Previous revision: paloaltonetworks:configuration:multicast [2022/08/01 11:12] bstafford
Current revision: paloaltonetworks:configuration:multicast [2022/11/23 12:49] (current), external edit 127.0.0.1
Line 7: Line 7:
   * 224.0.0.0/4 - Multicast IP Range   * 224.0.0.0/4 - Multicast IP Range
     * 224.0.0.0/24 - Link Local multicast     * 224.0.0.0/24 - Link Local multicast
 +      * 224.0.0.5 OSPF - to send information to all OSPF routers
 +      * 224.0.0.6 OSPF - to send information to DR/BDR routers. 
       * 224.0.0.13 PIMv2       * 224.0.0.13 PIMv2
       * 224.0.0.18 VRRP       * 224.0.0.18 VRRP
       * 224.0.0.22 IGMPv3       * 224.0.0.22 IGMPv3
 +      * 224.0.0.251 mDNS (udp5353)
     * 224.0.1.0/24 - Reserved for specific applications     * 224.0.1.0/24 - Reserved for specific applications
     * 232.0.0.0/8 - Source Specific Multicast (SSM)     * 232.0.0.0/8 - Source Specific Multicast (SSM)
     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918
 +The IPv4 multicast addresses used for OSPF are 
  
 When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation. When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation.
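Review bot: the added line "The IPv4 multicast addresses used for OSPF are" (new line 30, just below the bullet list) is an unfinished sentence fragment that now sits between the list and the labbing paragraph; either complete it or drop it, since the two new bullets for 224.0.0.5 (all OSPF routers) and 224.0.0.6 (DR/BDR) already carry that information. While here, the new mDNS bullet is the only entry that names its transport port ("224.0.0.251 mDNS (udp5353)"); write it as "udp/5353" to match how ports are written elsewhere on the site, or add ports to the other entries for consistency.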
Line 22: Line 25:
 ===== VWire ===== ===== VWire =====
 Multicast traffic will only be visible in the traffic logs if you tick "Multicast Firewalling" on the Virtual Wire options. The source and destination zones are the vwire source and destination zone. (i.e. it doesn't use the 'multicast' zone). If you don't tick "Multicast Firewalling", multicast traffic will still flow through the Vwire but there will be no logs. Multicast traffic will only be visible in the traffic logs if you tick "Multicast Firewalling" on the Virtual Wire options. The source and destination zones are the vwire source and destination zone. (i.e. it doesn't use the 'multicast' zone). If you don't tick "Multicast Firewalling", multicast traffic will still flow through the Vwire but there will be no logs.
-===== VLAN Inseration =====+===== VLAN Insertion =====
 This is where VLAN interfaces are used to insert the firewall into a single subnet where we can't change the endpoint IP addresses but we can cause the traffic to flow through the firewalls. This is where VLAN interfaces are used to insert the firewall into a single subnet where we can't change the endpoint IP addresses but we can cause the traffic to flow through the firewalls.
   * Multicast does work through VLAN insertion.    * Multicast does work through VLAN insertion. 
Line 36: Line 39:
  
  
 +**However**
 +
 +You can enforce Multicast traffic rules.
 +  * Select a free IP address on the subnet being segmented.
 +  * Create a blank virtual router.
 +  * Create a Layer3 security zone.
 +  * Create a VLAN Interface (Network > Interfaces > VLAN). Set the VLAN to be the same VLAN that the Layer2 interfaces are assigned to. Set the Virtual Router you just created. Select the layer 3 security zone you created.
 +  * Create a security policy that allows the Layer3 security zone to the "multicast" zone (drop down list in destination zone in security policy rule).
 +  * On the new virtual router in the Multicast settings configure
 +    * Rendezvous Point Tab (without this config, there will be no logs)
 +      * Enable - True
 +      * RP Type - Static
 +      * RP Interface - <VLAN Interface>
 +      * RP Address - <IP of VLAN Interface>
 +      * Group List - IP of Multicast Group. You should be able to put any multicast Ip here. So long as one is listed, the firewall will still capture all multicast traffic.
 +      * Interfaces Tab (without this config, there will be no logs)
 +        * Add a group
 +          * Add the Vlan Interface. You do not need to add Group Permissions and you can disabled IGMP and PIM
 +  * Commit.
 +
 +Check that the multicast traffic is now appearing in the logs (**NOTE**: You will also see BROADCAST traffic for the subnet from the Layer3 zone to the Layer3 zone and broadcast IP). If you want to block it, you can create a rule from the Layer3 zone to the multicast zone on that port and block the traffic.
 +
 +  * show routing multicast fib
 +  * show routing multicast route source 234.5.6.7
 +  * show routing multicast igmp membership interface vlan.11
 +  * show routing multicast route virtual-router vr1
 ===== Lab ===== ===== Lab =====
  
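Review bot: the blocking advice in the "Check that the multicast traffic is now appearing in the logs" paragraph does not match the traffic it describes: the broadcast traffic is logged from the Layer3 zone to the Layer3 zone (not to the "multicast" zone), so a rule "from the Layer3 zone to the multicast zone on that port" will never match it. Either state that the block rule is for the multicast groups (Layer3 zone to "multicast" zone) and add a separate Layer3-to-Layer3 rule on the subnet broadcast address for the broadcast traffic, or reword the sentence. Three smaller points in the same procedure: (1) "Select a free IP address on the subnet being segmented" is never tied to the VLAN interface step, yet "RP Address - <IP of VLAN Interface>" assumes that interface carries it, so add "assign the free IP to the VLAN interface" to the "Create a VLAN Interface" bullet; (2) "Interfaces Tab" is indented as a child of "Rendezvous Point Tab" although it is a sibling tab of the virtual router's Multicast settings, and "you can disabled IGMP and PIM" should read "disable"; (3) the four "show routing multicast ..." commands are listed with no expected output, so say what confirms success (for example that the group from the Group List appears in "show routing multicast route") and mark vlan.11, vr1 and 234.5.6.7 as the lab's own values. The Group List claim ("You should be able to put any multicast Ip here ... the firewall will still capture all multicast traffic") is hedged; confirm it in the lab and state it definitively or note it as untested.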
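As an added example (not part of the wiki page or of any Palo Alto Networks tooling), the following Python script turns the address ranges listed at the top of the page into a check a practitioner can run before picking lab groups or filling in the RP "Group List": it classifies an IPv4 destination against the page's ranges and flags any planned group that is not inside the RFC 2365 administratively scoped range 239.0.0.0/8. The range labels and the well-known link-local groups are transcribed from the page; the function names and the sample group list are this example's own.

```python
"""Classify IPv4 multicast destinations by the ranges listed on the page.

Added example, not from the original wiki page. Standard library only.
"""
import ipaddress

# Well-known link-local groups named on the page. 224.0.0.0/24 is never
# forwarded by a router, so these only ever cross the local segment.
LINK_LOCAL_GROUPS = {
    "224.0.0.5": "OSPF, all OSPF routers",
    "224.0.0.6": "OSPF, DR/BDR routers",
    "224.0.0.13": "PIMv2",
    "224.0.0.18": "VRRP",
    "224.0.0.22": "IGMPv3",
    "224.0.0.251": "mDNS (udp/5353)",
}

# Ranges from the page, most specific first; the first match wins.
RANGES = [
    (ipaddress.ip_network("224.0.0.0/24"), "link-local"),
    (ipaddress.ip_network("224.0.1.0/24"), "reserved for specific applications"),
    (ipaddress.ip_network("232.0.0.0/8"), "source-specific multicast (SSM)"),
    (ipaddress.ip_network("239.0.0.0/8"), "administratively scoped (RFC 2365)"),
    (ipaddress.ip_network("224.0.0.0/4"), "global multicast"),
]

LAB_RANGE = ipaddress.ip_network("239.0.0.0/8")


def classify(address: str) -> str:
    """Label `address` with the most specific range from the page, or
    'not multicast' for unicast and broadcast addresses."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4 or not ip.is_multicast:
        return "not multicast"
    if str(ip) in LINK_LOCAL_GROUPS:
        return f"link-local: {LINK_LOCAL_GROUPS[str(ip)]}"
    for net, label in RANGES:
        if ip in net:
            return label
    return "multicast (unclassified)"  # unreachable: 224/4 is the last entry


def is_lab_group(address: str) -> bool:
    """True only for groups in 239.0.0.0/8, the range the page recommends
    for lab use."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and ip in LAB_RANGE


def check_lab_plan(groups):
    """Return (group, label) for every planned group that is NOT admin-scoped,
    e.g. a Group List entry that accidentally names a link-local or SSM
    group, so it can be corrected before commit."""
    return [(g, classify(g)) for g in groups if not is_lab_group(g)]


if __name__ == "__main__":
    # Constructed sample plan: one good lab group plus two that are not.
    plan = ["239.1.2.3", "224.0.0.251", "234.5.6.7"]
    for group, label in check_lab_plan(plan):
        print(f"{group}: {label}, not in {LAB_RANGE}")
```

Run it with the group addresses you intend to use in the RP Group List or in a lab sender; anything it prints is outside the administratively scoped range and either will not be routed at all (link-local) or needs IGMPv3 source-specific joins (SSM).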