PIM Sparse Mode supports Any-Source Multicast (ASM) and Source-Specific Multicast (SSM); ASM requires a rendezvous point (RP). Configure PIM on ingress and egress interfaces for the virtual router to receive and forward IP multicast traffic.
IP multicast uses the Protocol Independent Multicast (PIM) routing protocol between routers to determine the path on the distribution tree that multicast packets take from the source to the receivers (multicast group members). A Palo Alto Networks® firewall supports PIM Sparse Mode (PIM-SM) (RFC 4601), PIM Any-Source Multicast (ASM) (sometimes referred to as PIM Sparse Mode), and PIM Source-Specific Multicast (SSM). In PIM-SM, the source does not forward multicast traffic until a receiver (user) belonging to a multicast group requests that the source send the traffic. When a host wants to receive multicast traffic, its implementation of IGMP sends an IGMP Membership report message, and the receiving router then sends a PIM Join message to the multicast group address of the group it wants to join.
- InASM, the receiver uses IGMP to request traffic for a multicast group address; any source could have originated that traffic. Consequently, the receiver doesn’t necessarily know the senders, and the receiver could receive multicast traffic in which it has no interest.
- InSSM(RFC 4607), the receiver uses IGMP to request traffic from one or more specific sources to a multicast group address. The receiver knows the IP address of the senders and receives only the multicast traffic it wants. SSM requires IGMPv3. You can override the default SSM address space, which is 188.8.131.52/8.
When you Configure IP Multicast on a Palo Alto Networks® firewall, you must enable PIM for an interface to forward multicast traffic, even on receiver-facing interfaces. This is unlike IGMP, which you enable only on receiver-facing interfaces.
ASM requires a
rendezvous point(RP), which is a router located at the juncture or root of a shared distribution tree. The RP for a multicast domain serves as a single point to which all multicast group members send their Join messages. This behavior reduces the likelihood of a routing loop that would otherwise occur if group members sent their Join messages to multiple routers. (SSM doesn’t need an RP because source-specific multicast uses a shortest-path tree and therefore has no need for an RP.)
In an ASM environment, there are two ways that the virtual router determines which router is the RP for a multicast group:
- Static RP-to-Group Mapping—configures the virtual router on the firewall to act as RP for multicast groups. You configure a local RP, either by configuring a static RP address or by specifying that the local RP is a candidate RP and the RP is chosen dynamically (based on lowest priority value). You can also statically configure one or more external RPs for different group address ranges not covered by the local RP, which helps you load-balance multicast traffic so that one RP is not overloaded.
- Bootstrap Router (BSR)—(RFC 5059)—defines the role of a BSR. First, candidates for BSR advertise their priority to each other and then the candidate with the largest priority is elected BSR, as shown in the following figure:Next, the BSR discovers RPs when candidate RPs periodically unicast a BSR message to the BSR containing their IP address and the multicast group range for which they will act as RP. You can configure the local virtual router to be a candidate RP, in which case the virtual router announces its RP candidacy for a specific multicast group or groups. The BSR sends out RP information to the other RPs in the PIM domain.When you configure PIM for an interface, you can select BSR Border when the interface on the firewall is at an enterprise boundary facing away from the enterprise network. The BSR Border setting prevents the firewall from sending RP candidacy BSR messages outside the LAN. In the following illustration, BSR Border is enabled for the interface facing the LAN and that interface has the highest priority. If the virtual router has both a static RP and a dynamic RP (learned from the BSR), you can specify whether the static RP should override the learned RP for a group when you configure the local, static RP.
In order for PIM Sparse Mode to notify the RP that it has traffic to send down a shared tree, the RP must be aware of the source. The host notifies the RP that it is sending traffic to a multicast group address when the
designated router(DR) encapsulates the first packet from the host in a PIM Register message and unicasts the packet to the RP on its local network. The DR also forwards Prune messages from a receiver to the RP. The RP maintains the list of IP addresses of sources that are sending to a multicast group and the RP can forward multicast packets from sources.
Why do the routers in a PIM domain need a DR? When a router sends a PIM Join message to a switch, two routers could receive it and forward it to the same RP, causing redundant traffic and wasting bandwidth. To prevent unnecessary traffic, the PIM routers elect a DR (the router with the highest IP address), and only the DR forwards the Join message to the RP. Alternatively, you can assign a DR priority to an interface group, which takes precedence over IP address comparisons. As a reminder, the DR is forwarding (unicasting) PIM messages; it is not multicasting IP multicast packets.
You can specify the IP addresses of PIM neighbors (routers) that the interface group will allow to peer with the virtual router. By default, all PIM-enabled routers can be PIM neighbors, but the option to limit neighbors provides a step toward securing the virtual router in your PIM environment.