A rare use case on a Palo (at least from my point of view): Multicast Routing. It can become as complex as you want. Fortunately, the basics are relatively easy to configure, at least if you have a rough understanding of multicast and of routing with PIM and IGMP. (Recommended YouTube session here.) Let’s have a look at the common configuration steps on PAN-OS, the security policies needed towards the special destination zone type “multicast”, as well as some “show” outputs that can be used for troubleshooting:
The Lab
- My lab consists of 3x Cisco routers (2811, IOS Version 15.1(4)M12a) and 1x PA-440 “pa-lab” with PAN-OS 11.1.10-h1, ARE enabled, hence: logical routers.
- (Note that with PAN-OS 11.2 and ARE, multicast routing is not supported at all.)
- PIM-SM (sparse-mode) is used all over the lab. The rendezvous point (RP) is statically configured on R1’s loopback interface.
- Since Palo only supports legacy IP (IPv4) with multicast, IPv6 is not of interest in this setup. 😢
- A Raspberry Pi on the right-hand side offers a multicast stream at 239.23.11.10:1234. Accomplished by: ffmpeg -f lavfi -re -i "testsrc=size=640x360:rate=25:decimals=2" -c:v libx264 -f mpegts "udp://239.23.11.10:1234?pkt_size=1316".
- The Palo serves a client subnet directly (VLAN 51, client 1 aka receiver, IGMP), and is additionally connected to another “internal” router (R3, PIM), in which another receiver (client 2) resides.
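To make the receiver side of this lab tangible, here is an added example (my own code, not from the post): a minimal Python receiver that joins 239.23.11.10 and validates that what arrives on UDP port 1234 is the MPEG-TS stream ffmpeg sends in 1316-byte payloads (7 x 188-byte TS packets). The IP_ADD_MEMBERSHIP socket option is exactly what makes the client emit the IGMP membership report the Palo later lists for ethernet1/5.51, and it is the same thing VLC does for udp://@239.23.11.10:1234. The group, port and packet size come from the post; the sample chunk builder is constructed for offline testing.

```python
#!/usr/bin/env python3
"""Minimal IGMP receiver for the lab stream at 239.23.11.10:1234 (added example)."""
import socket
import struct
from typing import List

GROUP = "239.23.11.10"   # multicast group from the post
PORT = 1234              # UDP port from the post
TS_PACKET = 188          # MPEG-TS packet size; ffmpeg's pkt_size=1316 is 7 of these
TS_SYNC = 0x47           # every TS packet starts with this sync byte


def parse_ts_chunk(payload: bytes) -> List[int]:
    """Return the PID of every TS packet in one UDP payload.

    Raises ValueError when the payload is not a whole number of 188-byte
    packets or a sync byte is missing, so that random traffic on the group
    port is not silently counted as 'stream received'.
    """
    if len(payload) % TS_PACKET != 0:
        raise ValueError(f"{len(payload)} bytes is not a multiple of {TS_PACKET}")
    pids = []
    for off in range(0, len(payload), TS_PACKET):
        if payload[off] != TS_SYNC:
            raise ValueError(f"missing TS sync byte at offset {off}")
        # The PID is the low 13 bits of header bytes 1 and 2.
        pids.append(((payload[off + 1] & 0x1F) << 8) | payload[off + 2])
    return pids


def make_sample_chunk(pid: int, count: int = 7) -> bytes:
    """Constructed test data: `count` null-payload TS packets carrying `pid`."""
    header = bytes([TS_SYNC, (pid >> 8) & 0x1F, pid & 0xFF, 0x10])
    return (header + b"\xff" * (TS_PACKET - 4)) * count


def open_receiver(group: str = GROUP, port: int = PORT, iface: str = "0.0.0.0") -> socket.socket:
    """Bind to the group port and join the group; the join triggers the IGMP report."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return sock


def receive_some(sock: socket.socket, packets: int = 10, timeout: float = 5.0) -> int:
    """Read up to `packets` datagrams, validate each as TS, return how many arrived."""
    sock.settimeout(timeout)
    seen = 0
    while seen < packets:
        try:
            data, src = sock.recvfrom(2048)
        except socket.timeout:
            # Nothing arriving: first thing to check is the IGMP membership on the Palo.
            break
        pids = parse_ts_chunk(data)
        seen += 1
        print(f"{src[0]} -> {GROUP}:{PORT}: {len(data)} bytes, PIDs {sorted(set(pids))}")
    return seen


if __name__ == "__main__":
    with open_receiver() as s:
        print(f"received {receive_some(s)} valid TS datagrams")
```

Run it on a host in VLAN 51 while the ffmpeg sender is up; leaving the group happens implicitly when the socket closes, which is when the membership on the Palo ages out.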
The Config
The following screenshots provide an overview of the multicast settings needed for this kind of setup. Almost all settings were left at their defaults.
Special attention needs to be paid to the security policies:
- Allowing “pim” is only necessary if another router must communicate with the RP *through* the Palo, or if the Palo itself provides the RP. If the Palo is only terminating receivers (IGMP), there’s no PIM policy needed. (I’m not fully sure why, since for other routing protocols such as OSPF or BGP, those allow rules are a must. Yes, I’ve checked an explicit intrazone-deny rule as well. Still no hits.)
- IGMP must be allowed from the receiver’s zone to the special “multicast” destination zone. Of course, destination address objects can be used to further restrict the traffic.
- For the actual multicast traffic (in my case a video stream on UDP port 1234), a policy must allow this traffic from the zone of the multicast source (in my case: zone “transfer”) to the special “multicast” destination zone.
The Show
The following screenshots and CLI outputs were taken while both receivers were consuming the stream. (Using the VLC media player with udp://@239.23.11.10:1234.)
Session Browser during the stream: (the IGMP session was already gone)
Traffic Log *after* the receivers stopped consuming the stream:
Traffic Log for “pim”, in which router R3 contacted the RP:
Almost the same via the CLI show commands. One note, though: The show advanced-routing multicast pim state command is the only one that gives an output comparable to that from the Cisco world. E.g., only this one lists the Rendezvous Point for the (*,G) groups.
```text
weberjoh@pa-lab> show advanced-routing multicast pim neighbor

Logical router: default
Interface        Neighbor        Uptime    Holdtime  Generation ID  DR Pri
ethernet1/1      192.168.3.99    44:59:56  00:01:26  1170265741     1
ethernet1/5.131  10.23.1.2       44:59:56  00:01:44  3086112133     1

weberjoh@pa-lab>
weberjoh@pa-lab>
weberjoh@pa-lab> show advanced-routing multicast igmp membership group 239.23.11.10

Logical router: default
Interface        Address        Group         Source  Mode     Timer     Src  V  Uptime    Static
ethernet1/5.51   192.168.51.1   239.23.11.10  *       EXCLUDE  00:02:15  1    3  00:10:35  False
Total (Interface, Groups): 1

weberjoh@pa-lab>
weberjoh@pa-lab>
weberjoh@pa-lab> show advanced-routing multicast route group 239.23.11.10

Flags: S - Sparse, C - Connected, P - Pruned, M - SSM, R - SGRpt Pruned, F - FHR flag, T - SPT-bit set
Logical router: default
group          source          flags  Proto  incoming     outgoing         TTL  Uptime
239.23.11.10   *               SC     IGMP   ethernet1/1  ethernet1/5.51   1    00:11:04
                                      PIM                 ethernet1/5.131  1    00:09:16
239.23.11.10   192.168.124.12  ST     IGMP   ethernet1/1  ethernet1/5.51   1    00:11:04
                                      PIM                 ethernet1/5.131  1    00:09:16
total route shown: 2

weberjoh@pa-lab>
weberjoh@pa-lab>
weberjoh@pa-lab> show advanced-routing multicast fib group 239.23.11.10

Logical Router: default
maximum of mfib entries for this mfib: 275
number of mfib entries for this mfib: 3
number of mfib entries shown: 2
group          source          flags  incoming     outgoing
-----          ------          -----  --------     --------
239.23.11.10   0.0.0.0         1      ethernet1/1  ethernet1/5.131
                                                   ethernet1/5.51
239.23.11.10   192.168.124.12  2      ethernet1/1  ethernet1/5.131
                                                   ethernet1/5.51

weberjoh@pa-lab>
weberjoh@pa-lab>
weberjoh@pa-lab> show advanced-routing multicast pim state group 239.23.11.10

Logical router: default
(*, G):
group          RP        up time   upstream join  join timer  RPF interface  RPF next hop
239.23.11.10   10.0.0.1  00:11:41  Joined         00:00:20    ethernet1/1    192.168.3.99/32
oil interface    local membership  join/prune  join expire timer  prune pending timer  assert st  assert timer  assert winner addr  assert winner metric
ethernet1/5.51   LOCAL             NOINFO      --:--              --:--                NOINFO     --:--         0.0.0.0             infinity
ethernet1/5.131  NOINFO            JOIN        02:42              --:--                NOINFO     --:--         0.0.0.0             infinity
pimreg           N/A               JOIN        02:42              --:--                NOINFO     --:--         0.0.0.0             infinity

(S, G):
group          source          up time   upstream nbr  upstream join  join timer  RPF next hop     DR reg     DR reg stop timer  SPT
239.23.11.10   192.168.124.12  00:11:41  192.168.3.99  Joined         00:00:20    192.168.3.99/32  RegNoInfo  --:--:--           False
oil interface    local membership  join/prune  join expire timer  prune pending timer  assert st  assert timer  assert winner addr  assert winner metric
ethernet1/5.131  NOINFO            JOIN        02:41              --:--                NOINFO     --:--         0.0.0.0             infinity

weberjoh@pa-lab>
```
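Reading these tables by eye works for one group; for a handful of groups and a change window it is easier to let a script check them. The following is an added example (my own code, not from the post or from Palo Alto Networks): it parses the `show advanced-routing multicast route group` output shown above into (*,G) and (S,G) entries and runs three sanity checks on them: no entry forwards back out of its incoming interface, every outgoing interface belongs to a known receiver interface set (here ethernet1/5.51 and ethernet1/5.131 from the lab), and no (S,G) entry has lost an outgoing interface that its (*,G) still has. The embedded sample is the PA-440 output from the post; the column spacing is reconstructed, the values are the original ones. The parser assumes the two-row layout seen above (a full row per entry, then one shorter row per additional outgoing interface).

```python
"""Parse and sanity-check PAN-OS 'show advanced-routing multicast route group' output (added example)."""
from typing import Dict, List, Set, Tuple

# Output copied from the post's PA-440 (values as shown there, column layout reconstructed).
SAMPLE = """\
weberjoh@pa-lab> show advanced-routing multicast route group 239.23.11.10

Flags: S - Sparse, C - Connected, P - Pruned, M - SSM, R - SGRpt Pruned, F - FHR flag, T - SPT-bit set
Logical router: default
group          source          flags  Proto  incoming     outgoing         TTL  Uptime
239.23.11.10   *               SC     IGMP   ethernet1/1  ethernet1/5.51   1    00:11:04
                                      PIM                 ethernet1/5.131  1    00:09:16
239.23.11.10   192.168.124.12  ST     IGMP   ethernet1/1  ethernet1/5.51   1    00:11:04
                                      PIM                 ethernet1/5.131  1    00:09:16
total route shown: 2
"""

Key = Tuple[str, str]  # (group, source); source is "*" for a (*,G) entry


def parse_mroute(text: str) -> Dict[Key, dict]:
    """Turn the table into {(group, source): {flags, incoming, outgoing:[...]}}."""
    entries: Dict[Key, dict] = {}
    current = None
    in_table = False
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not in_table:
            # Everything before the 'group source ...' header is banner text.
            in_table = tok[:2] == ["group", "source"]
            continue
        if tok[0] == "total":
            break
        if len(tok) == 8:  # full row: group source flags proto iif oif ttl uptime
            current = {"flags": tok[2], "incoming": tok[4], "outgoing": []}
            entries[(tok[0], tok[1])] = current
            proto, oif, ttl, uptime = tok[3], tok[5], tok[6], tok[7]
        elif len(tok) == 4 and current is not None:  # continuation row: proto oif ttl uptime
            proto, oif, ttl, uptime = tok
        else:
            raise ValueError(f"unexpected row: {line!r}")
        current["outgoing"].append({"proto": proto, "iface": oif, "ttl": int(ttl), "uptime": uptime})
    return entries


def oifs(entry: dict) -> Set[str]:
    """The outgoing interface list (OIL) of one entry as a set of interface names."""
    return {o["iface"] for o in entry["outgoing"]}


def iif_in_oil(entries: Dict[Key, dict]) -> List[Key]:
    """Entries that forward back out of their incoming interface; never legitimate."""
    return [k for k, e in entries.items() if e["incoming"] in oifs(e)]


def unexpected_oifs(entries: Dict[Key, dict], allowed: Set[str]) -> Dict[Key, Set[str]]:
    """Outgoing interfaces outside the set of interfaces this group may be forwarded to."""
    return {k: oifs(e) - allowed for k, e in entries.items() if oifs(e) - allowed}


def sg_missing_oifs(entries: Dict[Key, dict]) -> Dict[Key, Set[str]]:
    """For each (S,G), interfaces in the matching (*,G) OIL that the (S,G) lacks."""
    missing: Dict[Key, Set[str]] = {}
    for (group, source), entry in entries.items():
        star = entries.get((group, "*"))
        if source == "*" or star is None:
            continue
        gap = oifs(star) - oifs(entry)
        if gap:
            missing[(group, source)] = gap
    return missing


if __name__ == "__main__":
    routes = parse_mroute(SAMPLE)
    receivers = {"ethernet1/5.51", "ethernet1/5.131"}  # VLAN 51 clients and the link to R3
    for key, e in routes.items():
        print(key, e["flags"], e["incoming"], "->", sorted(oifs(e)))
    print("iif in OIL:", iif_in_oil(routes))
    print("unexpected OIFs:", unexpected_oifs(routes, receivers))
    print("(S,G) missing OIFs:", sg_missing_oifs(routes))
```

Feed it the output of the same command for each group you care about (for example via the PAN-OS CLI over SSH); an interface showing up in `unexpected_oifs` means a group is being replicated towards a zone where no receiver is expected, which is worth a look at the IGMP policy towards the “multicast” zone.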
Finally, this is how R3 looked during the session:
```text
R3#show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable, G - GenID Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
10.23.1.1         FastEthernet0/0          1d21h/00:01:39    v2    1 / G
R3#
R3#
R3#show ip mroute 239.23.11.10
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       V - RD & Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.23.11.10), 01:19:52/stopped, RP 10.0.0.1, flags: SJC
  Incoming interface: FastEthernet0/0, RPF nbr 10.23.1.1
  Outgoing interface list:
    FastEthernet0/1.132, Forward/Sparse, 00:10:13/00:01:56

(192.168.124.12, 239.23.11.10), 01:19:51/00:02:34, flags: JT
  Incoming interface: FastEthernet0/0, RPF nbr 10.23.1.1
  Outgoing interface list:
    FastEthernet0/1.132, Forward/Sparse, 00:10:13/00:01:56

R3#
R3#
R3#show ip igmp groups 239.23.11.10
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter   Group Accounted
239.23.11.10     FastEthernet0/1.132      00:10:33  00:02:42  192.168.132.11
R3#
```
The End
Uff. ;) That’s it for now. Of course, you can configure other scenarios, such as setting the Rendezvous Point on the Palo itself or using filters for various settings. But not for me this time.
Soli Deo Gloria!
Photo by Jeanson Wong on Unsplash.