Multicast

This chapter describes how to configure the Secure Firewall Threat Defense device to use the multicast routing protocol.

About Multicast Routing

Multicast routing is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast routing include videoconferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news.

Multicast routing protocols deliver source traffic to multiple receivers without adding any additional burden on the source or the receivers while using the least network bandwidth of any competing technology. Multicast packets are replicated in the network by threat defense device enabled with Protocol Independent Multicast (PIM) and other supporting multicast protocols, which results in the most efficient delivery of data to multiple receivers possible.

The threat defense device supports both stub multicast routing and PIM multicast routing. However, you cannot configure both concurrently on a single threat defense device.


Note


The UDP and non-UDP transports are both supported for multicast routing. However, the non-UDP transport has no FastPath optimization.


IGMP Protocol

IP hosts use the Internet Group Management Protocol (IGMP) to report their group memberships to directly-connected multicast routers. IGMP is used to dynamically register individual hosts in a multicast group on a particular LAN. Hosts identify group memberships by sending IGMP messages to their local multicast router. Under IGMP, routers listen to IGMP messages and periodically send out queries to discover which groups are active or inactive on a particular subnet.

IGMP uses group addresses (Class D IP address) as group identifiers. Host group address can be in the range of 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet.


Note


When you enable multicast routing on the threat defense device, IGMP Version 2 is automatically enabled on all interfaces.


Query Messages to Multicast Groups

The threat defense device sends query messages to discover which multicast groups have members on the networks attached to the interfaces. Members respond with IGMP report messages indicating that they want to receive multicast packets for specific groups. Query messages are addressed to the all-systems multicast group, which has an address of 224.0.0.1, with a time-to-live value of 1.

These messages are sent periodically to refresh the membership information stored on the threat defense device. If the threat defense device discovers that there are no local members of a multicast group still attached to an interface, it stops forwarding multicast packets for that group to the attached network, and it sends a prune message back to the source of the packets.

By default, the PIM designated router on the subnet is responsible for sending the query messages. By default, they are sent once every 125 seconds.

When changing the query response time, by default, the maximum query response time advertised in IGMP queries is 10 seconds. If the threat defense device does not receive a response to a host query within this amount of time, it deletes the group.

Stub Multicast Routing

Stub multicast routing provides dynamic host registration and facilitates multicast routing. When configured for stub multicast routing, the threat defense device acts as an IGMP proxy agent. Instead of fully participating in multicast routing, the threat defense device forwards IGMP messages to an upstream multicast router, which sets up delivery of the multicast data. When configured for stub multicast routing, the threat defense device cannot be configured for PIM sparse or bidirectional mode. You must enable PIM on the interfaces participating in IGMP stub multicast routing.

The threat defense device supports both PIM-SM and bidirectional PIM. PIM-SM is a multicast routing protocol that uses the underlying unicast routing information base or a separate multicast-capable routing information base. It builds unidirectional shared trees rooted at a single Rendezvous Point (RP) per multicast group and optionally creates shortest-path trees per multicast source.

PIM Multicast Routing

Bidirectional PIM is a variant of PIM-SM that builds bidirectional shared trees connecting multicast sources and receivers. Bidirectional trees are built using a Designated Forwarder (DF) election process operating on each link of the multicast topology. With the assistance of the DF, multicast data is forwarded from sources to the Rendezvous Point (RP), and therefore along the shared tree to receivers, without requiring source-specific state. The DF election takes place during RP discovery and provides a default route to the RP.


Note


If the threat defense device is the PIM RP, use the untranslated outside address of the threat defense device as the RP address.


PIM Source Specific Multicast Support

The threat defense device does not support PIM Source Specific Multicast (SSM) functionality and related configuration. However, the threat defense device allows SSM-related packets to pass through unless it is placed as a last-hop router.

SSM is classified as a data delivery mechanism for one-to-many applications such as IPTV. The SSM model uses a concept of "channels" denoted by an (S,G) pair, where S is a source address and G is an SSM destination address. Subscribing to a channel is achieved by using a group management protocol such as IGMPv3. SSM enables a receiving client, once it has learned about a particular multicast source, to receive multicast streams directly from the source rather than receiving it from a shared Rendezvous Point (RP). Access control mechanisms are introduced within SSM providing a security enhancement not available with current sparse or sparse-dense mode implementations.

