The Airtame device uses multicast to advertise itself on a network so that the app can detect it and show a list of all Airtame devices on the network. The methods used are Simple Service Discovery Protocol (SSDP) and Multicast Domain Name Service (mDNS). Simply enabling one of the multicast protocols on a VLAN is enough when the Airtame and the PC are on the same VLAN; when they are on different VLANs, the multicast traffic has to cross VLANs, so the network administrator needs to add multicast routing configuration on the network side.
A multicast address identifies a group of receivers that want to receive the traffic going to that address.
Note: You should not use the multicast addresses reserved for special uses, such as the range 184.108.40.206 through 220.127.116.11 or 18.104.22.168 through 22.214.171.124.
Multicast traffic uses UDP, which does not resend missed packets.
Palo Alto Networks® firewalls support Protocol Independent Multicast (PIM) on a Layer 3 interface that you configure for a virtual router on the firewall. For multicast routing, the Layer 3 interface type can be Ethernet, Aggregate Ethernet (AE), VLAN, loopback, or tunnel. Interface groups allow you to configure more than one firewall interface at a time with the same Internet Group Management Protocol (IGMP) and PIM parameters, and with the same group permissions (multicast groups allowed to accept traffic from any source or from only a specific source). An interface can belong to only one interface group.
You must enable multicast for a virtual router and enable PIM for an ingress and an egress interface in order for the interfaces to receive or forward multicast packets. In addition to PIM, you must also enable IGMP on egress interfaces that face receivers. You must configure a Security policy rule to allow IP multicast traffic to a predefined Layer 3 destination zone named multicast or to any destination zone.
Protocol Independent Multicast (PIM) routing protocol is used between routers to determine the path on the distribution tree that multicast packets take from the source to the receivers (multicast group members). A Palo Alto Networks® firewall supports PIM Sparse Mode (PIM-SM), PIM Any-Source Multicast (ASM) (sometimes referred to as PIM Sparse Mode), and PIM Source-Specific Multicast (SSM).
The firewall does not support PIM Dense Mode (PIM-DM), IGMP proxy, IGMP static joins, Anycast RP, GRE, or multicast configurations on a Layer 2 or virtual wire interface type.
- In PIM-SM, the source does not forward multicast traffic until a receiver (user) belonging to a multicast group requests that the source send the traffic. When a host wants to receive multicast traffic, its implementation of IGMP sends an IGMP Membership report message, and the receiving router then sends a PIM Join message to the multicast group address of the group it wants to join.
- In ASM, the receiver uses IGMP to request traffic for a multicast group address; any source could have originated that traffic. Consequently, the receiver doesn’t necessarily know the senders, and the receiver could receive multicast traffic in which it has no interest.
- In SSM, the receiver uses IGMP to request traffic from one or more specific sources to a multicast group address. The receiver knows the IP address of the senders and receives only the multicast traffic it wants. SSM requires IGMPv3. You can override the default SSM address space, which is 126.96.36.199/8.
Configuring IP multicast
When you configure IP multicast on a Palo Alto Networks® firewall, you must enable PIM on every interface that forwards multicast traffic, including receiver-facing interfaces. This is unlike IGMP, which you enable only on receiver-facing interfaces.
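As an added illustration of the requirements listed above (multicast enabled on the virtual router, PIM on ingress and egress, IGMP on the receiver-facing interface, and a Security policy rule to the predefined multicast zone), the following Python script models them as a readiness check for the two Airtame discovery groups. It is example code, not Airtame's or Palo Alto Networks' own; the virtual-router model, zone and interface names and the rule are constructed assumptions, and it goes one step beyond the text by flagging groups in 224.0.0.0/24 (which mDNS uses), because routers do not forward that link-local range.

```python
import ipaddress

# 224.0.0.0/24 is link-local scope: routers never forward it, so PIM cannot carry it across VLANs.
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")

# Constructed flows: the two discovery protocols the Airtame uses (SSDP and mDNS).
AIRTAME_FLOWS = [
    {"name": "SSDP", "group": "239.255.255.250", "port": 1900, "src_zone": "av"},
    {"name": "mDNS", "group": "224.0.0.251", "port": 5353, "src_zone": "av"},
]

# Constructed model of the firewall state (hypothetical names), not PAN-OS configuration syntax.
VR = {"multicast_enabled": True,
      "ingress": {"name": "ethernet1/1", "pim": True, "igmp": False},   # faces the Airtame
      "egress": {"name": "ethernet1/2", "pim": True, "igmp": True}}     # faces the receivers
RULES = [{"name": "allow-airtame-discovery", "action": "allow", "src_zone": "av",
          "dst_zone": "multicast", "udp_ports": [1900, 5353]}]

def rule_allows(rule, flow):
    """A rule covers the flow when it allows the source zone, targets the predefined
    'multicast' zone (or 'any'), and lists the flow's UDP port (or 'any')."""
    return (rule["action"] == "allow"
            and rule["src_zone"] in ("any", flow["src_zone"])
            and rule["dst_zone"] in ("any", "multicast")
            and (rule["udp_ports"] == "any" or flow["port"] in rule["udp_ports"]))

def check_flow(vr, rules, flow):
    """Return the findings that would stop this group from reaching another VLAN."""
    findings = []
    group = ipaddress.ip_address(flow["group"])
    if not group.is_multicast:
        findings.append(f"{flow['name']}: {group} is not a multicast address")
    elif group in LINK_LOCAL:
        findings.append(f"{flow['name']}: {group} is link-local scope and is not routed")
    if not vr["multicast_enabled"]:
        findings.append("multicast is not enabled on the virtual router")
    for role in ("ingress", "egress"):
        if not vr[role]["pim"]:
            findings.append(f"PIM is not enabled on {role} interface {vr[role]['name']}")
    if not vr["egress"]["igmp"]:
        findings.append(f"IGMP is not enabled on receiver-facing {vr['egress']['name']}")
    if not any(rule_allows(r, flow) for r in rules):
        findings.append(f"{flow['name']}: no Security policy rule allows UDP/{flow['port']} "
                        "to the multicast zone")
    return findings

if __name__ == "__main__":
    for flow in AIRTAME_FLOWS:
        print(flow["name"], check_flow(VR, RULES, flow) or ["ok"])
```

With the constructed state, SSDP passes every check while mDNS is reported as link-local, which is why mDNS needs a different mechanism (such as a reflector) rather than PIM to cross VLANs.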
SSM doesn’t need an RP because source-specific multicast uses a shortest-path tree and therefore has no need for an RP.
ASM requires a rendezvous point (RP), which is a router located at the juncture or root of a shared distribution tree. The RP for a multicast domain serves as a single point to which all multicast group members send their Join messages. This behavior reduces the likelihood of a routing loop that would otherwise occur if group members sent their Join messages to multiple routers. In an ASM environment, there are two ways that the virtual router determines which router is the RP for a multicast group:
- Static RP-to-Group Mapping—configures the virtual router on the firewall to act as RP for multicast groups. You configure a local RP, either by configuring a static RP address or by specifying that the local RP is a candidate RP and the RP is chosen dynamically (based on lowest priority value). You can also statically configure one or more external RPs for different group address ranges not covered by the local RP, which helps you load-balance multicast traffic so that one RP is not overloaded.
- Bootstrap Router (BSR)—(RFC 5059)—defines the role of a BSR. First, candidates for BSR advertise their priority to each other and then the candidate with the largest priority is elected BSR, as shown in the following figure:
Next, the BSR discovers RPs when candidate RPs periodically unicast a BSR message to the BSR containing their IP address and the multicast group range for which they will act as RP. You can configure the local virtual router to be a candidate RP, in which case the virtual router announces its RP candidacy for a specific multicast group or groups. The BSR sends out RP information to the other RPs in the PIM domain.
When you configure PIM for an interface, you can select BSR Border when the interface on the firewall is at an enterprise boundary facing away from the enterprise network. The BSR Border setting prevents the firewall from sending RP candidacy BSR messages outside the LAN. In the following illustration, BSR Border is enabled for the interface facing the LAN and that interface has the highest priority. If the virtual router has both a static RP and a dynamic RP (learned from the BSR), you can specify whether the static RP should override the learned RP for a group when you configure the local, static RP.
In order for PIM Sparse Mode to notify the RP that it has traffic to send down a shared tree, the RP must be aware of the source. The host notifies the RP that it is sending traffic to a multicast group address when the designated router (DR) encapsulates the first packet from the host in a PIM Register message and unicasts the packet to the RP on its local network. The DR also forwards Prune messages from a receiver to the RP. The RP maintains the list of IP addresses of sources that are sending to a multicast group and the RP can forward multicast packets from sources.
Why do the routers in a PIM domain need a DR?
When a router sends a PIM Join message to a switch, two routers could receive it and forward it to the same RP, causing redundant traffic and wasting bandwidth. To prevent unnecessary traffic, the PIM routers elect a DR (the router with the highest IP address), and only the DR forwards the Join message to the RP. Alternatively, you can assign a DR priority to an interface group, which takes precedence over IP address comparisons. As a reminder, the DR is forwarding (unicasting) PIM messages; it is not multicasting IP multicast packets.
You can specify the IP addresses of PIM neighbors (routers) that the interface group will allow to peer with the virtual router. By default, all PIM-enabled routers can be PIM neighbors, but the option to limit neighbors provides a step toward securing the virtual router in your PIM environment.
For a step-by-step guide for Palo Alto Networks firewalls, click below.