paloaltonetworks:configuration:multicast
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| paloaltonetworks:configuration:multicast [2022/08/01 11:12] – bstafford | paloaltonetworks:configuration:multicast [2022/11/23 12:49] (current) – external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 7: | Line 7: | ||
| * 224.0.0.0/4 - Multicast IP Range | * 224.0.0.0/4 - Multicast IP Range | ||
| * 224.0.0.0/ | * 224.0.0.0/ | ||
| + | * 224.0.0.5 OSPF - to send information to all OSPF routers | ||
| + | * 224.0.0.6 OSPF - to send information to DR/BDR routers. | ||
| * 224.0.0.13 PIMv2 | * 224.0.0.13 PIMv2 | ||
| * 224.0.0.18 VRRP | * 224.0.0.18 VRRP | ||
| * 224.0.0.22 IGMPv3 | * 224.0.0.22 IGMPv3 | ||
| + | * 224.0.0.251 mDNS (udp5353) | ||
| * 224.0.1.0/ | * 224.0.1.0/ | ||
| * 232.0.0.0/8 - Source Specific Multicast (SSM) | * 232.0.0.0/8 - Source Specific Multicast (SSM) | ||
| * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918 | * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918 | ||
| + | The IPv4 multicast addresses used for OSPF are | ||
| When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation. | When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation. | ||
| Line 36: | Line 39: | ||
| + | **However** | ||
| + | |||
| + | You can enforce Multicast traffic rules. | ||
| + | * Select a free IP address on the subnet being segmented. | ||
| + | * Create a blank virtual router. | ||
| + | * Create a Layer3 security zone. | ||
| + | * Create a VLAN Interface (Network > Interfaces > VLAN). Set the VLAN to be the same VLAN that the Layer2 interfaces are assigned to. Set the Virtual Router you just created. Select the layer 3 security zone you created. | ||
| + | * Create a security policy that allows the Layer3 security zone to the " | ||
| + | * On the new virtual router in the Multicast settings configure | ||
| + | * Rendezvous Point Tab (without this config, there will be no logs) | ||
| + | * Enable - True | ||
| + | * RP Type - Static | ||
| + | * RP Interface - <VLAN Interface> | ||
| + | * RP Address - <IP of VLAN Interface> | ||
| + | * Group List - IP of Multicast Group. You should be able to put any multicast Ip here. So long as one is listed, the firewall will still capture all multicast traffic. | ||
| + | * Interfaces Tab (without this config, there will be no logs) | ||
| + | * Add a group | ||
| + | * Add the Vlan Interface. You do not need to add Group Permissions and you can disabled IGMP and PIM | ||
| + | * Commit. | ||
| + | |||
| + | Check that the multicast traffic is now appearing in the logs (**NOTE**: You will also see BROADCAST traffic for the subnet from the Layer3 zone to the Layer3 zone and broadcast IP). If you want to block it, you can create a rule from the Layer3 zone to the multicast zone on that port and block the traffic. | ||
| + | |||
| + | * show routing multicast fib | ||
| + | * show routing multicast route source 234.5.6.7 | ||
| + | * show routing multicast igmp membership interface vlan.11 | ||
| + | * show routing multicast route virtual-router vr1 | ||
| ===== Lab ===== | ===== Lab ===== | ||
paloaltonetworks/configuration/multicast.1659352348.txt.gz · Last modified: (external edit)