Configure IP Multicast
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure IP Multicast
Configure a virtual router on the firewall to receive
and forward IP multicast traffic by configuring the interfaces:
PIM on ingress and egress interfaces, and IGMP on receiver-facing
interfaces.
Configure interfaces on a virtual router of
a Palo Alto Networks® firewall to receive and forward IP Multicast packets. You must enable IP multicast for
the virtual router, configure Protocol Independent Multicast (PIM)
on the ingress and egress interfaces, and configure Internet Group Management
Protocol (IGMP) on receiver-facing interfaces.
- Enable IP multicast for a virtual router.
- Select NetworkVirtual Routers and select a virtual router.
- Select Multicast and Enable IP multicast.
- (ASM only) If the multicast domain in which
the virtual router is located uses Any-Source Multicast (ASM), identify
and configure the local and remote rendezvous points (RPs) for multicast
groups.
- Select Rendezvous Point.
- Select a Local RP Type, which
determines how the RP is chosen (the options are Static, Candidate,
or None):
- Static—Establishes a static mapping of an RP to multicast groups. Configuring a static RP requires you to explicitly configure the same RP on other PIM routers in the PIM domain.
- Select the RP Interface. Valid interface types are Layer3, virtual wire, loopback, VLAN, Aggregate Ethernet (AE), and tunnel.
- Select the RP Address. The IP addresses of the RP interface you selected populate the list.
- Select Override learned RP for the same group so that this static RP serves as RP instead of the RP elected for the groups in the Group List.
- Add one or more multicast Groups for which the RP acts as the RP.
- Candidate—Establishes a dynamic mapping of an RP to multicast groups based on priority so that each router in a PIM domain automatically elects the same RP.
- Select the RP Interface of the candidate RP. Valid interface types are Layer 3, loopback, VLAN, Aggregate Ethernet (AE), and tunnel.
- Select the RP Address of the candidate RP. The IP addresses for the RP interface you selected populate the list.
- (Optional) Change the Priority for the candidate RP. The firewall compares the priority of the candidate RP to the priority of other candidate RPs to determine which one acts as RP for the specified groups; the firewall selects the candidate RP with the lowest priority value (range is 0 to 255; default is 192).
- (Optional) Change the Advertisement Interval (sec) (range is 1 to 26,214; default is 60).
- Enter a Group List of multicast groups that communicate with the RP.
- None—Select if this virtual router is not an RP.
- Add a Remote Rendezvous Point and enter the IP Address of that remote (external) RP.
- Add the multicast Group Addresses for which the specified remote RP address acts as RP.
- Select Override learned RP for the same group so that the external RP you configured statically serves as RP instead of an RP that is dynamically learned (elected) for the groups in the Group Addresses list.
- Click OK.
- Specify a group of interfaces that share a multicast
configuration (IGMP, PIM, and group permissions).
- On the Interfaces tab, Add a Name for the interface group.
- Enter a Description.
- Add an Interface and select one or more Layer 3 interfaces that belong to the interface group.
- (Optional) Configure multicast group permissions
for the interface group. By default, the interface group accepts
IGMP membership reports and PIM join messages from all groups.
- Select Group Permissions.
- To configure Any-Source Multicast (ASM) groups for this interface group, in the Any Source window, Add a Name to identify a multicast group that accepts IGMP membership reports and PIM join messages from any source.
- Enter the multicast Group address or group address and /prefix that can receive multicast packets from any source on these interfaces.
- Select Included to include the ASM Group address in the interface group (default). De-select Included to easily exclude an ASM group from the interface group, such as during testing.
- Add additional multicast Groups (for the interface group) that want to receive multicast packets from any source.
- To configure Source-Specific Multicast (SSM) groups in this interface group, in the Source Specific window, Add a Name to identify a multicast group and source address pair. Don’t use a name that you used for Any Source multicast. (You must use IGMPv3 to configure SSM.)
- Enter the multicast Group address
or group address and /prefix of the group that wants to receive
multicast packets from the specified source only (and can receive
the packets on these interfaces).A Source Specific group for which you specify permissions is a group that the virtual router must treat as source-specific. Configure Source Specific Address Space (Step 9) that includes the source-specific groups for which you configured permission.
- Enter the Source IP address from which this multicast group can receive multicast packets.
- Select Included to include the SSM Group and source address pair in the interface group (default). De-select Included to easily exclude the pair from the interface group, such as during testing.
- Add additional multicast Groups (for the interface group) that receive multicast packets from a specific source only.
- Configure IGMP for the interface group if an interface
faces multicast receivers, which must use IGMP to join a group.
- On the IGMP tab, Enable IGMP (default).
- Specify IGMP parameters
for interfaces in the interface group:
- IGMP Version—1, 2, or 3 (default).
- Enforce Router-Alert IP Option (disabled by default)—Select this option if you require incoming IGMP packets that use IGMPv2 or IGMPv3 to have the IP Router Alert Option, RFC 2113.
- Robustness—A variable that the firewall uses to tune the Group Membership Interval, Other Querier Present Interval, Startup Query Count, and Last Member Query Count (range is 1 to 7; default is 2). Increase the value if the subnet on which this firewall is located is prone to losing packets.
- Max Sources—Maximum number of sources that IGMP can process simultaneously for an interface (range is 1 to 65,535; default is unlimited).
- Max Groups—Maximum number of groups that IGMP can process simultaneously for an interface (range is 1 to 65,535; default is unlimited).
- Query Interval—Number of seconds between IGMP membership Query messages that the virtual router sends to a receiver to determine whether the receiver still wants to receive the multicast packets for a group (range is 1 to 31,744; default is 125).