PIM-SSM differs from PIM-SM in that it does not use an RP or shared trees. Instead, information on source addresses for a multicast group is provided by the receivers through the local receivership protocol (IGMPv3) and is used to directly build source-specific trees.

Multicast Bidirectional PIM

Multicast bidirectional PIM is useful for networks that have many sources and receivers talking to each other simultaneously and where each participant can become both the source and receiver of multicast traffic, such as in videoconferencing, Webex meetings, and group chat. When PIM bidirectional mode is used, the RP only creates the (*,G) entry for the shared tree. There is no (S,G) entry. This conserves resources on the RP because state tables for each (S,G) entry are not maintained.

In PIM sparse mode, traffic only flows down the shared tree. In PIM bidirectional mode, traffic flows up and down the shared tree.

PIM bidirectional mode also does not use the PIM register/register-stop mechanism to register sources to the RP. Each source can begin sending to the source at any time. When the multicast packets arrive at the RP, they are forwarded down the shared tree (if there are receivers) or dropped (when there are no receivers). However, there is no way for the RP to tell the source to stop sending multicast traffic.

Design-wise you must think about where to place the RP in your network because it should be somewhere in the middle between the sources and receivers in the network.

PIM bidirectional mode has no Reverse Path Forwarding (RPF) check. Instead it uses the concept of a Designated Forwarder (DF) to prevent loops. This DF is the only router on the segment that is allowed to send multicast traffic to the RP. If there is only one router per segment that forwards multicast traffic, there will be no loops. The DF is chosen using the following mechanism:

  • The router with the lowest metric to the RP is the DF.

  • If the metric is equal, then the router with the highest IP address becomes the DF.

PIM Bootstrap Router (BSR)

PIM Bootstrap Router (BSR) is a dynamic Rendezvous Point (RP) selection model that uses candidate routers for RP function and for relaying the RP information for a group. The RP function includes RP discovery and provides a default route to the RP. It does this by configuring a set of devices as candidate BSRs (C-BSR) which participate in a BSR election process to choose a BSR amongst themselves. Once the BSR is chosen, devices that are configured as candidate Rendezvous Points (C-RP) start sending their group mapping to the elected BSR. The BSR then distributes the group-to-RP mapping information to all the other devices down the multicast tree through BSR messages that travel from PIM router to PIM router on a per-hop basis.

This feature provides a means of dynamically learning RPs, which is very essential in large complex networks where an RP can periodically go down and come up.

PIM Bootstrap Router (BSR) Terminology

The following terms are frequently referenced in the PIM BSR configuration:

  • Bootstrap Router (BSR) — A BSR advertises Rendezvous Point (RP) information to other routers with PIM on a hop-by-hop basis. Among multiple Candidate-BSRs, a single BSR is chosen after an election process. The primary purpose of this Bootstrap router is to collect all Candidate-RP (C-RP) announcements in to a database called the RP-set and to periodically send this out to all other routers in the network as BSR messages (every 60 seconds).

  • Bootstrap Router (BSR) messages — BSR messages are multicast to the All-PIM-Routers group with a TTL of 1. All PIM neighbors that receive these messages retransmit them (again with a TTL of 1) out of all interfaces except the one in which the messages were received. BSR messages contain the RP-set and the IP address of the currently active BSR. This is how C-RPs know where to unicast their C-RP messages.

  • Candidate Bootstrap Router (C-BSR) — A device that is configured as a candidate-BSR participates in the BSR election mechanism. A C-BSR with highest priority is elected as the BSR. The highest IP address of the C-BSR is used as a tiebreaker. The BSR election process is preemptive, for example if a new C-BSR with a higher priority comes up, it triggers a new election process.

  • Candidate Rendezvous Point (C-RP) — An RP acts as a meeting place for sources and receivers of multicast data. A device that is configured as a C-RP periodically advertises the multicast group mapping information directly to the elected BSR through unicast. These messages contain the Group-range, C-RP address, and a hold time. The IP address of the current BSR is learned from the periodic BSR messages that are received by all routers in the network. In this way, the BSR learns about possible RPs that are currently up and reachable.


