FortiGate Multicast Tech Note 01-400-96951-20090521

FortiGate Multicast
Version 4.0
Technical note
Visit http://support.fortinet.com to register your FortiGate Multicast product. By registering you can receive product updates, technical support, and FortiGuard services.
FortiGate Multicast Technical note Version 4.0 21 May 2009 01-400-96951-20090521 Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Contents
Introduction ........................................................................................ 5
Revision history................................................................................................. 5 About FortiGate multicast................................................................................. 5 About this document......................................................................................... 5 Fortinet documentation .................................................................................... 6 Fortinet Tools and Documentation CD .......................................................... 6 Fortinet Knowledge Center .......................................................................... 6 Comments on Fortinet technical documentation .......................................... 6 Customer service and technical support ........................................................ 6 Register your Fortinet product......................................................................... 6
FortiGate multicast forwarding......................................................... 7

Multicast IP addresses ...................................................................................... 7 Multicast forwarding and FortiGate units........................................................ 8 Multicast forwarding and RIPv2 .................................................................... 8 Configuring FortiGate multicast forwarding ................................................... 9 Adding multicast firewall policies................................................................. 10 Enabling multicast forwarding ..................................................................... 11
Configuring FortiGate multicast routing........................................ 13

config router multicast.................................................................................... 13 Sparse mode ............................................................................................... Dense mode................................................................................................ Command syntax pattern ............................................................................ config router multicast ................................................................................. config interface ............................................................................................ config pim-sm-global ................................................................................... 13 14 14 16 17 19
Multicast routing examples............................................................. 23

Example FortiGate PIM-SM configuration using a static RP ....................... 24 Configuration steps ..................................................................................... 24 FortiGate PIM-SM debugging examples ........................................................ 28 Checking that the receiver has joined the required group........................... Checking the PIM-SM neighbors ................................................................ Checking that the PIM router can reach the RP.......................................... Viewing the multicast routing table (FGT-3) ................................................ Viewing the PIM next-hop table .................................................................. Viewing the PIM multicast forwarding table ................................................ Viewing the kernel forwarding table ............................................................ Viewing the multicast routing table (FGT-2) ................................................ Viewing the multicast routing table (FGT-1) ................................................ 29 29 30 30 31 31 32 32 33
FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback
Contents
Example multicast destination NAT (DNAT) configuration.......................... 34 Example PIM configuration that uses BSR to find the RP ........................... 36 Commands used in this example................................................................. 37 Configuration steps...................................................................................... 39 Example debug commands ......................................................................... 45
Introduction
Revision history
Introduction
This chapter introduces you to FortiGate multicast support for FortiOS v3.0 and the following topics: Revision history About FortiGate multicast About this document Fortinet documentation Customer service and technical support Register your Fortinet product
Revision history
Version 01-400-96951-20090521 01-30005-0426-20070914 Description of changes Update for FortiGate 4.0 including template change, diagram updates, feature and command updates. Initial version. The initial version contains basic information about FortiGate v3.0 MR5 multicast support plus a number of PIM routing examples.
About FortiGate multicast

You can use multicasting (also called IP multicasting) to cause a source to send data to many receivers simultaneously, conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way data transmission for news feeds, financial information, and so on. Also RIPv2 uses multicast to share routing table information. This document describes how to configure FortiGate units to forward multicast packets and how to use FortiGate units as multicast routers.
About this document

This document provides some basic information about multicasting, describes FortiGate multicast support and contains a number of FortiGate multicast examples. This document contains the following chapters: FortiGate multicast forwarding describes the basics of FortiGate multicast forwarding in NAT and Transparent modes. This chapter also describes multicast firewall policies and how to enable multicast forwarding. Configuring FortiGate multicast routing describes using the config router multicast CLI command to configure FortiGate units to act as multicast routers. Multicast routing examples describes multicast routing configuration examples and also contains information about displaying multicast routing debug information
Fortinet documentation
Introduction
Fortinet documentation
The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.
Fortinet Tools and Documentation CD

All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].
Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.
Register your Fortinet product

You must register your Fortinet product to receive Fortinet customer services such as product updates and technical support. You must also register your product for FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention updates and for FortiGuard Web Filtering and AntiSpam. Register your product by visiting http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased. You can register multiple Fortinet products in a single session without re-entering your contact information.
FortiGate multicast forwarding
Multicast IP addresses