- Max Query Response Time (sec)—Maximum number of seconds allowed for a receiver to respond to an IGMP membership Query message before the virtual router determines that the receiver no longer wants to receive multicast packets for the group (range is 0 to 3,174.4; default is 10).
- Last Member Query Interval (sec)—Number of seconds allowed for a receiver to respond to a Group-Specific Query that the virtual router sends after a receiver sends a Leave Group message (range is 0.1 to 3,174.4; default is 1).
- Immediate Leave (disabled by default)—When there is only one member in a multicast group and the virtual router receives an IGMP Leave message for that group, the Immediate Leave setting causes the virtual router to remove that group and outgoing interface from the multicast routing information base (mRIB) and multicast forwarding information base (mFIB) immediately, rather than waiting for the Last Member Query Interval to expire. The Immediate Leave setting saves network resources. You cannot select Immediate Leave if the interface group uses IGMPv1.
- Configure PIM Sparse Mode (PIM-SM) for the interface group.
- On the PIM tab, Enable PIM (enabled by default).
- Specify PIM parameters for the interface group:
- Assert Interval—Number of seconds between PIM Assert messages that the virtual router sends to other PIM routers on the multiaccess network when they are electing a PIM forwarder (range is 0 to 65,534; default is 177).
- Hello Interval—Number of seconds between PIM Hello messages that the virtual router sends to its PIM neighbors from each interface in the interface group (range is 0 to 18,000; default is 30).
- Join Prune Interval—Number of seconds between PIM Join messages (and between PIM Prune messages) that the virtual router sends upstream toward a multicast source (range is 1 to 18,000; default is 60).
- DR Priority—Designated Router (DR) priority that controls which router in a multiaccess network forwards PIM Join and Prune messages to the RP (range is 0 to 4,294,967,295; default is 1). The DR priority takes precedence over IP address comparisons to elect the DR.
- BSR Border—Select this option if the interfaces in the interface group are on a virtual router that is the BSR located at the border of an enterprise LAN. This will prevent RP candidacy BSR messages from leaving the LAN.
- Add one or more Permitted PIM Neighbors by specifying the IP Address of each router from which the virtual router accepts multicast packets.
- Click OK to save the interface group settings.
- (Optional) Change the Shortest-Path Tree (SPT) threshold,
as described in Shortest-Path
Tree (SPT) and Shared Tree.
- Select SPT Threshold and Add a Multicast Group/Prefix, the multicast group or prefix for which you are specifying the distribution tree.
- Specify the Threshold (kb)—The
point at which routing to the specified multicast group or prefix
switches from shared tree (sourced from the RP) to SPT distribution:
- 0 (switch on first data packet) (default)—The virtual router switches from shared tree to SPT for the group or prefix when the virtual router receives the first data packet for the group or prefix.
- never (do not switch to spt)—The virtual router continues to use the shared tree to forward packets to the group or prefix.
- Enter the total number of kilobits from multicast packets that can arrive for the multicast group or prefix at any interface and over any time period, upon which the virtual router changes to SPT distribution for that multicast group or prefix.
- Identify the multicast groups or
groups and prefixes that accept multicast packets only from a specific
source.
- Select Source Specific Address Space and Add the Name for the space.
- Enter the multicast Group address with prefix length to identify the address space that receives multicast packets from a specific source. If the virtual router receives a multicast packet for an SSM group but the group is not covered by a Source Specific Address Space, the virtual router drops the packet.
- Select Included to include the source-specific address space as a multicast group address range from which the virtual router will accept multicast packets that originated from an allowed specific source. De-select Included to easily exclude a group address space for testing.
- Add other source-specific address spaces to include all those groups for which you specified SSM group permission.
- (Optional) Change the length of time that a
multicast route remains in the mRIB after the session ends between
a multicast group and a source.
- Select the Advanced tab.
- Specify the Multicast Route Age Out Time (sec) (range is 210 to 7,200; default is 210).
- Click OK to save the multicast configuration.
- Create a Security policy rule to allow multicast traffic
to the destination zone.
- Create a Security Policy Rule and on the Destination tab, select multicast or any for the Destination Zone. The multicast zone is a predefined Layer 3 zone that matches all multicast traffic. The Destination Address can be a multicast group address.
- Configure the rest of the Security policy rule.
- (Optional) Enable buffering of multicast packets
before a route is set up.
- Select DeviceSetupSession and edit Session Settings.
- Enable Multicast Route Setup Buffering (disabled by default). The firewall can preserve the first packet(s) from a multicast flow if an entry for the corresponding multicast group does not yet exist in the multicast forwarding table (mFIB). The Buffer Size controls how many packets the firewall buffers from a flow. After the route is installed in the mFIB, the firewall automatically forwards the buffered first packet(s) to the receiver. (You need to enable multicast route setup buffering only if your content servers are directly connected to the firewall and your multicast application cannot withstand the first packet of the flow being dropped.)
- (Optional) Change the Buffer Size. Buffer size is the number of packets per multicast flow that the firewall can buffer until the mFIB entry is set up (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets total (for all flows).
- Click OK.
- Commit your changes.
- View IP Multicast Information to view mRIB and mFIB entries, IGMP interface settings, IGMP group memberships, PIM ASM and SSM modes, group mappings to RPs, DR addresses, PIM settings, PIM neighbors, and more.
- If you Configure a Static Route for multicast traffic, you can install the route only in the multicast routing table (not the unicast routing table) so that the route is used for multicast traffic only.
- If you enable IP multicast, it is not necessary to Configure BGP with MP-BGP for IPv4 Multicast unless you have a logical multicast topology separate from a logical unicast topology. You configure MP-BGP extensions with the IPv4 address family and multicast subsequent address family only when you want to advertise multicast source prefixes into BGP under multicast subsequent address family.