    Note


    The threat defense device does not act as a C-RP, even though the C-RP is a mandatory requirement for BSR traffic. Only routers can act as a C-RP. So, for BSR testing functionality, you must add routers to the topology.


  • BSR Election Mechanism — Each C-BSR originates Bootstrap messages (BSMs) that contain a BSR Priority field. Routers within the domain flood the BSMs throughout the domain. A C-BSR that hears about a higher-priority C-BSR than itself suppresses its sending of further BSMs for some period of time. The single remaining C-BSR becomes the elected BSR, and its BSMs inform all the other routers in the domain that it is the elected BSR.

Multicast Group Concept

Multicast is based on the concept of a group. An arbitrary group of receivers expresses an interest in receiving a particular data stream. This group does not have any physical or geographical boundaries—the hosts can be located anywhere on the Internet. Hosts that are interested in receiving data flowing to a particular group must join the group using IGMP. Hosts must be a member of the group to receive the data stream.

Multicast Addresses

Multicast addresses specify an arbitrary group of IP hosts that have joined the group and want to receive traffic sent to this group.

Clustering

Multicast routing supports clustering. In Spanned EtherChannel clustering, the control unit sends all multicast routing packets and data packets until fast-path forwarding is established. After fast-path forwarding is established, data units may forward multicast data packets. All data flows are full flows. Stub forwarding flows are also supported. Because only one unit receives multicast packets in Spanned EtherChannel clustering, redirection to the control unit is common.

Requirements and Prerequisites for Multicast Routing

Model Support

Threat Defense

Threat Defense Virtual

Supported Domains

Any

User Roles

Admin

Network Admin

Guidelines for Multicast Routing

Firewall Mode

Supported only in routed firewall mode. Transparent firewall mode is not supported.

IPv6

Does not support IPv6.

Multicast Group

The range of addresses between 224.0.0.0 and 224.0.0.255 is reserved for the use of routing protocols and other topology discovery or maintenance protocols, such as gateway discovery and group membership reporting. Hence, Internet multicast routing from address range 224.0.0/24 is not supported; IGMP group is not created when enabling multicast routing for the reserved addressess.

Clustering

In clustering, for IGMP and PIM, this feature is only supported on the primary unit.

Additional Guidelines

  • You must configure an access control or prefilter rule on the inbound security zone to allow traffic to the multicast host, such as 224.1.2.3. However, you cannot specify a destination security zone for the rule, or it cannot be applied to multicast connections during initial connection validation.

  • You cannot disable an interface with PIM configured on it. If you have configured PIM on the interface (see Configure PIM Protocol), disabling the multicast routing and PIM does not remove the PIM configuration. You must remove (delete) the PIM configuration to disable the interface.

  • PIM/IGMP Multicast routing is not supported on interfaces in a traffic zone.

  • Do not configure threat defense to simultaneously be a Rendezvous Point (RP) and a First Hop Router.

  • HSRP standby IP address does not participate in PIM neighbourship. Thus, if the RP router IP is routed through a HSRP standby IP address, the multicast routing does not work in Threat Defense. Hence for the multicast traffic to pass through successfully, ensure that the route for the RP address is not the HSRP standby IP address, instead, configure the route address to an interface IP address.

  • For a device using virtual routing, you can configure multicast only for its global virtual router and not for its user-defined virtual router.

Configure IGMP Features

IP hosts use IGMP to report their group memberships to directly-connected multicast routers. IGMP is used to dynamically register individual hosts in a multicast group on a particular LAN. Hosts identify group memberships by sending IGMP messages to their local multicast router. Under IGMP, routers listen to IGMP messages and periodically send out queries to discover which groups are active or inactive on a particular subnet.

This section describes how to configure optional IGMP settings on a per-interface basis.

Procedure


Step 1

Enable Multicast Routing.

Step 2

Configure IGMP Protocol.

Step 3

Configure IGMP Access Groups.

Step 4

Configure IGMP Static Groups.

Step 5

Configure IGMP Join Groups.


