PIM Source Specific Multicast Support

The Firewall Threat Defense device does not support PIM Source Specific Multicast (SSM) functionality and related configuration. However, the Firewall Threat Defense device allows SSM-related packets to pass through unless it is placed as a last-hop router.

SSM is classified as a data delivery mechanism for one-to-many applications such as IPTV. The SSM model uses a concept of "channels" denoted by an (S,G) pair, where S is a source address and G is an SSM destination address. Subscribing to a channel is achieved by using a group management protocol such as IGMPv3. SSM enables a receiving client, once it has learned about a particular multicast source, to receive multicast streams directly from the source rather than receiving it from a shared Rendezvous Point (RP). Access control mechanisms are introduced within SSM providing a security enhancement not available with current sparse or sparse-dense mode implementations.

PIM-SSM differs from PIM-SM in that it does not use an RP or shared trees. Instead, information on source addresses for a multicast group is provided by the receivers through the local receivership protocol (IGMPv3) and is used to directly build source-specific trees.

Guidelines

  • You must add a Layer 3 device that supports SSM multicast between ASA and receivers.

  • Enable SSM multicast and IGMPv3 on the Layer 3 device.

  • You must configure ASA to forward the multicast traffic.

  • Add a Layer 3 device that supports PIM and IGMPv3 on the segment with the receivers. Receivers register with this Layer 3 device, and these devices send PIM messages to ASA, allowing a dynamic multicast route to be installed in ASA's multicast route table.

Limitations

  • ASA does not support the SSM multicast routing and does not participate in PIM routing (no PIM neighbors, no IGMP proxy, no multicast tree building).

  • Even if you configure a static multicast route, ASA does not have the capability to join multicast groups or maintain IGMP state for receivers.

  • ASA does not support IGMPv3.

  • A static multicast route on ASA does not work for the SSM range.

  • The IGMP proxy on ASA does not support IGMPv3, so the multicast tree (SSM path) cannot be built to the receiver, and no traffic reaches the receiver. However, if ASA is in the path and is not the last-hop between source and receiver, it can forward SSM traffic because other routers handle multicast routing and ASA simply passes the traffic through. You must ensure ASA receives a multicast route through PIM from another device. Then, forwarding of SSM range multicast works.