Multicasting (also called IP multicasting) consists of using a single multicast source to send data to many receivers. Multicasting can be used to send data to many receivers simultaneously while conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way data transmission for news feeds, financial information, and so on. Also RIPv2 uses multicasting to share routing table information. A multicast network typically consists of one or more multicast sources and one or more multicast receivers. Multicast sources send multicast packets and multicast receivers receive multicast packets. Usually there are various network components in between the sources and the receivers. These network components may just forward multicast packets or they may route multicast packets. Network components that route multicast packets are multicast routers. Using a multicast router means that the source only needs to transmit a single stream of data to the multicast router. The multicast router routes the data to the receivers. The receivers can be single receivers or can be part off a multicast group. The multicast router makes decisions about how to route the packets to receivers and multicast groups. Typically the multicast router makes routing decisions based on the source and destination addresses of the multicast packets. The multicast router can also apply network address translation (NAT) to multicast packets. This chapter describes configuring FortiGate units to forward multicast traffic and contains the following sections: Multicast IP addresses Multicast forwarding and FortiGate units Configuring FortiGate multicast forwarding
FortiGate units operating in NAT/Route mode can also be configured as multicast routers. You can configure a FortiGate unit to be a Protocol Independent Multicast (PIM) router operating in Sparse Mode (SM) or Dense Mode (DM). Configuring a FortiGate unit for multicast routing is described in Configuring FortiGate multicast routing on page 13. For multicast routing configuration examples, see Multicast routing examples on page 23.
Multicast IP addresses
Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is reserved for multicast groups. The multicast address range applies to multicast groups, not to the originators of multicast packets. Table 1 lists reserved multicast address ranges and describes what they are reserved for:
Multicast forwarding and FortiGate units
Table 1: Reserved Multicast address ranges Reserved Address Range 224.0.0.0 to 224.0.0.255 Use Notes
Used for network protocols on local In this range, packets are not forwarded networks. For more information, see by the router but remain on the local RFC 1700. network. They have a Time to Live (TTL) of 1. These addresses are used for communicating routing information. Global addresses used for multicasting data between organizations and across the Internet. For more information, see RFC 1700. Limited scope addresses used for local groups and organizations. For more information, see RFC 2365. Some of these addresses are reserved, for example, 224.0.1.1 is used for Network Time Protocol (NTP).
224.0.1.0 to 238.255.255.255
239.0.0.0 to 239.255.255.255
Routers are configured with filters to prevent multicasts to these addresses from leaving the local system.
Multicast forwarding and FortiGate units

In both Transparent mode and NAT/Route mode you can configure FortiGate units to forward multicast traffic. For a FortiGate unit to forward multicast traffic you must add FortiGate multicast firewall policies. Basic multicast firewall policies accept any multicast packets at one FortiGate interface and forward the packets out another FortiGate interface. You can also use multicast firewall policies to be selective about the multicast traffic that is accepted based on source and destination address, and to perform NAT on multicast packets. In the example shown in Figure 1, a multicast source on the Marketing network with IP address 192.168.5.18 sends multicast packets to the members of network 239.168.4.0. At the FortiGate unit, the source IP address for multicast packets originating from workstation 192.168.5.18 is translated to 192.168.18.10. In this example, the FortiGate unit is not acting as a multicast router.
Multicast forwarding and RIPv2

RIPv2 uses multicast to share routing table information. If your FortiGate unit is installed on a network that includes RIPv2 routers, you must configure the FortiGate unit to forward multicast packets so that RIPv2 devices can share routing data through the FortiGate unit. No special FortiGate configuration is required to share RIPv2 data, you can simply use the information in the following sections to configure the FortiGate unit to forward multicast packets.
Note: RIPv1 uses broadcasting to share routing table information. To allow RIPv1 packets through a FortiGate unit you can add standard firewall policies. Firewall policies to accept RIPv1 packets can use the ANY predefined firewall service or the RIP predefined firewall service.
Configuring FortiGate multicast forwarding
Figure 1: Example multicast network including a FortiGate unit that forwards multicast packets
Receiver_1 Receiver_3 Members of Multicast Group Receiver_2 Receiver_4 239.168.4.0
Internet
FortiGate-800 internal IP: 192.168.5.1 external IP: 172.20.20.10 DMZ IP: 192.168.6.1 Marketing 192.168.5.0/24
Multicast Forwarding Enabled Source address: 192.168.5.18 Source interface: internal Destination address: 239.168.4.0 Destination interface: external NAT IP: 192.168.18.10
Sender on the Marketing network at IP address 192.168.5.18 multicasts to IP address 239.168.4.0
Development 192.168.6.0/24

You configure FortiGate multicast forwarding from the Command Line Interface (CLI). Two steps are required: Adding multicast firewall policies Enabling multicast forwarding This second step is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in Transparent mode, adding a multicast policy enables multicast forwarding.
Note: For most FortiOS v3.0 maintenance releases you do not have to enable multicast forwarding in Transparent mode.
Adding multicast firewall policies