Enable Multicast Routing

Enabling multicast routing on the threat defense device, enables IGMP and PIM on all interfaces by default. IGMP is used to learn whether members of a group are present on directly attached subnets. Hosts join multicast groups by sending IGMP report messages. PIM is used to maintain forwarding tables to forward multicast datagrams.


Note


Only the UDP transport layer is supported for multicast routing.


The following list shows the maximum number of entries for specific multicast tables. Once these limits are reached, any new entries are discarded.

  • MFIB—30,000

  • IGMP Groups—30,000

  • PIM Routes—72,000

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > IGMP.

Step 3

Check the Enable Multicast Routing check box.

Checking this check box enables IP multicast routing on the device. Unchecking this check box disables IP multicast routing. By default, multicast is disabled. Enabling multicast routing enables multicast on all interfaces.

You can disable multicast on a per-interface basis. This is useful if you know that there are no multicast hosts on a specific interface and you want to prevent the threat defense device from sending host query messages on that interface.


Configure IGMP Protocol

You can configure IGMP parameters per interface, such as the forward interface, query messages, and time intervals.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > IGMP.

Step 3

On Protocol, click Add or Edit.

Use the Add IGMP parameters dialog box to add new IGMP parameters to the threat defense device. Use the Edit IGMP parameters dialog box to change existing parameters.

Step 4

Configure the following options:

  • Interface—From the drop-down list, choose the interface for which you want to configure IGMP protocol.

  • Enable IGMP—Check the check box to enable IGMP.

    Note

     

    Disabling IGMP on specific interfaces is useful if you know that there are no multicast hosts on a specific interface and you want to prevent the device from sending host query messages on that interface.

  • Forward Interface—From the drop-down list, choose the specific interface from which you want to forward IGMP messages.

    This configures the Secure Firewall Threat Defense device to act as an IGMP proxy agent and forward IGMP messages from hosts connected on one interface to an upstream multicast router on another interface.

  • Version—Choose IGMP Version 1 or 2.

    By default, the threat defense device runs IGMP Version 2, which enables several additional features.

    Note

     

    All multicast routers on a subnet must support the same version of IGMP. The threat defense device does not automatically detect Version 1 routers and switch to Version 1. However, you can have a mix of IGMP Version 1 and 2 hosts on the subnet; the threat defense device running IGMP Version 2 works correctly when IGMP Version 1 hosts are present.

  • Query Interval—The interval in seconds at which the designated router sends IGMP host-query messages. The range is 1 to 3600. The default is 125.

    Note

     

    If the threat defense device does not hear a query message on an interface for the specified timeout value, then the device becomes the designated router and starts sending the query messages.

  • Response Time—The interval in seconds before the threat defense device deletes the group. The range is 1 to 25. The default is 10.

    If the threat defense device does not receive a response to a host query within this amount of time, it deletes the group.

  • Group Limit—The maximum number of hosts that can join on an interface. The range is 1 to 500. The default is 500.

    You can limit the number of IGMP states resulting from IGMP membership reports on a per-interface basis. Membership reports exceeding the configured limits are not entered in the IGMP cache, and traffic for the excess membership reports is not forwarded

  • Query Timeout—The period of time in seconds before which the threat defense device takes over as the requester for the interface after the previous requester has stopped. The range is 60 to 300. The default is 255.

Step 5

Click OK to save the IGMP protocol configuration.


Configure IGMP Access Groups

You can control access to multicast groups by using access control lists.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > Access Group.

Step 3

On Access Group, click Add or Edit.

Use the Add IGMP Access Group parameters dialog box to add new IGMP access groups to the Access Group table. Use the Edit IGMP Access Group parameters dialog box to change existing parameters.

Step 4

Configure the following options:

  1. From the Interface drop-down list, choose the interface with which the access group is associated. You cannot change the associated interface when you are editing an existing access group.

  2. Click one of the following:

    • Standard Access List— From the Standard Access List drop-down list, choose the standard ACL or click Add (add icon) to create a new standard ACL. See Configure Standard ACL Objects for the procedure.

    • Extended Access List—From the Extended Access List drop-down list, choose the extended ACL or click Add (add icon) to create a new extended ACL. See Configure Extended ACL Objects for the procedure.

