

Description

Name

The routemap name.

Action

Sets the action for this routemap. Can take the following values:

  • Allow: allows data that matches the routemap conditions.

  • Block: blocks data that matches the routemap conditions.

Match by

Routemap conditions. Can take the following values:

  • IP. If this condition is selected, go to the IP addresses tab and add all required IP addresses for the condition.

  • AS path. If this condition is selected, go to the AS path tab and add all required AS numbers for the condition. POSIX 1003.2 regular expressions are allowed, supplemented by the underscore (_) character that is interpreted as:

    • A space

    • A comma

    • Start of line

    • End of line

    • AS set delimiter { and }

    • AS confederation delimiter ( and ).

  • Community. If this condition is selected, go to the Community tab and add all required BGP community strings for the condition.
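The AS path condition above is easiest to understand by implementing the underscore rule. The following added example (not the NGFW product's code) rewrites "_" into the alternatives the page lists (start or end of the path, a space, a comma, an AS-set brace, a confederation parenthesis) and evaluates a routemap's Allow/Block action against constructed sample AS paths. The no-match behaviour (the route is left to the next routemap) is an assumption, since the page does not state it.

```python
import re
from typing import Optional

# What "_" stands for in an AS-path pattern: start or end of the path, a space,
# a comma, an AS-set brace, or a confederation parenthesis.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def compile_as_path_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate a routemap AS-path pattern into a Python regular expression."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the AS path (ASNs separated by spaces) matches the pattern anywhere."""
    return compile_as_path_pattern(pattern).search(as_path) is not None


def routemap_decision(pattern: str, action: str, as_path: str) -> Optional[str]:
    """Return the routemap's action ("Allow"/"Block") when the path matches, else None.

    Assumption: a non-matching route is left to the next routemap; the page does not
    state what happens when nothing matches.
    """
    if action not in ("Allow", "Block"):
        raise ValueError(f"unknown action {action!r}")
    return action if as_path_matches(pattern, as_path) else None


if __name__ == "__main__":
    # Constructed sample paths, including an AS set and a confederation segment.
    samples = ["65001 65002 65003", "65001 {65004,65005}", "65001 (65009 65010) 65011"]
    for pat in ("_65002_", "_6500_", "^65001_", "_65004_", "_65009_"):
        print(pat, [as_path_matches(pat, p) for p in samples])
```

Why the underscore matters: "_6500_" does not match a path containing 65001, because the characters on either side of the AS number must be a delimiter, so a pattern cannot accidentally match a longer ASN that merely starts with the same digits.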

Set next hop

Set the next hop value for the filtered routes to this IP address.

Set weight

Set the weight for the filtered routes to this value.

Set metric

Set the metric for the filtered routes to this value.

Set preference

Set the preference for the filtered routes to this value.

Set AS prepend

Set the AS-prepend value, which is a list of autonomous systems added for this route.

Community

Set the BGP community value for the filtered routes.

Filters allow you to filter routes when redistributing. To create a filter, provide the following settings:

Name

Description

Name

The filter name.

Action

Sets the action for this filter. Can take the following values:

  • Allow: allows data that matches the filter conditions.

  • Block: blocks data that matches the filter conditions.

Filter by

Filter conditions. Can take the following values:

  • IP. If this condition is selected, go to the IP addresses tab and add all required IP addresses for the condition. The addresses can be specified in the following formats:

    • 10.0.0.0/8 for the 10.0.0.0/8 subnet only

    • 10.0.0.0/8::11 for routes where the first octet is 10 and the prefix is from 8 to 11

    • 10.0.0.0/8:11:13 for routes where the first octet is 10 and the prefix is from 11 to 13.

  • AS path. If this condition is selected, go to the AS path tab and add all required AS numbers for the condition.
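The three address formats listed for IP filters above are a prefix-length range notation. The following added example (not the NGFW product's code) parses all three forms into a base network plus a minimum and maximum prefix length, tests candidate routes against them, and evaluates an ordered list of filter entries. Treating the first matching entry as decisive and returning None when nothing matches is an assumption; the page does not state the default.

```python
import ipaddress
from typing import List, Optional, Tuple


def parse_prefix_spec(spec: str) -> Tuple[ipaddress.IPv4Network, int, int]:
    """Parse the three filter formats shown on the page into (base, min_len, max_len).

    "10.0.0.0/8"       -> only that exact prefix
    "10.0.0.0/8::11"   -> prefixes inside 10.0.0.0/8 with length 8..11
    "10.0.0.0/8:11:13" -> prefixes inside 10.0.0.0/8 with length 11..13
    """
    parts = spec.split(":")
    base = ipaddress.ip_network(parts[0], strict=True)
    if len(parts) == 1:
        return base, base.prefixlen, base.prefixlen
    if len(parts) != 3:
        raise ValueError(f"bad filter spec {spec!r}")
    min_len = int(parts[1]) if parts[1] else base.prefixlen   # empty lower bound = base length
    max_len = int(parts[2])
    if not base.prefixlen <= min_len <= max_len <= base.max_prefixlen:
        raise ValueError(f"bad length range in {spec!r}")
    return base, min_len, max_len


def spec_matches(spec: str, prefix: str) -> bool:
    """True if `prefix` lies inside the spec's base network and its length is in range."""
    base, min_len, max_len = parse_prefix_spec(spec)
    net = ipaddress.ip_network(prefix, strict=False)
    return net.subnet_of(base) and min_len <= net.prefixlen <= max_len


def filter_decision(entries: List[Tuple[str, str]], prefix: str) -> Optional[str]:
    """entries: [(action, spec), ...] in order. The first matching entry decides.

    Assumption: a prefix matching no entry returns None; the page does not state the default.
    """
    for action, spec in entries:
        if action not in ("Allow", "Block"):
            raise ValueError(f"unknown action {action!r}")
        if spec_matches(spec, prefix):
            return action
    return None


if __name__ == "__main__":
    # Constructed sample: block the /11../13 slice of 10/8, allow anything else up to /16.
    entries = [("Block", "10.0.0.0/8:11:13"), ("Allow", "10.0.0.0/8::16")]
    for p in ("10.0.0.0/8", "10.32.0.0/11", "10.8.0.0/13", "10.1.0.0/16", "10.1.2.0/24", "192.0.2.0/24"):
        print(p, "->", filter_decision(entries, p))
```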

RIP

Routes are only added to the virtual router in which the RIP protocol is configured.

RIP (Routing Information Protocol) is a distance-vector routing protocol that uses intermediate sections (hops) as a routing metric. For more details on how the RIP protocol works, see the relevant technical documentation.

To configure RIP in NGFW, follow these steps:

Name

Description

Step 1. Select a virtual router.

If there are several virtual routers, select the desired one.

Step 2. Enable the RIP router.

In the NGFW console, go to the Network ➜ Virtual routers section, select RIP in the menu, and configure the RIP router.

Step 3. Specify the RIP networks.

In the NGFW console, go to the Network ➜ Virtual routers section, select RIP in the menu, and specify the RIP networks for which the RIP protocol will be used.

Step 4. Configure the RIP interfaces.

In the NGFW console, go to the Network ➜ Virtual routers section, select RIP in the menu, and configure the RIP interfaces.

To configure an RIP router, provide the following settings:

Name

Description

Enabled

Enables or disables this RIP router.

RIP version

Specifies the RIP protocol version. Normally, v2 is used.

Default metric

The route cost. The metric is normally equal to 1 and cannot exceed 15.

Administrative distance

The cost of routes received using the RIP protocol. Default value for RIP protocol: 120. This is used for route selection when routes can be received using multiple methods (OSPF, BGP, static).

Default originate

Notify other routers that this router has a default route.

A RIP router will send routing updates only from the interfaces for which RIP networks are specified. At least one network must be specified for the protocol to work correctly. The administrator can specify the RIP network using the CIDR notation, such as 192.168.1.0/24, or select the network interface from which updates will be sent.

To configure RIP interfaces, provide these settings:

Name

Description

Interface

Select the interface that will be used for RIP routing. Only the interfaces belonging to this virtual router are available for selection.

Send version

Specify the RIP protocol version that the router will send.

Receive version

Specify the RIP protocol version that the router will receive.

Password

The authorization string that will be sent and received in RIP packets. All routers participating in RIP information exchange must have an identical password.

Split horizon

A method of preventing routing loops where the router does not send network information via the interface on which the update was received.

Poison reverse

A method of preventing routing loops where the router sets a route cost of 16 and sends it to the neighbor from which it was received.

Passive mode

Sets an operating mode where the interface receives RIP updates but does not send them.
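Split horizon, poison reverse and passive mode all change which routes a RIP router announces out of a given interface. The following added example (not the NGFW product's code) is a minimal distance-vector model that builds the per-interface update under each setting and processes a neighbor's update with the page's unreachable metric of 16; the interface names and prefixes are constructed sample values.

```python
from typing import Dict, Tuple

INFINITY = 16  # RIP "unreachable" metric, the value poison reverse advertises


class RipRouter:
    """Minimal RIP-style router: routes learned per interface, updates built per interface."""

    def __init__(self) -> None:
        # prefix -> (learned_on_interface, metric); "local:<iface>" marks a connected network
        self.routes: Dict[str, Tuple[str, int]] = {}

    def add_connected(self, prefix: str, iface: str) -> None:
        self.routes[prefix] = ("local:" + iface, 1)

    def build_update(self, iface: str, split_horizon: bool = True,
                     poison_reverse: bool = False, passive: bool = False) -> Dict[str, int]:
        """Routes (prefix -> metric) the router would announce out of `iface`."""
        if passive:
            return {}          # passive interface receives updates but sends none
        update: Dict[str, int] = {}
        for prefix, (learned_on, metric) in self.routes.items():
            if learned_on == iface:
                if poison_reverse:
                    update[prefix] = INFINITY   # announce it back as unreachable
                elif split_horizon:
                    continue                    # never announce it back where it came from
            if prefix not in update:
                update[prefix] = metric
        return update

    def receive_update(self, iface: str, update: Dict[str, int]) -> None:
        """Install routes from the neighbor on `iface`; cost grows by one hop, 16 means unreachable."""
        for prefix, metric in update.items():
            new_metric = min(metric + 1, INFINITY)
            current = self.routes.get(prefix)
            if new_metric >= INFINITY:
                if current and current[0] == iface:
                    del self.routes[prefix]     # withdrawn by the neighbor we learned it from
                continue
            if current is None or new_metric < current[1] or current[0] == iface:
                self.routes[prefix] = (iface, new_metric)


def build_demo() -> RipRouter:
    """Constructed sample: one connected network on eth0, two routes learned from a neighbor on eth1."""
    r = RipRouter()
    r.add_connected("10.1.0.0/24", "eth0")
    r.receive_update("eth1", {"10.2.0.0/24": 1, "10.3.0.0/24": 2})
    return r


if __name__ == "__main__":
    r = build_demo()
    print("eth1, split horizon:  ", r.build_update("eth1"))
    print("eth1, poison reverse: ", r.build_update("eth1", poison_reverse=True))
    print("eth1, neither:        ", r.build_update("eth1", split_horizon=False))
    print("eth0, passive:        ", r.build_update("eth0", passive=True))
```

With split horizon the routes learned on eth1 simply disappear from the eth1 update; with poison reverse they are still sent, but at metric 16, so the neighbor that originated them can never be tricked into routing them back through this router after they fail.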

In the route redistribution settings, you can specify which routes need to be sent to the neighbors. Redistribution can be enabled for routes received using the OSPF and BGP dynamic routing protocols, routes directly connected to the NGFW network (connected), and routes added by the administrator in the Routes section (kernel).

Multicasting

The IP multicast technology enables a significant reduction in the amount of network traffic by delivering a single information stream to thousands and even larger numbers of consumers, which is especially efficient for voice and video traffic delivery. The traditional traffic delivery methods are unicast (point-to-point) and broadcast. Multicast allows delivery of traffic to a group of hosts, called a multicast group. The recipient hosts that want to receive this traffic must join (become members of) the corresponding multicast group. To add hosts to a multicast group, the Internet Group Management Protocol (IGMP) is used. A multicast group is identified by its multicast address. For multicast addresses, a Class D subnet is reserved with the most significant 4 bits set to 1110. Thus, the address range for multicasting is defined as 224.0.0.0 --- 239.255.255.255.

Routers need to provide efficient traffic delivery from the multicast source to the recipients. For that purpose, the Protocol Independent Multicast (PIM) is used in routers.

Routers in a multicast environment can have one of the three roles: First Hop Router (FHR), Rendezvous Point (RP), and Last Hop Router (LHR). The FHR is located closest to the multicast source and is responsible for registering the source in the network. The RP is a catalog of available multicast sources for the Any Source Multicast (ASM) mode. The LHR is located closest to the multicast recipient. Clients (multicast recipients) in local networks connected to the LHR use the IGMP protocol to register in the multicast group of interest by sending an IGMP membership report message.

NGFW can be used as an LHR for the local networks connected to it. For client (recipient) registration, NGFW supports the IGMPv3 and IGMPv2 protocols.

For communicating with other multicast routers, NGFW can only use the PIM Sparse Mode (PIM-SM). This is a mode where multicast traffic is sent only to those recipients that have explicitly requested it. The recipients must periodically confirm their desire to receive multicast traffic.

NGFW supports the Source Specific Multicast (SSM) mode and Any Source Multicast (ASM) modes.

Source Specific Multicast (SSM) is used when the recipient of the traffic explicitly specifies a multicast source known to it. In this mode, addresses are written as follows:

rtp://<src_ip>@<group_address>:<port>, where src_ip is the multicast source address, group_address is the multicast group address, and port is the port. Example: rtp://10.10.10.10@239.0.0.5:4344

In Any Source Multicast (ASM) mode, the multicast recipient specifies the multicast group from which it wants to receive multicast traffic. For this mode to work, a Rendezvous Point (RP) router is required. The RP determines the multicast source for this multicast group and this recipient, and then the source and recipient choose the best network path for sending this multicast traffic. In this mode, addresses are written as follows:

rtp://@<group_address>:<port>, where group_address is the multicast group address and port is the port. Example: rtp://@239.0.0.5:4344

To configure NGFW as an LHR multicast router, follow these steps:

Name

Description

Step 1. Configure a multicast router.

In the NGFW console, go to the Network ➜ Virtual routers section, select Multicast router in the menu, and configure it.

Step 2. Specify the interfaces on which this router will work.

Select the interface that will be used for multicasting. Only the interfaces belonging to this virtual router are available for selection.

Step 3. (Optional) Define the Rendezvous points for ASM.

In the NGFW console, go to the Network ➜ Virtual routers section, select Rendezvous points in the menu, and specify the addresses of the rendezvous points.

Step 4. (Optional) Set the desired restrictions on the available multicast groups for ASM.

In the NGFW console, go to the Network ➜ Virtual routers section, select Rendezvous points in the menu, go to the ASM allowed groups tab, and specify the addresses of the allowed multicast groups. If you leave the list empty, all multicast group addresses will be allowed.

Step 5. (Optional) Set the desired restrictions on the available multicast groups for SSM.

In the NGFW console, go to the Network ➜ Virtual routers section, select SSM allowed groups in the menu, and specify the addresses of the allowed multicast groups. If you leave the list empty, all multicast group addresses will be allowed.

When configuring a multicast router, you can provide these settings:

Name

Description

Enabled

Enables or disables the multicast router in this virtual router.

Use ECMP

Enables multi-path traffic distribution using the Equal Cost Multi Path (ECMP) technology. Requires that several routes exist to the network node of interest. If this option is disabled, all traffic to a specific destination host will be sent through only one of the routers (next hop).

Use ECMP rebalance

If this option is enabled and one of the interfaces used for sending traffic has gone offline, all existing streams will be redistributed between the remaining routes (next hop). If disabled, only those streams will be redistributed which were sent via the now-offline interface.

JOIN/PRUNE time (sec)

The time interval in seconds (60-600) used to send messages to the PIM neighbors about multicast groups from which the router wants or no longer wants to receive traffic.

Multicast register suppress time (sec)

The time interval in seconds (5-60,000) after which the router sends a register suppress message.

Keep-alive time (sec)

The time interval in seconds (31-60,000) which the router will use to send keepalive messages to neighbors as well as the time to wait before considering the neighbor unavailable.

When configuring interfaces, you can provide these settings:

Name

Description

Enabled

Enables or disables multicasting on this interface.

Interface

Select the interface that will be used for multicasting. Only the interfaces belonging to this virtual router are available for selection.

Multicast HELLO sending timeout (sec)

The time interval in seconds (1-180) used to send PIM HELLO messages. These messages are sent periodically from all interfaces on which multicasting is enabled. These messages let the router know about neighbor routers that support multicasting.

DR selection priority

The router's priority (1-4294967295) in the selection of a Designated router (DR). The administrator can use this to manage DR selection for the local network.

Enable IGMP

Receive IGMP report and IGMP query messages on this interface.

Use IGMPv2

Use version 2 of IGMP. By default, version 3 (IGMP v3) is used.

When configuring Rendezvous points, you can specify the following parameters:

Name

Description

Enabled

Enables or disables this RP.

Name

The RP name.

IP address

The unicast IP address of this RP.

Allowed ASM groups

The list of allowed multicast group addresses for any-source multicast from this RP. Any networks in the range 224.0.0.0/4. If empty, there are no restrictions.

Allowed SSM groups

The list of allowed multicast group addresses for source-specific multicast. Any networks from the range 232.0.0.0/8 can be specified. If empty, there are no restrictions.

SPT exclusions

The list of IPv4 multicast groups excluded from switching to the shortest path tree.
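The following added example (not the NGFW product's code) ties together the SSM and ASM address formats from the Multicasting introduction and the allowed-group settings just above: it parses an rtp://[src@]group:port address, derives the mode from whether a source is present, validates allowed-group entries against the ranges the page gives (224.0.0.0/4 for ASM, 232.0.0.0/8 for SSM), and applies the "empty list means no restriction" rule. The allowed-group lists in the usage are constructed sample values.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Ranges named on the page: all IPv4 multicast is 224.0.0.0/4; SSM allowed-group
# entries come from 232.0.0.0/8.
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")

# rtp://<src_ip>@<group_address>:<port>  (SSM)   rtp://@<group_address>:<port>  (ASM)
_URL = re.compile(r"^rtp://([^@/]*)@([^:/@]+):(\d{1,5})$")


def parse_multicast_url(url: str) -> Tuple[str, Optional[str], str, int]:
    """Return (mode, source, group, port); mode is "SSM" when a source is given, else "ASM"."""
    m = _URL.match(url)
    if not m:
        raise ValueError(f"not an rtp://[src@]group:port address: {url!r}")
    src_txt, group_txt, port_txt = m.groups()
    group = ipaddress.ip_address(group_txt)
    if group.version != 4 or group not in MULTICAST_RANGE:
        raise ValueError(f"{group_txt} is not an IPv4 multicast group")
    port = int(port_txt)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    if src_txt:
        src = ipaddress.ip_address(src_txt)
        if src.version != 4 or src.is_multicast:
            raise ValueError(f"{src_txt} is not a unicast IPv4 source")
        return ("SSM", str(src), str(group), port)
    return ("ASM", None, str(group), port)


def check_allowed_entry(mode: str, entry: str) -> ipaddress.IPv4Network:
    """Validate one allowed-group entry: ASM within 224.0.0.0/4, SSM within 232.0.0.0/8."""
    net = ipaddress.ip_network(entry, strict=False)
    limit = SSM_RANGE if mode == "SSM" else MULTICAST_RANGE
    if net.version != 4 or not net.subnet_of(limit):
        raise ValueError(f"{entry} is outside {limit} for {mode}")
    return net


def group_allowed(url: str, allowed_asm: List[str], allowed_ssm: List[str]) -> bool:
    """Empty allowed list = no restriction, as the page states for both ASM and SSM."""
    mode, _src, group, _port = parse_multicast_url(url)
    entries = allowed_ssm if mode == "SSM" else allowed_asm
    if not entries:
        return True
    g = ipaddress.ip_address(group)
    return any(g in check_allowed_entry(mode, e) for e in entries)


if __name__ == "__main__":
    # Constructed sample policy: one ASM /24 allowed, one SSM /16 allowed.
    asm_allowed, ssm_allowed = ["239.0.0.0/24"], ["232.1.0.0/16"]
    for url in ("rtp://@239.0.0.5:4344", "rtp://@239.1.0.5:4344",
                "rtp://10.10.10.10@232.1.1.1:5000", "rtp://10.10.10.10@239.0.0.5:4344"):
        print(url, "->", parse_multicast_url(url)[0], group_allowed(url, asm_allowed, ssm_allowed))
```

The last sample address is the page's own SSM example; with an SSM allowed list restricted to 232.1.0.0/16 it is rejected, because the allowed SSM entries can only name groups from 232.0.0.0/8, so a source-specific stream on a 239.x.x.x group passes only while that list is empty.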