You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require multicast firewall policies. You add multicast firewall policies from the CLI using the config firewall multicast-policy command. As with unicast firewall policies, you specify the source and destination interfaces and optionally the allowed address ranges for the source and destination addresses of the packets. You can also use multicast firewall policies to configure source NAT and destination NAT for multicast packets. Keep the following in mind when configuring multicast firewall policies: The matched forwarded (outgoing) IP multicast source IP address is changed to the configured IP address. Source and Destination interfaces are optional. If left blank, then the multicast will be forwarded to ALL interfaces. Source and Destination addresses are optional. If left un set, then it will mean ALL addresses. The nat keyword is optional. Use it when source address translation is needed.
Command syntax pattern

config firewall multicast-policy edit <id_integer> set action <accept | deny> set dnat <address> set dstaddr <address_ipv4mask> set dstintf <name_str> set nat <address_ipv4> set srcaddr <address_ipv4mask> set srcintf <name_str> set protocol <integer> set start-port <integer> set end-port <integer> end
Keywords and variables id_integer action <accept | deny> dnat <address> Description The unique ID number of this multicast policy. Enter the policy action. Translate externally received multicast destination addresses to addresses that conform to your organization's internal addressing policy. Default No default accept 0.0.0.0
dstaddr <address_ipv4mask> dstintf <name_str> nat <address_ipv4> srcaddr <address_ipv4mask> srcintf <name_str>
Enter the destination IP address and netmask to match 0.0.0.0 against multicast NAT packets. 0.0.0.0 Enter the destination interface name to match against multicast NAT packets. Enter the IP address to substitute for the original source IP address. Enter the source IP address and netmask to match against multicast NAT packets. Enter the source interface name to match against multicast NAT packets. No default. 0.0.0.0 0.0.0.0 0.0.0.0 No default.
10
Keywords and variables protocol <integer> start-port <integer> end-port <integer>
Description Limit the number of protocols (services) sent out via multicast using the Fortigate. The beginning of the port range used for multicast. The end of the port range used for multicast.
Default No default No default No default
Example
This example shows how to configure the multicast firewall policy required for the configuration shown in Figure 1 on page 9. This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range 239.168.4.0. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface their source address is translated to 192.168.18.10 config firewall multicast-policy edit 5 set srcaddr 192.168.5.18 255.255.255.255 set srcintf internal set destaddr 239.168.4.0 255.255.255.0 set dstintf external set nat 192.168.18.10 end This example shows how to configure a multicast firewall policy so that the FortiGate unit forwards multicast packets from a multicast Server with an IP 10.10.10.10 is broadcasting to address 225.1.1.1. This Server is on the network connected to the FortiGate DMZ interface. config firewall multicast-policy edit 1 set srcintf DMZ set srcaddr 10.10.10.10 255.255.255.255 set dstintf Internal set dstaddr 225.1.1.1 255.255.255.255 set action accept edit 2 set action deny end
Enabling multicast forwarding

Multicast forwarding is disabled by default. In NAT mode you must use the multicast-forward keyword of the system settings CLI command to enable multicast forwarding. When multicastforward is enabled, the FortiGate unit forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add firewall policies to actually allow multicast packets through the FortiGate. In our example, the firewall policy allows multicast packets received by the internal interface to exit to the external interface.
Note: Enabling multicast forwarding is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in Transparent mode, adding a multicast policy enables multicast forwarding.
Enter the following CLI command to enable multicast forwarding: config system settings set multicast-forward enable end
11
If multicast forwarding is disabled and the FortiGate unit drops packets that have multicast source or destination addresses. You can also use the multicast-ttl-notchange keyword of the system settings command so that the FortiGate unit does not increase the TTL value for forwarded multicast packets. You should use this option only if packets are expiring before reaching the multicast router. config system settings set multicast-ttl-notchange enable end
12
Configuring FortiGate multicast routing
config router multicast

This chapter contains a copy of the description of the config router multicast CLI command. You use the config router multicast command to configure the FortiGate unit to act as a Protocol Independent Multicast (PIM) version 2 router. The FortiGate web-based manager you can go to Router > Dynamic > Multicast to configure basic PIM options. From the web-based manager you can configure sparse mode or dense mode operation on any FortiGate interface. For information about the web-based manager PIM options, see the web-based manager online help or the FortiGate Administration Guide.