Step 5

Click OK to save the access group configuration.


Configure IGMP Static Groups

Sometimes a group member cannot report its membership in the group or there may be no members of a group on the network segment, but you still want multicast traffic for that group to be sent to that network segment. You can have multicast traffic for that group sent to the segment by configuring a statically joined IGMP group. With this method, the threat defense device does not accept the packets itself, but only forwards them. Therefore, this method allows fast switching. The outgoing interface appears in the IGMP cache, but this interface is not a member of the multicast group.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > IGMP.

Step 3

On Static Group, click Add or Edit.

Use the Add IGMP Static Group parameters dialog box to statically assign a multicast group to an interface. Use the Edit IGMP Static Group parameters dialog box to change existing static group assignments.

Note

 

The IGMP Static Group enables PIM to send Join requests towards the sources or towards the Rendezvous Point (RP), provided, the firewall with this command is the PIM Designated Router (DR) on that interface where the command is applied.

Step 4

Configure the following options:

  • From the Interface drop-down list, choose the interface to which you want to statically assign a multicast group. If you are editing an existing entry, you cannot change the value.

  • From the Multicast Groups drop-down list, choose the multicast group to which you want to assign the interface, or click Add (add icon) to create a new multicast group. See Creating Network Objects for the procedure.

Step 5

Click OK to save the static group configuration.


Configure IGMP Join Groups

You can configure an interface to be a member of a multicast group. Configuring the threat defense device to join a multicast group causes upstream routers to maintain multicast routing table information for that group and keep the paths for that group active.


Note


See Configure IGMP Static Groups if you want to forward multicast packets for a specific group to an interface without the threat defense device accepting those packets as part of the group.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > IGMP.

Step 3

On Join Group, click Add or Edit.

Use the Add IGMP Join Group parameters dialog box to configure the threat defense device to be a member of a multicast group. Use the Edit IGMP Join Group parameters dialog box to change existing parameters.

Note

 

The IGMP Join Group enables PIM to send Join requests towards the sources or towards the Rendezvous Point (RP), provided, the firewall with this command is the PIM Designated Router (DR) on that interface where the command is applied.

Step 4

Configure the following options:

  • From the Interface drop-down list, choose the interface you want to be a member of a multicast group. If you are editing an existing entry, you cannot change the value.

  • From the Join Group drop-down list, choose the multicast group to which you want to assign the interface, or click Plus to create a new multicast group. See Creating Network Objects for the procedure.


Configure PIM Features

Routers use PIM to maintain forwarding tables to use for forwarding multicast diagrams. When you enable multicast routing on the Secure Firewall Threat Defense device, PIM and IGMP are automatically enabled on all interfaces.


Note


PIM is not supported with PAT. The PIM protocol does not use ports, and PAT only works with protocols that use ports.


This section describes how to configure optional PIM settings.

Procedure


Step 1

Configure PIM Protocol.

Step 2

Configure PIM Neighbor Filters.

Step 3

Configure PIM Bidirectional Neighbor Filters.

Step 4

Configure PIM Rendezvous Points.

Step 5

Configure PIM Route Trees.

Step 6

Configure PIM Request Filters.

Step 7

Configure Multicast Boundary Filters.


Configure PIM Protocol

You can enable or disable PIM on a specific interface.

You can also configure the Designated Router (DR) priority. The DR is responsible for sending PIM register, join, and prune messages to the RP. When there is more than one multicast router on a network segment, choosing the DR is based on the DR priority. If multiple devices have the same DR priority, then the device with the highest IP address becomes the DR. By default, the threat defense device has a DR priority of 1.

Router query messages are used to choose the PIM DR. The PIM DR is responsible for sending router query messages. By default, router query messages are sent every 30 seconds. Additionally, every 60 seconds, the threat defense device sends PIM join or prune messages.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > PIM.

Step 3

On Protocol, click Add or Edit.

Use the Add PIM parameters dialog box to add new PIM parameters to the interface. Use the Edit PIM parameters dialog box to change existing parameters.

Step 4

Configure the following options:

  • Interface—From the drop-down list, select the interface for which you want to configure PIM protocol.

  • Enable PIM—Check the check box to enable PIM.

