PIM Sparse Mode supports Any-Source Multicast (ASM) and Source-Specific
Multicast (SSM); ASM requires a rendezvous point (RP). Configure PIM
on ingress and egress interfaces for the virtual router to receive
and forward IP multicast traffic.
IP multicast uses the Protocol Independent Multicast
(PIM) routing protocol between routers to determine the path on
the distribution tree that multicast packets take from the source
to the receivers (multicast group members). A Palo Alto Networks®
firewall supports PIM Sparse Mode (PIM-SM) (RFC 4601), PIM Any-Source Multicast (ASM)
(sometimes referred to as PIM Sparse Mode), and PIM Source-Specific
Multicast (SSM). In PIM-SM, routers do not forward a group's multicast
traffic until a receiver belonging to that group asks for it. When a host wants
to receive multicast traffic, its IGMP implementation sends an IGMP Membership
Report to its first-hop router, and that router (the designated router on the
segment) then sends a PIM Join message upstream toward the RP for the group
(in ASM) or toward the source (in SSM). PIM Join messages are exchanged between
routers on the all-PIM-routers address; they are not sent to the multicast
group address itself.
In ASM, the receiver uses IGMP to request traffic
for a multicast group address; any source could have originated
that traffic. Consequently, the receiver doesn’t necessarily know
the senders, and the receiver could receive multicast traffic in
which it has no interest.
In SSM (RFC 4607), the receiver uses IGMP to request
traffic from one or more specific sources to a multicast group address.
The receiver knows the IP addresses of the senders and receives only
the multicast traffic it wants. SSM requires IGMPv3. You can override the default
SSM address space (232.0.0.0/8) by adjusting the source-specific address space; the
group permissions then need to be adjusted to match.
When you Configure
IP Multicast on a Palo Alto Networks firewall, you must enable
PIM for an interface to forward multicast traffic, even on receiver-facing
interfaces. This is unlike IGMP, which you enable only on receiver-facing
interfaces.
ASM requires a rendezvous point (RP), which is a router
located at the root of a shared distribution tree. The
RP for a multicast domain serves as the single point toward which all
routers with multicast group members send their Join messages, and
at which sources are registered, so that receivers can reach a source's
traffic without knowing the source's address in advance. (SSM
doesn't need an RP because each receiver joins a shortest-path
tree rooted at the specific source it asked for.)
In an ASM environment, there are two ways that the virtual router
determines which router is the RP for a multicast group:
Static RP-to-Group Mapping—you tell the virtual
router on the firewall which RP serves which group ranges. You can configure
a local RP (the virtual router itself acts as RP), either by configuring a static RP
address or by specifying that the local RP is a candidate RP so that the RP is chosen
dynamically (the candidate with the lowest priority value wins). You can also statically
configure one or more external RPs for different group address ranges not
covered by the local RP, which spreads multicast state across RPs so that
no single RP is overloaded.
Bootstrap Router (BSR)—RFC 5059 defines the role of the BSR. First,
candidate BSRs advertise their priority to each other, and
the candidate with the highest priority (with the highest IP address breaking
a tie) is elected BSR, as shown in the following figure:
Next,
the BSR learns the RPs: each candidate RP periodically unicasts a
Candidate-RP-Advertisement message to the BSR containing its IP address,
its priority, and the multicast group range(s) for which it will act as RP.
You can configure the local virtual router to be a candidate RP, in which
case the virtual router announces its RP candidacy for a specific multicast group
or groups. The BSR then distributes the resulting RP set to all PIM routers in
the domain in Bootstrap messages, so every router maps each group to the same RP.
When you configure PIM for an interface,
you can select BSR Border when the interface on the firewall is
at an enterprise boundary facing away from the enterprise network.
The BSR Border setting stops the firewall from sending RP candidacy and
Bootstrap messages across that interface, so RP information stays inside your
PIM domain. In the following illustration, BSR Border
is enabled for the interface facing the LAN and that interface has
the highest priority. If the virtual router has both a static RP
and a dynamic RP (learned from the BSR) for the same group, you specify,
when you configure the local static RP, whether the static RP
overrides the learned RP for that group.
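The RP resolution described above (static RP-to-group mappings, BSR election, candidate RP selection, the override flag on a static RP, and the SSM range that needs no RP) as a worked example. This is added illustrative code, not PAN-OS code or the page's own. The addresses and group ranges are constructed; the meaning of the override flag (a static RP wins over a BSR-learned RP when it is set, the learned RP wins otherwise) is assumed from the page's description; and the RFC 5059 hash used to break a final tie between candidate RPs is replaced here by lowest RP address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Default SSM range (RFC 4607); groups in it use a source-rooted tree and need no RP.
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")


@dataclass(frozen=True)
class CandidateBSR:
    address: ipaddress.IPv4Address
    priority: int           # RFC 5059: highest priority wins, highest address breaks a tie


@dataclass(frozen=True)
class CandidateRP:
    address: ipaddress.IPv4Address
    group_range: ipaddress.IPv4Network
    priority: int           # RFC 5059: lowest priority value is preferred


@dataclass(frozen=True)
class StaticRP:
    address: ipaddress.IPv4Address
    group_range: ipaddress.IPv4Network
    override: bool = False  # assumed semantics of "override learned RP for the same group"


def elect_bsr(candidates: Iterable[CandidateBSR]) -> Optional[ipaddress.IPv4Address]:
    """Pick the BSR: highest priority, then highest IP address."""
    best = max(candidates, key=lambda c: (c.priority, int(c.address)), default=None)
    return best.address if best else None


def choose_learned_rp(group: ipaddress.IPv4Address,
                      crps: Iterable[CandidateRP]) -> Optional[CandidateRP]:
    """RP from the BSR-distributed candidate set: longest matching group prefix,
    then lowest priority value, then (simplification, see lead-in) lowest address."""
    matching = [c for c in crps if group in c.group_range]
    if not matching:
        return None
    return min(matching, key=lambda c: (-c.group_range.prefixlen, c.priority, int(c.address)))


def select_rp(group: str, static_rps: Iterable[StaticRP], learned_crps: Iterable[CandidateRP],
              ssm_range: ipaddress.IPv4Network = SSM_RANGE) -> Optional[ipaddress.IPv4Address]:
    """Resolve the RP the virtual router would use for one group, or None when no RP
    is needed (SSM range) or none is known."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if g in ssm_range:
        return None  # SSM: (S,G) joins go straight toward the source
    static_matches = [s for s in static_rps if g in s.group_range]
    static = max(static_matches, key=lambda s: s.group_range.prefixlen, default=None)
    learned = choose_learned_rp(g, learned_crps)
    if static is not None and (static.override or learned is None):
        return static.address
    if learned is not None:
        return learned.address
    return None


# Constructed sample data (not from any real deployment).
STATIC_RPS = [
    StaticRP(ipaddress.IPv4Address("10.0.0.1"), ipaddress.ip_network("239.0.0.0/8")),
    StaticRP(ipaddress.IPv4Address("10.0.0.2"), ipaddress.ip_network("239.1.0.0/16"), override=True),
]
LEARNED_CRPS = [
    CandidateRP(ipaddress.IPv4Address("10.0.0.10"), ipaddress.ip_network("224.0.0.0/4"), 192),
    CandidateRP(ipaddress.IPv4Address("10.0.0.11"), ipaddress.ip_network("239.0.0.0/8"), 10),
    CandidateRP(ipaddress.IPv4Address("10.0.0.12"), ipaddress.ip_network("239.0.0.0/8"), 20),
]
BSR_CANDIDATES = [
    CandidateBSR(ipaddress.IPv4Address("10.0.0.5"), 64),
    CandidateBSR(ipaddress.IPv4Address("10.0.0.9"), 64),   # same priority, higher address: wins
    CandidateBSR(ipaddress.IPv4Address("10.0.0.3"), 32),
]

if __name__ == "__main__":
    print("BSR:", elect_bsr(BSR_CANDIDATES))
    for grp in ("239.1.2.3", "239.2.2.2", "225.0.0.1", "232.1.1.1"):
        print(grp, "->", select_rp(grp, STATIC_RPS, LEARNED_CRPS))
```

With this data, 239.1.2.3 resolves to the static 239.1.0.0/16 RP because its override flag is set, while 239.2.2.2 goes to the BSR-learned RP with the lowest priority value for 239.0.0.0/8 even though a static RP covers that range; that difference is exactly what the override setting controls.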
For the RP to forward a source's traffic down the shared tree, the RP
must first learn that the source exists. The designated router (DR) on the
source's segment does this by encapsulating the first packet from the source
in a PIM Register message and unicasting it to the RP. The DR also forwards
Join and Prune messages from its segment toward the RP. The RP maintains the
list of IP addresses of sources that are sending to each multicast group,
and it forwards multicast packets from those sources down the shared tree.
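The Register step described above as added example code (not the page's or PAN-OS's own): it builds the PIM Register a DR would unicast to the RP around a source's first packet, and parses it the way an RP does to learn the (source, group) pair. The message layout follows RFC 4601; the sample addresses and payload are constructed, and `rp_learn_source` is this example's own helper for the per-group source list the page says the RP keeps.

```python
import struct
import ipaddress
from typing import Dict, Set

PIM_VERSION = 2
PIM_TYPE_REGISTER = 1
REGISTER_HEADER_LEN = 8          # 4-byte common PIM header + 4-byte flags word


def ones_complement_checksum(data: bytes) -> int:
    """Standard IP checksum (RFC 1071), as used for the PIM checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) as a source would send it onto its LAN."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_register(data_packet: bytes, border: bool = False, null_register: bool = False) -> bytes:
    """Wrap a multicast data packet in a PIM Register (RFC 4601 section 4.4.1).
    The DR unicasts this to the RP as IP protocol 103; the PIM checksum covers
    only the 8-byte Register header, not the encapsulated packet."""
    flags = (0x80 if border else 0) | (0x40 if null_register else 0)
    hdr = struct.pack("!BBHB3x", (PIM_VERSION << 4) | PIM_TYPE_REGISTER, 0, 0, flags)
    hdr = hdr[:2] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[4:]
    return hdr + data_packet


def parse_register(msg: bytes) -> Dict[str, object]:
    """What the RP extracts from a Register: who is sending to which group."""
    if len(msg) < REGISTER_HEADER_LEN + 20:
        raise ValueError("truncated Register")
    ver_type, _reserved, _csum, flags = struct.unpack("!BBHB3x", msg[:REGISTER_HEADER_LEN])
    if ver_type >> 4 != PIM_VERSION or ver_type & 0x0F != PIM_TYPE_REGISTER:
        raise ValueError("not a PIMv2 Register message")
    if ones_complement_checksum(msg[:REGISTER_HEADER_LEN]) != 0:
        raise ValueError("bad PIM checksum")
    inner = msg[REGISTER_HEADER_LEN:]
    if inner[0] >> 4 != 4:
        raise ValueError("encapsulated packet is not IPv4")
    source = ipaddress.IPv4Address(inner[12:16])
    group = ipaddress.IPv4Address(inner[16:20])
    if not group.is_multicast:
        raise ValueError(f"encapsulated destination {group} is not a multicast group")
    return {"source": str(source), "group": str(group), "protocol": inner[9],
            "border": bool(flags & 0x80), "null_register": bool(flags & 0x40)}


def register_is_valid(msg: bytes) -> bool:
    try:
        parse_register(msg)
        return True
    except ValueError:
        return False


def rp_learn_source(sources_by_group: Dict[str, Set[str]], msg: bytes) -> Dict[str, Set[str]]:
    """Update the RP's per-group source list from one Register; returns the table."""
    info = parse_register(msg)
    sources_by_group.setdefault(info["group"], set()).add(info["source"])
    return sources_by_group


# Constructed sample: host 192.0.2.10 starts sending UDP to group 239.1.2.3.
SAMPLE_DATA_PACKET = build_ipv4_packet("192.0.2.10", "239.1.2.3", b"\x00" * 8)
SAMPLE_REGISTER = build_register(SAMPLE_DATA_PACKET)

if __name__ == "__main__":
    print(parse_register(SAMPLE_REGISTER))
    print(rp_learn_source({}, SAMPLE_REGISTER))
```

One caveat the parser makes visible: because the PIM checksum excludes the encapsulated data, a corrupted or altered payload still passes the Register's own integrity check; only the inner IP header checksum and whatever the application does protect the data itself.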
Why do the routers in a PIM domain need a DR? On a multi-access segment
with two or more PIM routers, each router would see a receiver's IGMP report
(or a source's first packet) and could send its own Join (or Register) to the
RP, creating duplicate state and wasting bandwidth. To prevent this, the PIM
routers on the segment elect one DR (by default the router with the highest
IP address), and only the DR acts on behalf of that segment. Alternatively,
you can assign a DR priority to an interface group; a higher DR priority takes
precedence over the IP address comparison. As a reminder, the DR is
unicasting PIM messages; it is not the router that multicasts the IP multicast packets.
You can specify the IP addresses of PIM neighbors (routers) that
the interface group will allow to peer with the virtual router.
By default, any PIM-enabled router that sends Hello messages on the interface
becomes a PIM neighbor; limiting the neighbors is a first step toward securing the
virtual router in your PIM environment, because any router that becomes a
neighbor can take part in the DR election and send Join and Prune messages.
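The DR election and the neighbor list from the two paragraphs above as added example code (not from PAN-OS or the page). It applies the RFC 4601 rule that DR priorities are compared only when every router on the segment advertises one (otherwise all fall back to highest address), and it shows why the neighbor list matters: an unlisted router advertising a high DR priority would otherwise win the election for the segment. The Hello records and addresses are constructed, and `PimHello` and `dr_on_segment` are this example's own names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class PimHello:
    """The fields of a neighbor's PIM Hello that matter for DR election."""
    sender: Addr
    dr_priority: Optional[int]   # None when the Hello carries no DR Priority option


def accept_neighbors(hellos: Iterable[PimHello],
                     permitted: Optional[Set[Addr]]) -> Tuple[List[PimHello], List[Addr]]:
    """Apply the interface's PIM neighbor list. With no list configured, every Hello
    sender becomes a neighbor (the default); otherwise Hellos from unlisted routers
    are dropped and their addresses reported."""
    if permitted is None:
        return list(hellos), []
    accepted: List[PimHello] = []
    rejected: List[Addr] = []
    for h in hellos:
        if h.sender in permitted:
            accepted.append(h)
        else:
            rejected.append(h.sender)
    return accepted, rejected


def elect_dr(local: Addr, local_priority: Optional[int], neighbors: Iterable[PimHello]) -> Addr:
    """RFC 4601 section 4.3.2: if every router on the segment (including this one)
    advertises a DR priority, highest priority wins and highest address breaks a tie;
    if any router omits it, all routers compare addresses only."""
    routers = [(h.sender, h.dr_priority) for h in neighbors] + [(local, local_priority)]
    if all(p is not None for _, p in routers):
        return max(routers, key=lambda r: (r[1], int(r[0])))[0]
    return max(routers, key=lambda r: int(r[0]))[0]


def dr_on_segment(local: str, local_priority: Optional[int], hellos: Iterable[PimHello],
                  permitted: Optional[Iterable[str]] = None) -> Tuple[str, List[str]]:
    """Filter Hellos through the neighbor list, then elect; returns (DR, rejected senders)."""
    allowed = None if permitted is None else {Addr(a) for a in permitted}
    accepted, rejected = accept_neighbors(hellos, allowed)
    dr = elect_dr(Addr(local), local_priority, accepted)
    return str(dr), [str(a) for a in rejected]


# Constructed sample: the firewall is 10.1.1.1 (DR priority 1) on a segment with two
# legitimate routers and one router that was never meant to peer with it.
SEGMENT_HELLOS = [
    PimHello(Addr("10.1.1.2"), 200),
    PimHello(Addr("10.1.1.3"), 1),
    PimHello(Addr("10.1.1.250"), 255),   # unexpected router advertising the top priority
]
PERMITTED_NEIGHBORS = ["10.1.1.2", "10.1.1.3"]

if __name__ == "__main__":
    print("no neighbor list:   ", dr_on_segment("10.1.1.1", 1, SEGMENT_HELLOS))
    print("with neighbor list: ", dr_on_segment("10.1.1.1", 1, SEGMENT_HELLOS, PERMITTED_NEIGHBORS))
    legacy = [PimHello(Addr("10.1.1.2"), 200), PimHello(Addr("10.1.1.3"), None)]
    print("one router without DR priority:", dr_on_segment("10.1.1.1", 1, legacy))
```

Without the neighbor list, 10.1.1.250 becomes DR for the segment and is the router that registers sources and forwards Joins to the RP; with the list, its Hellos are ignored and 10.1.1.2 wins on priority. The third case shows the fallback that a single router without a DR Priority option forces on the whole segment, which is worth remembering when a configured priority appears to have no effect.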