A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 4601) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. Multicast routing is only available in the root virtual domain. It is not supported in Transparent mode (TP mode).
Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.
A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points (RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured.
Sparse mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to which each RP sends the multicast address or addresses of the multicast group(s) that it can service. The selected BSR chooses one RP per multicast group and makes this information available to all of the PIM routers in the domain through bootstrap messages. PIM routers use the information to build packet distribution trees, which map each multicast group to a specific RP. Packet distribution trees may also contain information about the sources and receivers associated with particular multicast groups.
Note: When a FortiGate interface is configured as a multicast interface, sparse mode is enabled on it by default to ensure that distribution trees are not built unless at least one downstream receiver requests multicast traffic from a specific source. If the sources of multicast traffic and their receivers are close to each other and the PIM domain contains a dense population of active receivers, you may choose to enable dense mode throughout the PIM domain instead.
13
An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and pruning the information contained in distribution trees, a single stream of multicast packets (for example, a video feed) originating from the source can be forwarded to a certain RP to reach a multicast destination. Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which neighboring PIM router join and prune messages are sent. An MRIB contains reverse-path information that reveals the path of a multicast packet from its source to the PIM router that maintains the MRIB. To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally elected DR registers the sender with the RP that is associated with the target multicast group. The RP uses its MRIB to forward a single stream of IP packets from the source to the members of the multicast group. The IP packets are replicated only when necessary to distribute the data to branches of the RPs distribution tree. To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP) version 1 (RFC 1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a particular multicast group. The locally elected DR receives the request and adds the host to the multicast group that is associated with the connected network segment by sending a join message towards the RP for the group. Afterward, the DR queries the hosts on the connected network segment continually to determine whether the hosts are active. When the DR no longer receives confirmation that at least one member of the multicast group is still active, the DR sends a prune message towards the RP for the group.
Dense mode
The packet organization used in sparse mode is also used in dense mode. When a multicast source begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from the multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM routers initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers that have requested traffic for multicast group address G can access the information if needed. To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages from downstream PIM routers to determine if receivers are actually present on directly connected network segments. The PIM routers exchange state refresh messages to update their distribution trees. FortiGate units store this state information in a Tree Information Base (TIB), which is used to build a multicast forwarding table. The information in the multicast forwarding table determines whether packets are forwarded downstream. The forwarding table is updated whenever the TIB is modified. PIM routers receive data streams every few minutes and update their forwarding tables using the source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is stopped by PIM routers that do not have downstream receiversPIM routers that do not manage multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic for multicast address G, the closest PIM router sends a graft message upstream to begin receiving multicast packets.
Command syntax pattern

config router multicast set igmp-state-limit <limit_integer> set multicast-routing {enable | disable} set route-limit <limit_integer> set route-threshold <threshold_integer> config interface edit <interface_name> set cisco-exclude-genid {enable | disable} set dr-priority <priority_integer> set hello-holdtime <holdtime_integer> set hello-interval <hello_integer> set neighbour-filter <access_list_name>
14
set passive {enable | disable} set pim-mode {sparse-mode | dense-mode} set propagation-delay <delay_integer> set rp-candidate {enable | disable} set rp-candidate-group <access_list_name> set rp-candidate-interval <interval_integer> set rp-candidate-priority <priority_integer> set state-refresh-interval <refresh_integer> set ttl-threshold <ttl_integer> end config join-group edit address <address_ipv4> end config igmp set access-group <access_list_name> set immediate-leave-group <access_list_name> set last-member-query-count <count_integer> set last-member-query-interval <interval_integer> set query-interval <interval_integer> set query-max-response-time <time_integer> set query-timeout <timeout_integer> set router-alert-check { enable | disable } set version {1 | 2 | 3} end end config pim-sm-global set accept-register-list <access_list_name> set bsr-allow-quick-refresh {enable | disable} set bsr-candidate {enable | disable} set bsr-priority <priority_integer> set bsr-interface <interface_name> set bsr-hash <hash_integer> set cisco-crp-prefix {enable | disable} set cisco-ignore-rp-set-priority {enable | disable} set cisco-register-checksum {enable | disable} set cisco-register-checksum-group <access_list_name> set message-interval <interval_integer> set register-rate-limit <rate_integer> set register-rp-reachability {enable | disable} set register-source {disable | interface | ip-address} set register-source-interface <interface_name> set register-source-ip <address_ipv4> set register-suppression <suppress_integer> set rp-register-keepalive <keepalive_integer> set spt-threshold {enable | disable} set spt-threshold-group <access_list_name> set ssm {enable | disable} set ssm-range <access_list_name> config rp-address edit <rp_id> set ip-address <address_ipv4> set group <access_list_name> end end
15