  • DR Priority—The value for the DR for the selected interface. The router with the highest DR priority on the subnet becomes the designated router. Valid values range from 0 to 4294967294. The default DR priority is 1. Setting this value to 0 makes the threat defense device interface ineligible to become the designated router.

  • Hello Interval—The interval in seconds at which the interface sends PIM hello messages. The range is 1 to 3600. The default is 30.

  • Join Prune Interval—The interval in seconds at which the interface sends PIM join and prune advertisements. The range is 10 to 600. The default is 60.

Step 5

Click OK to save the PIM protocol configuration.


Configure PIM Neighbor Filters

You can define the routers that can become PIM neighbors. By filtering the routers that can become PIM neighbors, you can do the following:

  • Prevent unauthorized routers from becoming PIM neighbors.

  • Prevent attached stub routers from participating in PIM.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > PIM.

Step 3

On Neighbor Filter, click Add or Edit.

Use the Add PIM Neighbor Filter dialog box to add new PIM neighbor filters to the interface. Use the Edit PIM Neighbor Filter dialog box to change existing parameters.

Step 4

Configure the following options:

  • From the Interface drop-down list, choose the interface to which you want to add a PIM neighbor filter.

  • Standard Access List— From the Standard Access List drop-down list, choose a standard ACL or click Add (add icon) to create a new standard ACL. See Configure Standard ACL Objects for the procedure.

    Note

     

    Choosing Allow on the Add Standard Access List Entry dialog box lets the multicast group advertisements pass through the interface. Choosing Block prevents the specified multicast group advertisements from passing through the interface. When a multicast boundary is configured on an interface, all multicast traffic is prevented from passing through the interface unless permitted with a neighbor filter entry.

Step 5

Click OK to save the PIM neighbor filter configuration.


Configure PIM Bidirectional Neighbor Filters

A PIM bidirectional neighbor filter is an ACL that defines the neighbor devices that can participate in the Designated Forwarder (DF) election. If a PIM bidirectional neighbor filter is not configured for an interface, there are no restrictions. If a PIM bidirectional neighbor filter is configured, only those neighbors permitted by the ACL can participate in the DF election process.

Bidirectional PIM allows multicast routers to keep reduced state information. All of the multicast routers in a segment must be bidirectionally enabled to elect a DF.

When a PIM bidirectional neighbor filter is enabled, the routers that are permitted by the ACL are considered to be bidirectionally capable. Therefore, the following is true:

  • If a permitted neighbor does not support bidirectional mode, then the DF election does not occur.

  • If a denied neighbor supports bidirectional mode, then the DF election does not occur.

  • If a denied neighbor does not support bidirectional mode, the DF election can occur.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Multicast Routing > PIM.

Step 3

On Bidirectional Neighbor Filter, click Add or Edit.

Use the Add PIM Bidirectional Neighbor Filter dialog box to create ACL entries for the PIM bidirectional neighbor filter ACL. Use the Edit PIM Bidirectional Neighbor Filter dialog box to change existing parameters.

Step 4

Configure the following options:

  • From the Interface drop-down list, select the interface to which you want to configure the PIM bidirectional neighbor filter ACL entry.

  • Standard Access List— From the Standard Access List drop-down list, select a standard ACL or click Add (add icon) to create a new standard ACL. See Configure Standard ACL Objects for the procedure.

    Note

     

    Choosing Allow on the Add Standard Access List Entry dialog box lets the specified devices participate in the DR election process. Choosing Block prevents the specified devices from participating in the DR election process.

Step 5

Click OK to save the PIM bidirectional neighbor filter configuration.


Configure PIM Rendezvous Points

You can configure the threat defense device to serve as a RP to more than one group. The group range specified in the ACL determines the PIM RP group mapping. If an ACL is not specified, then the RP for the group is applied to the entire multicast group range (224.0.0.0/4). See Multicast Bidirectional PIM for more information about bidirectional PIM.

The following restrictions apply to RPs:

  • You cannot use the same RP address twice.

  • You cannot specify All Groups for more than one RP.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > PIM.

Step 3

On Rendezvous Points, click Add or Edit.

