Configure IP Multicast

Configure a virtual router on the firewall to receive and forward IP multicast traffic by configuring the interfaces: PIM on ingress and egress interfaces, and IGMP on receiver-facing interfaces.
Configure interfaces on a virtual router of a Palo Alto Networks® firewall to receive and forward IP multicast packets. You must enable IP multicast for the virtual router, configure Protocol Independent Multicast (PIM) on the ingress and egress interfaces, and configure Internet Group Management Protocol (IGMP) on receiver-facing interfaces.
  1. Enable IP multicast for a virtual router.
    1. Select Network > Virtual Routers and select a virtual router.
    2. Select Multicast and Enable IP multicast.
  2. (ASM only) If the multicast domain in which the virtual router is located uses Any-Source Multicast (ASM), identify and configure the local and remote rendezvous points (RPs) for multicast groups.
    1. Select Rendezvous Point.
    2. Select a Local RP Type, which determines how the RP is chosen (the options are Static, Candidate, or None):
      • Static—Establishes a static mapping of an RP to multicast groups. Configuring a static RP requires you to explicitly configure the same RP on other PIM routers in the PIM domain.
        • Select the RP Interface. Valid interface types are Layer 3, virtual wire, loopback, VLAN, Aggregate Ethernet (AE), and tunnel.
        • Select the RP Address. The IP addresses of the RP interface you selected populate the drop-down.
        • Select Override learned RP for the same group so that this static RP serves as RP instead of the RP elected for the groups in the Group List.
        • Add one or more multicast Groups for which the RP acts as the RP.
      • Candidate—Establishes a dynamic mapping of an RP to multicast groups based on priority so that each router in a PIM domain automatically elects the same RP.
        • Select the RP Interface of the candidate RP. Valid interface types are Layer 3, loopback, VLAN, Aggregate Ethernet (AE), and tunnel.
        • Select the RP Address of the candidate RP. The IP addresses for the RP interface you selected populate the drop-down.
        • (Optional) Change the Priority for the candidate RP. The firewall compares the priority of the candidate RP to the priority of other candidate RPs to determine which one acts as RP for the specified groups; the firewall selects the candidate RP with the lowest priority value (range is 0 to 255; default is 192).
        • (Optional) Change the Advertisement Interval (sec) (range is 1 to 26,214; default is 60).
        • Enter a Group List of multicast groups that communicate with the RP.
      • None—Select if this virtual router is not an RP.
    3. Add a Remote Rendezvous Point and enter the IP Address of that remote (external) RP.
    4. Add the multicast Group Addresses for which the specified remote RP address acts as RP.
    5. Select Override learned RP for the same group so that the external RP you configured statically serves as RP instead of an RP that is dynamically learned (elected) for the groups in the Group Addresses list.
    6. Click OK.
  3. Specify a group of interfaces that share a multicast configuration (IGMP, PIM, and group permissions).
    1. On the Interfaces tab, Add a Name for the interface group.
    2. Enter a Description.
    3. Add an Interface and select one or more Layer 3 interfaces that belong to the interface group.
  4. (Optional) Configure multicast group permissions for the interface group. By default, the interface group accepts IGMP membership reports and PIM join messages from all groups.
    1. Select Group Permissions.
    2. To configure Any-Source Multicast (ASM) groups for this interface group, in the Any Source window, Add a Name to identify a multicast group that accepts IGMP membership reports and PIM join messages from any source.
    3. Enter the multicast Group address or group address and /prefix that can receive multicast packets from any source on these interfaces.
    4. Select Included to include the ASM Group address in the interface group (default). De-select Included to easily exclude an ASM group from the interface group, such as during testing.
    5. Add additional multicast Groups (for the interface group) that want to receive multicast packets from any source.
    6. To configure Source-Specific Multicast (SSM) groups in this interface group, in the Source Specific window, Add a Name to identify a multicast group and source address pair. Don’t use a name that you used for Any Source multicast. (You must use IGMPv3 to configure SSM.)
    7. Enter the multicast Group address or group address and /prefix of the group that wants to receive multicast packets from the specified source only (and can receive the packets on these interfaces).
      A Source Specific group for which you specify permissions is a group that the virtual router must treat as source-specific. Configure Source Specific Address Space (Step 9) that includes the source-specific groups for which you configured permission.
    8. Enter the Source IP address from which this multicast group can receive multicast packets.
    9. Select Included to include the SSM Group and source address pair in the interface group (default). De-select Included to easily exclude the pair from the interface group, such as during testing.
    10. Add additional multicast Groups (for the interface group) that receive multicast packets from a specific source only.
  5. Configure IGMP for the interface group if an interface faces multicast receivers, which must use IGMP to join a group.
    1. On the IGMP tab, Enable IGMP (default).
    2. Specify IGMP parameters for interfaces in the interface group:
      • IGMP Version 1, 2, or 3 (default).
      • Enforce Router-Alert IP Option (disabled by default)—Select this option if you require incoming IGMP packets that use IGMPv2 or IGMPv3 to have the IP Router Alert Option, RFC 2113.
      • Robustness—A variable that the firewall uses to tune the Group Membership Interval, Other Querier Present Interval, Startup Query Count, and Last Member Query Count (range is 1 to 7; default is 2). Increase the value if the subnet on which this firewall is located is prone to losing packets.
      • Max Sources—Maximum number of sources that IGMP can process simultaneously for an interface (range is 1 to 65,535; default is unlimited).
      • Max Groups—Maximum number of groups that IGMP can process simultaneously for an interface (range is 1 to 65,535; default is unlimited).
      • Query Interval—Number of seconds between IGMP membership Query messages that the virtual router sends to a receiver to determine whether the receiver still wants to receive the multicast packets for a group (range is 1 to 31,744; default is 125).
      • Max Query Response Time (sec)—Maximum number of seconds allowed for a receiver to respond to an IGMP membership Query message before the virtual router determines that the receiver no longer wants to receive multicast packets for the group (range is 0 to 3,174.4; default is 10).
      • Last Member Query Interval (sec)—Number of seconds allowed for a receiver to respond to a Group-Specific Query that the virtual router sends after a receiver sends a Leave Group message (range is 0.1 to 3,174.4; default is 1).
      • Immediate Leave (disabled by default)—When there is only one member in a multicast group and the virtual router receives an IGMP Leave message for that group, the Immediate Leave setting causes the virtual router to remove that group and outgoing interface from the multicast routing information base (mRIB) and multicast forwarding information base (mFIB) immediately, rather than waiting for the Last Member Query Interval to expire. The Immediate Leave setting saves network resources. You cannot select Immediate Leave if the interface group uses IGMPv1.
  6. Configure PIM Sparse Mode (PIM-SM) for the interface group.
    1. On the PIM tab, Enable PIM (enabled by default).
    2. Specify PIM parameters for the interface group:
      • Assert Interval—Number of seconds between PIM Assert messages that the virtual router sends to other PIM routers on the multiaccess network when they are electing a PIM forwarder (range is 0 to 65,534; default is 177).
      • Hello Interval—Number of seconds between PIM Hello messages that the virtual router sends to its PIM neighbors from each interface in the interface group (range is 0 to 18,000; default is 30).
      • Join Prune Interval—Number of seconds between PIM Join messages (and between PIM Prune messages) that the virtual router sends upstream toward a multicast source (range is 0 to 18,000; default is 60).
      • DR Priority—Designated Router (DR) priority that controls which router in a multiaccess network forwards PIM Join and Prune messages to the RP (range is 0 to 429,467,295; default is 1). The DR priority takes precedence over IP address comparisons to elect the DR.
      • BSR Border—Select this option if the interfaces in the interface group are on a virtual router that is the BSR located at the border of an enterprise LAN. This will prevent RP candidacy BSR messages from leaving the LAN.
    3. Add one or more Permitted PIM Neighbors by specifying the IP Address of each router from which the virtual router accepts multicast packets.
  7. Click OK to save the interface group settings.
  8. (Optional) Change the Shortest-Path Tree (SPT) threshold, as described in Shortest-Path Tree (SPT) and Shared Tree.
    1. Select SPT Threshold and Add a Multicast Group/Prefix, the multicast group or prefix for which you are specifying the distribution tree.
    2. Specify the Threshold (kb)—The point at which routing to the specified multicast group or prefix switches from shared tree (sourced from the RP) to SPT distribution:
      • 0 (switch on first data packet) (default)—The virtual router switches from shared tree to SPT for the group or prefix when the virtual router receives the first data packet for the group or prefix.
      • never (do not switch to spt)—The virtual router continues to use the shared tree to forward packets to the group or prefix.
      • Enter the total number of kilobits from multicast packets that can arrive for the multicast group or prefix at any interface and over any time period, upon which the virtual router changes to SPT distribution for that multicast group or prefix.
  9. Identify the multicast groups or groups and prefixes that accept multicast packets only from a specific source.
    1. Select Source Specific Address Space and Add the Name for the space.
    2. Enter the multicast Group address with prefix length to identify the address space that receives multicast packets from a specific source. If the virtual router receives a multicast packet for an SSM group but the group is not covered by a Source Specific Address Space, the virtual router drops the packet.
    3. Select Included to include the source-specific address space as a multicast group address range from which the virtual router will accept multicast packets that originated from an allowed specific source. De-select Included to easily exclude a group address space for testing.
    4. Add other source-specific address spaces to include all those groups for which you specified SSM group permission.
  10. (Optional) Change the length of time that a multicast route remains in the mRIB after the session ends between a multicast group and a source.
    1. Select the Advanced tab.
    2. Specify the Multicast Route Age Out Time (sec) (range is 210 to 7,200; default is 210).
  11. Click OK to save the multicast configuration.
  12. Create a Security policy rule to allow multicast traffic to the destination zone.
    1. Create a Security Policy Rule and on the Destination tab, select multicast or any for the Destination Zone. The multicast zone is a predefined Layer 3 zone that matches all multicast traffic. The Destination Address can be a multicast group address.
    2. Configure the rest of the Security policy rule.
  13. (Optional) Enable buffering of multicast packets before a route is set up.
    1. Select Device > Setup > Session and edit Session Settings.
    2. Enable Multicast Route Setup Buffering (disabled by default). The firewall can preserve the first packet(s) from a multicast flow if an entry for the corresponding multicast group does not yet exist in the multicast forwarding table (mFIB). The Buffer Size controls how many packets the firewall buffers from a flow. After the route is installed in the mFIB, the firewall automatically forwards the buffered first packet(s) to the receiver. (You need to enable multicast route setup buffering only if your content servers are directly connected to the firewall and your multicast application cannot withstand the first packet of the flow being dropped.)
    3. (Optional) Change the Buffer Size. Buffer size is the number of packets per multicast flow that the firewall can buffer until the mFIB entry is set up (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets total (for all flows).
    4. Click OK.
  14. Commit your changes.
  15. View IP Multicast Information to view mRIB and mFIB entries, IGMP interface settings, IGMP group memberships, PIM ASM and SSM modes, group mappings to RPs, DR addresses, PIM settings, PIM neighbors, and more.
  16. If you Configure a Static Route for multicast traffic, you can install the route only in the multicast routing table (not the unicast routing table) so that the route is used for multicast traffic only.
  17. If you enable IP multicast, it is not necessary to Configure BGP with MP-BGP for IPv4 Multicast unless you have a logical multicast topology separate from a logical unicast topology. You configure MP-BGP extensions with the IPv4 address family and multicast subsequent address family only when you want to advertise multicast source prefixes into BGP under multicast subsequent address family.
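
Steps 4 and 9 above depend on each other: the virtual router drops packets for an SSM group that no Source Specific Address Space covers. The check below is an added example, not Palo Alto Networks code; it runs over a constructed copy of those two tables, and the dictionary layout, the entry names, and the treatment of a de-selected Included box as providing no coverage are assumptions.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def parse_group(text):
    """Parse 'a.b.c.d' or 'a.b.c.d/len'; reject anything outside 224.0.0.0/4."""
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4 or not net.subnet_of(MULTICAST):
        raise ValueError(f"{text} is not an IPv4 multicast group or prefix")
    return net

def uncovered_ssm_permissions(ssm_permissions, address_spaces):
    """Names of included SSM permissions (step 4) whose group range is not
    inside the included Source Specific Address Space entries (step 9)."""
    # Assumption: an entry with Included de-selected provides no coverage.
    included = [parse_group(s["group"]) for s in address_spaces
                if s.get("included", True)]
    # Merge adjacent entries so two /25s can cover a /24 permission.
    spaces = list(ipaddress.collapse_addresses(included))
    missing = []
    for perm in ssm_permissions:
        if not perm.get("included", True):
            continue  # excluded pairs are not part of the interface group
        ipaddress.ip_address(perm["source"])  # raises ValueError if malformed
        group = parse_group(perm["group"])
        if not any(group.subnet_of(space) for space in spaces):
            missing.append(perm["name"])
    return missing

# Constructed sample data; the dict layout and names are hypothetical.
SSM_PERMISSIONS = [
    {"name": "video-a", "group": "232.1.1.0/24", "source": "10.1.1.10"},
    {"name": "video-b", "group": "232.2.2.5", "source": "10.1.1.11"},
    {"name": "lab", "group": "232.9.0.0/16", "source": "10.9.9.9",
     "included": False},
]
ADDRESS_SPACES = [
    {"name": "ssm-a1", "group": "232.1.1.0/25"},
    {"name": "ssm-a2", "group": "232.1.1.128/25"},
    {"name": "ssm-old", "group": "232.2.2.0/24", "included": False},
]

if __name__ == "__main__":
    for name in uncovered_ssm_permissions(SSM_PERMISSIONS, ADDRESS_SPACES):
        print(f"SSM permission {name!r} has no covering address space")
```

Any name the function returns is an SSM permission whose traffic would be dropped until a matching address space is added or re-included.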
