topic Re: Multicast Packets forwarding in General Topics

Multicast Packets forwarding

JAG — Mon, 25 Feb 2013 15:38:08 GMT

Hi Guys,

Looking for some help!

Quick simplifiy overview of the setup.

PA is the DHCP Server for two subnets:

Subnet A

10.101.0.0/16

Subnet B

10.102.0.0./16

All wireless clients are in subnet A conencted via seperate enterprise Wireless LAn Controller and Apple TVs also connected to the same WLC are in Subnet B. Subnet A and B and in seperate VLANs (VLAN101 and VLAN102)

At the moment no clients can see the Apple TVs as the multicast Bonjour packets are not forwarded between these subnets. Is it possible to make the PA forward these packets between these subnets and then the icing on the cake would be then to use a policy to decided who can communicate with each Apple TV.

Anybody tried anything similiar and can point me in the right direction??

Thanks,

Jaggie

Re: Multicast Packets forwarding

das — Mon, 25 Feb 2013 16:39:55 GMT

You can forward multicast packets by enabling multicast in the virtual router and adding the interfaces in the interfaces tab. Some tweaking may be needed for the interface source/destination - this might help To determine who can communicate with what, I'm guessing you can just add the Apple TV's or TV subnet to an address object and permit/deny access using User-ID or subnets/objects. Depending on if you are L3 or L2 firewalling, this article may help as well

Re: Multicast Packets forwarding

JAG — Mon, 25 Feb 2013 16:50:38 GMT

Hi das,

Thanks for the reply.

I am working in L3.

All the subnets are connected to the same Vrouter and I have added IGMP and PIM on all of the interfaces.

I am a little confused about the "Group Permissions" tab under VR - Multicast - Interface Group - If I leave it balnk does that mean that all Multicast packets will be forwarded between all of the interfaces???

I have then create a policy rule to allow all Multicast traffic though the required zones. I don't seem to see any Multicast traffic on the "Monitor" tab - is this normal?

Thanks,

Jaggie

Re: Multicast Packets forwarding

das — Mon, 25 Feb 2013 16:59:32 GMT

As seen in the guide:

Security policy

PAN-OS provides two methods to enforce security on multicast feeds. Multicast groups can be filtered in the IGMP and PIM group permission settings specified on an interface level. Multicast traffic must also be explicitly allowed by security policy. A special destination zone known as “Multicast” has been added and must be specified to control multicast traffic in security, QoS, and DoS protection rules. In contrast to unicast security policy, multicast security policies must be explicitly created when the source and destination interfaces are in the same zone. Security profiles are supported in multicast environments that require threat prevention capabilities.

Also:

Group Permissions

Specify general rules for multicast traffic:

•	Any Source—Click Add to specify a list of multicast groups for which PIM-SM traffic is permitted.

•	Source-Specific—Click Add to specify a list of multicast group and multicast source pairs for which PIM-SSM traffic is permitted.

Re: Multicast Packets forwarding

BobW — Mon, 25 Feb 2013 19:00:13 GMT

I am also interested in this.

I am curious, however: We are in a similar boat, but instead of messing with the firewall, I just dropped the Apple TV in the appropriate VlAN 101 and called it good. Do you have reason the Apple TVs can not be on VLAN 101?

Thanks,

Bob

Re: Multicast Packets forwarding

JAG — Mon, 25 Feb 2013 19:14:54 GMT

HI Bob,

The reason that the ATVs cannot be in VLAN 101 is two fold:

FIrst of all, we are talking about an eventual 100 odd ATVs and the the ipad will only ever show 9 ( I think this s the correct number) in the list.

second is that as the clients are on an enterprise wireless solution they are in about 16 different buildings, but because they are in the same VLan no matter where they are they end up seeing ATVs that are over 1km away!!!!!

the idea is to separate the ATVs into the separate subnet and VLAN and then create rules in the PA for each ATV. I was then going to make a little app that the user launches and then choose the ATV that they want to see from a list. After submission from the app a server side routine updates the PA via the XML api to allow the users IP to access the ATV.

well at least that is the plan! At the moment I have the clients and the ATV separated but cannot get the interface with the ATVs to forward the multicast packets to the interface with the clients on it.

any ideas for me!?

thanks,

Re: Multicast Packets forwarding

BobW — Mon, 25 Feb 2013 19:29:45 GMT

Not really a Palo Alto related fix, but, I have enabled a multicast filtering option in on my wireless "Drop multicast packets from associated clients". Thus the only units which can see the Apple TVs, must be connected to the same AP. There may be some options like that in the switches as well depending on the switch.

Adding all those rule to the PA sounds like a nightmare!

Hope that helps,

Bob

Re: Multicast Packets forwarding

JAG — Tue, 26 Feb 2013 07:05:20 GMT

Hi das,

I have followed the guides but I am still not getting anything. This is maybe more a question for support but if you havea ny ideas then I would be appreicative.

Thanks,

Re: Multicast Packets forwarding

kbrazil — Wed, 27 Feb 2013 02:17:03 GMT

Hi There,

I could be wrong, but I don't think simple Multicast Routing will accomplish this. This is almost more of a protocol forwarding option, like DHCP forwarding. I haven't done research on this, but I would first google to see if there is a way of accomplishing this with a normal router. If it can be done by configuring Multicast in a certain way then we may be able to do it on the firewall using standard Multicast configuration. If not, broadcasting ATV traffic across L3 boundaries may take some type of proprietary solution, such as protocol (bonjour?) forwarding. Note, that there is a reason why these protocols have broadcast-domain scope - they can be quite chatty, so it may not be in your best interest to break that model.

Cheers,

Kelly

Re: Multicast Packets forwarding

alexander_conn — Thu, 25 Apr 2013 23:29:12 GMT

Hi, I'm not sure if you've got this resolved yet, but I had a very similar requirement to route Multicast traffic between two different networks. I found that we could get multicast sessions working fine from our Cisco switches, but when it needed to be routed, it wouldn't work. After going through the switch logs, it became apparent that the default IGMP query interval on the switches and the PA firewall are different. It was 60 seconds on the switches and 125 seconds on the firewall. These query intervals need to be synchronous for it to work. After setting it to 60 seconds on the firewall, I could get multicast sessions working over different networks, routed by the firewall.

I took the example they gave here: https://live.paloaltonetworks.com/docs/DOC-4197 which is designed for multcasting between two PA firewalls and re-accomodated it for multicast routing on just 1 firewall.