Use the Add Rendezvous Point dialog box to create a new entry to the Rendezvous Point table. Use the Edit Rendezvous Point dialog box to change existing parameters.

Step 4

Configure the following options:

  • From the Rendezvous Point IP address drop-down list, choose the IP address that you want to add as an RP or click Add (add icon) to create a new network object. See Creating Network Objects for the procedure.

  • Check the Use bi-directional forwarding check box if the specified multicast groups are to operate in bidirectional mode. In bidirectional mode, if the threat defense device receives a multicast packet and has no directly connected members or PIM neighbors present, it sends a prune message back to the source.

  • Click Use this RP for all Multicast Groups to to use the specified RP for all multicast groups on the interface.

  • Click the Use this RP for all Multicast Groups as specified below to designate the multicast groups to use with the specified RP and then from the Standard Access List drop-down list, choose a standard ACL or click Add (add icon) to create a new standard ACL. See Configure Standard ACL Objects for the procedure.

Step 5

Click OK to save the rendezvous point configuration.


Configure PIM Route Trees

By default, PIM leaf routers join the shortest-path tree immediately after the first packet arrives from a new source. This method reduces delay, but requires more memory than the shared tree. You can configure whether or not the threat defense device should join the shortest-path tree or use the shared tree, either for all multicast groups or only for specific multicast addresses.

The shortest-path tree is used for any group that is not specified in the Multicast Groups table. The Multicast Groups table displays the multicast groups to use with the shared tree. The table entries are processed from the top down. You can create an entry that includes a range of multicast groups, but excludes specific groups within that range by placing deny rules for the specific groups at the top of the table and the permit rule for the range of multicast groups below the deny statements.


Note


This behavior is known as Shortest Path Switchover (SPT). We recommend that you always use the Shared Tree option.


Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > PIM.

Step 3

On Route Tree, select the path for the route tree:

  • Click Shortest Path to use the shortest-path tree for all multicast groups.

  • Click Shared Tree to use the shared tree for all multicast groups.

  • Click Shared tree for below mentioned group to designate the groups specified in the Multicast Groups table, and then from the Standard Access List drop-down list, select a standard ACL or click Add (add icon) to create a new standard ACL. See Configure Standard ACL Objects for the procedure.

Step 4

Click OK to save the route tree configuration.


Configure PIM Request Filters

When the threat defense device is acting as an RP, you can restrict specific multicast sources from registering with it to prevent unauthorized sources from registering with the RP. You can define the multicast sources from which the threat defense device will accept PIM register messages.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > PIM.

Step 3

On Request Filter, define the multicast sources that are allowed to register with the threat defense device when it acts as an RP:

  • From the Filter PIM register messages using: drop-down list select None, Access List, or Route Map.

  • If you choose Access List from the drop-down list, select an extended ACL or click Add (add icon) to create a new extended ACL. See Configure Extended ACL Objects for the procedure.

    Note

     

    In the Add Extended Access List Entry dialog box, select Allow from the drop-down list o create a rule that allows the specified source of the specified multicast traffic to register with the threat defense device, or select Block to create a rule that prevents the specified source of the specified multicast traffic from registering with the device.

  • If you choose Route Map, select a route map from the Route Map drop-down list, or click Add (add icon) to create a new route map. See Creating Network Objects for the procedure.

Step 4

Click OK to save the request filter configuration.


Configure the Secure Firewall Threat Defense Device as a Candidate Bootstrap Router

You can configure the threat defense device as a candidate BSR.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > PIM.

Step 3

On Bootstrap Router, check the Configure this FTD as a Candidate Bootstrap Router (C-BSR) check box to perform the C-BSR setup.

  1. From the Interface drop-down list, select the interface on the threat defense device from which the BSR address is derived to make it a candidate.

    This interface must be enabled with PIM.

  2. In the Hash mask length field, enter the length of a mask (32 bits maximum) that is to be ANDed with the group address before the hash function is called. All groups with the same seed hash (correspond) to the same RP. For example, if this value is 24, only the first 24 bits of the group addresses matter. This fact allows you to get one RP for multiple groups. The range is 0 to 32.

  3. In the Priority field, enter the priority of the candidate BSR. The BSR with the larger priority is preferred. If the priority values are the same, the router with the larger IP address is the BSR. The range is 0 to 255. The default value is 0.

