
Multicast Routing with Layer3 switch and Palo Alto Firewall

joshik
Level 1

I don't deploy multicast often so I wanted to ask about MC configs as a sanity check.

I have two Palo FWs each with a layer3 interface/gateway for separate servers.   The FWs are two L3 hops away from each other.  There are two L3 Catalyst 9300 switches between the two FWs.

SERVER1-->VLAN100 Gateway-->FW1-->VLAN 10 transit-->CORE1-->VLAN 40 transit-->CORE2-->VLAN 20 transit-->FW2-->VLAN200 Gateway-->SERVER 2  

(all unicast routes are learned via OSPF between all devices)

So Server 1 and Server 2 need to talk to each other using multicast.  Would it be as simple as just:

1. enabling multicast routing on COREs

2. configuring PIM sparse mode on the VLAN 10 and VLAN 40 on CORE1 and VLAN 40 and VLAN 20 on CORE2

3. Configure a Loopback as a BSR on CORE1 (non-Cisco can't use Auto-RP?)

4. IGMP enabled by default on the above Layer3 VLANs on CORE1 and CORE2

5. Configure the FW1 VLAN 100 and VLAN 10 for PIM

6. Configure the FW2 VLAN 200 and VLAN 20 for PIM

7. Will the FWs learn the RP through BSR or would I need to manually configure the RP Loopback address on CORE1?

 

Thoughts? thx!

 

6 Replies

Hello,

in order to visualize what your topology looks like, post a schematic drawing showing how your devices are physically and logically connected...

joshik
Level 1

Hi

Here is a logical diagram.  thx!!

 

multicast.jpg

Hello
Based on your OP, I suggest you enable MC routing & PIM SSM globally, then PIM sparse mode on all L3 SVI/routed interfaces between hosts.

Lastly Igmpv3 on the svi/l3 interface(s) facing the host subnet.
The PAs by default support igmpv3 so all good and no need then for any RP placement either.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the reply!

 

I wouldn't need to configure an RP interface and RP related configs on the Core switches or the Palos?

Also, when you say "Lastly Igmpv3 on the svi/l3 interface(s) facing the host subnet." Do you mean on CORE 1 VLAN 10 and VLAN 40 and CORE2 VLAN 40 and VLAN 20 add "ip igmp version 3" and of course "ip pim sparse-mode"?

Thx!

Hello
Apologies, I didn’t realise you had shared a topology.
IGMPv3 on SVI 100/200, as that looks like your host subnets.

Yes - ip pim ssm, no requirement for any RP



Kind Regards
Paul

Do the endpoints need to be able to support IGMPv3 or have any specific configuration for SSM, or would they just work as long as the network is configured for SSM and IGMPv3?

The endpoints would be on VLAN 100 and VLAN 200. Both workstations and some servers.  Mainly the workstations would need to communicate to either servers on VLAN 100 and VLAN 200 via multicast.
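
An added example, not part of the thread: with SSM and no RP, the last-hop router can only build state from an IGMPv3 report that names the source, so a practical check on a report captured from a VLAN 100/200 endpoint is whether it carries an INCLUDE-type record with at least one source and a group in 232.0.0.0/8 (the default SSM range). The Python below builds and parses the RFC 3376 report layout; the function names are hypothetical and every address is a constructed sample.

```python
import ipaddress
import struct

SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")  # default SSM group range
INCLUDE_TYPES = {1, 3, 5}  # MODE_IS_INCLUDE, CHANGE_TO_INCLUDE_MODE, ALLOW_NEW_SOURCES

def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_v3_report(rtype, group, sources):
    """Build an IGMPv3 Membership Report (type 0x22) holding one group record."""
    record = struct.pack("!BBH4s", rtype, 0, len(sources), ipaddress.ip_address(group).packed)
    record += b"".join(ipaddress.ip_address(s).packed for s in sources)
    body = struct.pack("!BBHHH", 0x22, 0, 0, 0, 1) + record
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_v3_report(pkt):
    """Return the group records of an IGMPv3 report; ValueError on malformed input."""
    if len(pkt) < 8 or pkt[0] != 0x22:
        raise ValueError("not an IGMPv3 membership report")
    if inet_checksum(pkt) != 0:  # a valid packet sums to zero with its checksum in place
        raise ValueError("bad IGMP checksum")
    (count,) = struct.unpack_from("!H", pkt, 6)
    records, off = [], 8
    for _ in range(count):
        if off + 8 > len(pkt):
            raise ValueError("truncated group record")
        rtype, aux_len, nsrc, grp = struct.unpack_from("!BBH4s", pkt, off)
        end = off + 8 + 4 * nsrc
        if end + 4 * aux_len > len(pkt):
            raise ValueError("truncated source list")
        srcs = [str(ipaddress.ip_address(pkt[i:i + 4])) for i in range(off + 8, end, 4)]
        records.append({"type": rtype, "group": str(ipaddress.ip_address(grp)), "sources": srcs})
        off = end + 4 * aux_len  # skip auxiliary data, counted in 32-bit words
    return records

def is_ssm_join(record):
    """True for an (S,G) join SSM can act on: INCLUDE-type, has a source, group in 232/8."""
    in_range = ipaddress.ip_address(record["group"]) in SSM_RANGE
    return record["type"] in INCLUDE_TYPES and bool(record["sources"]) and in_range

# Constructed samples: a source-specific join, and the (*,G) join a non-SSM-aware app produces.
SSM_JOIN = build_v3_report(5, "232.1.1.1", ["10.1.100.10"])
ASM_JOIN = build_v3_report(4, "239.1.1.1", [])  # CHANGE_TO_EXCLUDE_MODE with no sources
```
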