Configure IP Multicast
Configure a virtual router on the firewall to receive and forward IP multicast traffic by configuring the interfaces: PIM on ingress and egress interfaces, and IGMP on receiver-facing interfaces.
Configure interfaces on a virtual router of a Palo Alto Networks® firewall to receive and forward IP multicast packets. You must enable IP multicast for the virtual router, configure Protocol Independent Multicast (PIM) on the ingress and egress interfaces, and configure Internet Group Management Protocol (IGMP) on receiver-facing interfaces.
- Enable IP multicast for a virtual router.
- Select Network > Virtual Routers and select a virtual router.
- Select Multicast and Enable IP multicast.
- (ASM only) If the multicast domain in which the virtual router is located uses Any-Source Multicast (ASM), identify and configure the local and remote rendezvous points (RPs) for multicast groups.
- Select Rendezvous Point.
- Select a Local RP Type, which determines how the RP is chosen (the options are Static, Candidate, or None):
- Static—Establishes a static mapping of an RP to multicast groups. Configuring a static RP requires you to explicitly configure the same RP on other PIM routers in the PIM domain.
- Select the RP Interface. Valid interface types are Layer 3, virtual wire, loopback, VLAN, Aggregate Ethernet (AE), and tunnel.
- Select the RP Address. The IP addresses of the RP interface you selected populate the drop-down.
- Select Override learned RP for the same group so that this static RP serves as RP instead of the RP elected for the groups in the Group List.
- Add one or more multicast Groups for which the RP acts as the RP.
- Candidate—Establishes a dynamic mapping of an RP to multicast groups based on priority so that each router in a PIM domain automatically elects the same RP.
- Select the RP Interface of the candidate RP. Valid interface types are Layer 3, loopback, VLAN, Aggregate Ethernet (AE), and tunnel.
- Select the RP Address of the candidate RP. The IP addresses for the RP interface you selected populate the drop-down.
- (Optional) Change the Priority for the candidate RP. The firewall compares the priority of the candidate RP to the priority of other candidate RPs to determine which one acts as RP for the specified groups; the firewall selects the candidate RP with the lowest priority value (range is 0 to 255; default is 192).
- (Optional) Change the Advertisement Interval (sec) (range is 1 to 26,214; default is 60).
- Enter a Group List of multicast groups that communicate with the RP.
- None—Select if this virtual router is not an RP.
- Add a Remote Rendezvous Point and enter the IP Address of that remote (external) RP.
- Add the multicast Group Addresses for which the specified remote RP address acts as RP.
- Select Override learned RP for the same group so that the external RP you configured statically serves as RP instead of an RP that is dynamically learned (elected) for the groups in the Group Addresses list.
- Specify a group of interfaces that share a multicast configuration (IGMP, PIM, and group permissions).
- On the Interfaces tab, Add a Name for the interface group.
- Enter a Description.
- Add an Interface and select one or more Layer 3 interfaces that belong to the interface group.
- (Optional) Configure multicast group permissions for the interface group. By default, the interface group accepts IGMP membership reports and PIM join messages from all groups.
- Select Group Permissions.
- To configure Any-Source Multicast (ASM) groups for this interface group, in the Any Source window, Add a Name to identify a multicast group that accepts IGMP membership reports and PIM join messages from any source.
- Enter the multicast Group address or group address and /prefix that can receive multicast packets from any source on these interfaces.
- Select Included to include the ASM Group address in the interface group (default). De-select Included to easily exclude an ASM group from the interface group, such as during testing.
- Add additional multicast Groups (for the interface group) that want to receive multicast packets from any source.
- To configure Source-Specific Multicast (SSM) groups in this interface group, in the Source Specific window, Add a Name to identify a multicast group and source address pair. Don’t use a name that you used for Any Source multicast. (You must use IGMPv3 to configure SSM.)
- Enter the multicast Group address or group address and /prefix of the group that wants to receive multicast packets from the specified source only (and can receive the packets on these interfaces). A Source Specific group for which you specify permissions is a group that the virtual router must treat as source-specific. Configure Source Specific Address Space (Step 9) that includes the source-specific groups for which you configured permission.
- Enter the Source IP address from which this multicast group can receive multicast packets.
- Select Included to include the SSM Group and source address pair in the interface group (default). De-select Included to easily exclude the pair from the interface group, such as during testing.
- Add additional multicast Groups (for the interface group) that receive multicast packets from a specific source only.
- Configure IGMP for the interface group if an interface faces multicast receivers, which must use IGMP to join a group.
- On the IGMP tab, Enable IGMP (default).
- Specify IGMP parameters for interfaces in the interface group:
- IGMP Version—1, 2, or 3 (default).
- Robustness—A variable that the firewall uses to tune the Group Membership Interval, Other Querier Present Interval, Startup Query Count, and Last Member Query Count (range is 1 to 7; default is 2). Increase the value if the subnet on which this firewall is located is prone to losing packets.
- Max Sources—Maximum number of sources that IGMP can process simultaneously for an interface (range is 1 to 65,535; default is unlimited).
- Max Groups—Maximum number of groups that IGMP can process simultaneously for an interface (range is 1 to 65,535; default is unlimited).
- Query Interval—Number of seconds between IGMP membership Query messages that the virtual router sends to a receiver to determine whether the receiver still wants to receive the multicast packets for a group (range is 1 to 31,744; default is 125).
- Max Query Response Time (sec)—Maximum number of seconds allowed for a receiver to respond to an IGMP membership Query message before the virtual router determines that the receiver no longer wants to receive multicast packets for the group (range is 0 to 3,174.4; default is 10).
- Last Member Query Interval (sec)—Number of seconds allowed for a receiver to respond to a Group-Specific Query that the virtual router sends after a receiver sends a Leave Group message (range is 0.1 to 3,174.4; default is 1).
- Immediate Leave (disabled by default)—When there is only one member in a multicast group and the virtual router receives an IGMP Leave message for that group, the Immediate Leave setting causes the virtual router to remove that group and outgoing interface from the multicast routing information base (mRIB) and multicast forwarding information base (mFIB) immediately, rather than waiting for the Last Member Query Interval to expire. The Immediate Leave setting saves network resources. You cannot select Immediate Leave if the interface group uses IGMPv1.
- Configure PIM Sparse Mode (PIM-SM) for the interface group.
- On the PIM tab, Enable PIM (enabled by default).
- Specify PIM parameters for the interface group:
- Assert Interval—Number of seconds between PIM Assert messages that the virtual router sends to other PIM routers on the multiaccess network when they are electing a PIM forwarder (range is 0 to 65,534; default is 177).
- Hello Interval—Number of seconds between PIM Hello messages that the virtual router sends to its PIM neighbors from each interface in the interface group (range is 0 to 18,000; default is 30).
- Join Prune Interval—Number of seconds between PIM Join messages (and between PIM Prune messages) that the virtual router sends upstream toward a multicast source (range is 0 to 18,000; default is 60).
- DR Priority—Designated Router (DR) priority that controls which router in a multiaccess network forwards PIM Join and Prune messages to the RP (range is 0 to 429,467,295; default is 1). The DR priority takes precedence over IP address comparisons to elect the DR.
- BSR Border—Select this option if the interfaces in the interface group are on a virtual router that is the BSR located at the border of an enterprise LAN. This will prevent RP candidacy BSR messages from leaving the LAN.
- Add one or more Permitted PIM Neighbors by specifying the IP Address of each router from which the virtual router accepts multicast packets.
- Click OK to save the interface group settings.
- (Optional) Change the Shortest-Path Tree (SPT) threshold, as described in Shortest-Path Tree (SPT) and Shared Tree.
- Select SPT Threshold and Add a Multicast Group/Prefix, the multicast group or prefix for which you are specifying the distribution tree.
- Specify the Threshold (kb)—The point at which routing to the specified multicast group or prefix switches from shared tree (sourced from the RP) to SPT distribution:
- 0 (switch on first data packet) (default)—The virtual router switches from shared tree to SPT for the group or prefix when the virtual router receives the first data packet for the group or prefix.
- never (do not switch to spt)—The virtual router continues to use the shared tree to forward packets to the group or prefix.
- Enter the total number of kilobits from multicast packets that can arrive for the multicast group or prefix at any interface and over any time period, upon which the virtual router changes to SPT distribution for that multicast group or prefix.
- Identify the multicast groups or groups and prefixes that accept multicast packets only from a specific source.
- Select Source Specific Address Space and Add the Name for the space.
- Enter the multicast Group address with prefix length to identify the address space that receives multicast packets from a specific source. If the virtual router receives a multicast packet for an SSM group but the group is not covered by a Source Specific Address Space, the virtual router drops the packet.
- Select Included to include the source-specific address space as a multicast group address range from which the virtual router will accept multicast packets that originated from an allowed specific source. De-select Included to easily exclude a group address space for testing.
- Add other source-specific address spaces to include all those groups for which you specified SSM group permission.
- (Optional) Change the length of time that a multicast route remains in the mRIB after the session ends between a multicast group and a source.
- Select the Advanced tab.
- Specify the Multicast Route Age Out Time (sec) (range is 210 to 7,200; default is 210).
- Click OK to save the multicast configuration.
- Create a Security policy rule to allow multicast traffic to the destination zone.
- Create a Security Policy Rule and on the Destination tab, select multicast or any for the Destination Zone. The multicast zone is a predefined Layer 3 zone that matches all multicast traffic. The Destination Address can be a multicast group address.
- Configure the rest of the Security policy rule.
- (Optional) Enable buffering of multicast packets before a route is set up.
- Select Device > Setup > Session and edit Session Settings.
- Enable Multicast Route Setup Buffering (disabled by default). The firewall can preserve the first packet(s) from a multicast flow if an entry for the corresponding multicast group does not yet exist in the multicast forwarding table (mFIB). The Buffer Size controls how many packets the firewall buffers from a flow. After the route is installed in the mFIB, the firewall automatically forwards the buffered first packet(s) to the receiver. (You need to enable multicast route setup buffering only if your content servers are directly connected to the firewall and your multicast application cannot withstand the first packet of the flow being dropped.)
- (Optional) Change the Buffer Size. Buffer size is the number of packets per multicast flow that the firewall can buffer until the mFIB entry is set up (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets total (for all flows).
- Commit your changes.
- View IP Multicast Information to view mRIB and mFIB entries, IGMP interface settings, IGMP group memberships, PIM ASM and SSM modes, group mappings to RPs, DR addresses, PIM settings, PIM neighbors, and more.
- If you Configure a Static Route for multicast traffic, you can install the route only in the multicast routing table (not the unicast routing table) so that the route is used for multicast traffic only.
- If you enable IP multicast, it is not necessary to Configure BGP with MP-BGP for IPv4 Multicast unless you have a logical multicast topology separate from a logical unicast topology. You configure MP-BGP extensions with the IPv4 address family and multicast subsequent address family only when you want to advertise multicast source prefixes into BGP under multicast subsequent address family.
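
The Source Specific Address Space step above states that packets for an SSM group not covered by a Source Specific Address Space are dropped, and that the address spaces must include every group given SSM group permission. The following added example (not Palo Alto Networks code) audits that relationship offline before a commit; the tuple layout, the function name, and the sample entries are constructed assumptions, not a PAN-OS export format.

```python
import ipaddress

# Constructed sample data (hypothetical layout, not a PAN-OS export format).
# SSM group permissions: (name, group/prefix, source, included)
SSM_PERMISSIONS = [
    ("video-a", "232.1.1.0/24", "10.10.1.5", True),
    ("video-b", "232.2.0.0/16", "10.10.2.9", True),
    ("lab-test", "232.9.9.9/32", "10.10.9.1", False),  # Included de-selected
    ("feeds", "239.5.5.0/24", "10.10.5.5", True),
]
# Source Specific Address Space entries: (name, group/prefix, included)
SSM_ADDRESS_SPACES = [
    ("ssm-core", "232.1.0.0/16", True),
    ("ssm-b", "232.2.0.0/17", True),       # narrower than the video-b permission
    ("ssm-feeds", "239.5.5.0/24", False),  # Included de-selected
]


def audit_ssm_coverage(permissions, spaces):
    """Return (name, prefix, reason) for each included SSM permission that is
    not fully inside an included source-specific address space."""
    active = [ipaddress.ip_network(p) for _, p, inc in spaces if inc]
    findings = []
    for name, prefix, source, included in permissions:
        if not included:
            continue  # excluded pairs are not expected to pass traffic
        group = ipaddress.ip_network(prefix)
        ipaddress.ip_address(source)  # raises ValueError on a malformed source
        if not group.is_multicast:
            findings.append((name, prefix, "not a multicast range"))
        elif any(group.subnet_of(net) for net in active):
            continue  # every group address in the permission is covered
        elif any(group.overlaps(net) for net in active):
            findings.append((name, prefix, "partially covered"))
        else:
            findings.append((name, prefix, "not covered"))
    return findings


if __name__ == "__main__":
    for name, prefix, reason in audit_ssm_coverage(SSM_PERMISSIONS, SSM_ADDRESS_SPACES):
        print(f"{name}: {prefix} is {reason} by an included address space")
```

An address space with Included de-selected is treated here as providing no coverage, which is why the constructed "feeds" permission is reported.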