Step 4

(Optional) Click Add (add icon) to select an interface on which no PIM BSR messages will be sent or received in the Configure this FTD as a Border Bootstrap Router (BSR) section.

  • From the Interface drop-down list, select the interface on which no PIM BSR messages will be sent or received.

    RP or BSR advertisements are filtered effectively isolating two domains of RP information exchange.

  • Check the Enable Border BSR check box to enable BSR.

Step 5

Click OK to save the bootstrap router configuration.


Configure Multicast Routes

Configuring static multicast routes lets you separate multicast traffic from unicast traffic. For example, when a path between a source and destination does not support multicast routing, the solution is to configure two multicast devices with a GRE tunnel between them and to send the multicast packets over the tunnel.

When using PIM, the threat defense device expects to receive packets on the same interface where it sends unicast packets back to the source. In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another.

Static multicast routes are not advertised or redistributed.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > Multicast Routes > Add or Edit.

Use the Add Multicast Route Configuration dialog box to add a new multicast route to the threat defense device. Use the Edit Multicast Route Configuration dialog box to change an existing multicast route.

Step 3

From the Source Network drop-down box, choose an existing network or click Add (add icon) to add a new one. See Creating Network Objects for the procedure.

Step 4

To configure an interface to forward the route, click Interface and configure the following options:

  • From the Source Interface drop-down list, choose the incoming interface for the multicast route.

  • From the Output Interface/Dense drop-down list, choose the destination interface that the route is forwarded through.

  • In the Distance field, enter the distance of the multicast route. The range is 0 to 255.

Step 5

To configure an RPF address to forward the route, click Address and configure the following options:

  • In the RPF Address field, enter the IP address for the multicast route.

  • In the Distance field, enter the distance of the multicast route The range is 0 to 255.

Step 6

Click OK to save the multicast routes configuration.


Configure Multicast Boundary Filters

Address scoping defines domain boundary filters so that domains with RPs that have the same IP address do not leak into each other. Scoping is performed on the subnet boundaries within large domains and on the boundaries between the domain and the Internet.

You can set up an administratively scoped boundary filter on an interface for multicast group addresses. IANA has designated the multicast address range from 239.0.0.0 to 239.255.255.255 as the administratively scoped addresses. This range of addresses can be reused in domains administered by different organizations. The addresses would be considered local, not globally unique.

A standard ACL defines the range of affected addresses. When a boundary filter is set up, no multicast data packets are allowed to flow across the boundary from either direction. The boundary filter allows the same multicast group address to be reused in different administrative domains.

You can configure, examine, and filter Auto-RP discovery and announcement messages at the administratively scoped boundary. Any Auto-RP group range announcements from the Auto-RP packets that are denied by the boundary ACL are removed. An Auto-RP group range announcement is permitted and passed by the boundary filter only if all addresses in the Auto-RP group range are permitted by the boundary ACL. If any address is not permitted, the entire group range is filtered and removed from the Auto-RP message before the Auto-RP message is forwarded.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose Routing > Multicast Routing > Multicast Boundary Filter, and then click Add or Edit.

Use the Add Multicast Boundary Filter dialog box to add new multicast boundary filters to the device. Use the Edit Multicast Boundary Filter dialog box to change existing parameters.

You can configure a multicast boundary for administratively scoped multicast addresses. A multicast boundary restricts multicast data packet flows and enables reuse of the same multicast group address in different administrative domains. When a multicast boundary is defined on an interface, only the multicast traffic permitted by the filter ACL passes through the interface.

Step 3

From the Interface drop-down list, choose the interface for which you are configuring the multicast boundary filter ACL.

Step 4

From the Standard Access List drop-down list, choose the standard ACL you want to use, or click Add (add icon) to create a new standard ACL. See Configure Standard ACL Objects for the procedure.

Step 5

Check the Remove any Auto-RP group range announcement from the Auto-RP packets that are denied by the boundary check box to filter Auto-RP messages from sources denied by the boundary ACL. If this check box is not checked, all Auto-RP messages are passed.

Step 6

Click OK to save the multicast boundary filter configuration.