You can configure a FortiGate unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping information and if required, processes the multicast traffic associated with specific multicast groups.
Note: The end-user multicast client-server applications must be installed and configured to initiate Internet connections and handle broadband content such as audio/video information.
Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user could type in a class D multicast group address, an alias for the multicast group address, or a callconference number to initiate the session. Rather than sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use the one multicast group address to forward multicast packets to multiple destinations. Because one destination address is used, a single stream of data can be sent. Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be delivered to them end-users may use phone books, a menu of ongoing or future sessions, or some other method through a user interface to select the address of interest. A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D addresses must be assigned in advance. Because there is no way to determine in advance if a certain multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch to a different multicast address). To configure a PIM domain 1 If you will be using sparse mode, determine appropriate paths for multicast packets. 2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing protocol. 3 If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs, record the IP addresses of the PIM-enabled interfaces on those RPs. 4 Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate units, use the config router multicast command to set global operating parameters. 5 Configure the PIM routers that have good connections throughout the PIM domain to be candidate BSRs. 6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs. 7 If required, adjust the default settings of PIM-enabled interface(s).
Note: All keywords are optional.
Variables igmp-state-limit <limit_integer>
Description
Default
If memory consumption is an issue, specify a limit on the 3200 number of IGMP states (multicast memberships) that the FortiGate unit will store. The value represents the maximum combined number of IGMP states (multicast memberships) that can be handled by all interfaces. Traffic associated with excess IGMP membership reports is not delivered. The range is from 96 to 64 000. Enable or disable PIM routing. disable
multicast-routing {enable | disable}
16
Variables route-limit <limit_integer> route-threshold <threshold_integer>
Description
Default
If memory consumption is an issue, set a limit on the number 214748367 of multicast routes that can be added to the FortiGate routing 4 table. The range is from 1 to 2 147 483 674. Specify the number of multicast routes that can be added to 214748367 the FortiGate routing table before a warning message is 4 displayed. The route-threshold value must be lower than the route-limit value. The range is from 1 to 2 147 483 674.
config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation (sparse or dense). Global settings do not override interface-specific settings.
Note: All keywords are optional.
Variables edit <interface_name> cisco-exclude-genid {enable | disable}
Description Enter the name of the FortiGate interface on which to enable PIM protocols.
Default No default.
This keyword applies only when pim-mode is sparse-mode. disable Enable or disable including a generation ID in hello messages sent to neighboring PIM routers. A GenID value may be included for compatibility with older Cisco IOS routers. This keyword applies only when pim-mode is sparse-mode. 1 Assign a priority to FortiGate DR candidacy. The range is from 1 to 4 294 967 294. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected. Specify the amount of time (in seconds) that a PIM neighbor 105 may consider the information in a hello message to be valid. The range is from 1 to 65 535. If the hello-interval attribute is modified and the helloholdtime attribute has never been set explicitly, the helloholdtime attribute is set to 3.5 x hello-interval automatically. Set the amount of time (in seconds) that the FortiGate unit 30 waits between sending hello messages to neighboring PIM routers. The range is from 1 to 65 535. Changing the hellointerval attribute may update the hello-holdtime attribute automatically. Establish or terminate adjacency with PIM neighbors having the IP addresses given in the specified access list. For more information, see access-list in the FortiGate CLI Reference. Enable or disable PIM communications on the interface without affecting IGMP communications. Select the PIM mode of operation: Select sparse-mode to manage PIM packets through distribution trees and multicast groups. Select dense-mode to enable multicast flooding. Null.
dr-priority <priority_integer>
hello-holdtime <holdtime_integer>
hello-interval <hello_integer>
neighbour-filter <access_list_name>
passive {enable | disable} pim-mode {sparse-mode | dense-mode}
disable sparsemode
17
Variables propagation-delay <delay_integer>
Description
Default
This keyword is available when pim-mode is set to 500 dense-mode. Specify the amount of time (in milliseconds) that the FortiGate unit waits to send prune-override messages. The range is from 100 to 5 000. This keyword is available when pim-mode is set to disable sparse-mode. Enable or disable the FortiGate interface to offer Rendezvous Point (RP) services. This keyword is available when rp-candidate is set to Null. enable and pim-mode is set to sparse-mode. Specify for which multicast groups RP candidacy is advertised based on the multicast group prefixes given in the specified access list. For more information, see access-list in the FortiGate CLI Reference. This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode. Set the amount of time (in seconds) that the FortiGate unit waits between sending RP announcement messages. The range is from 1 to 16 383. 60
rp-candidate {enable | disable}
rp-candidate-group <access_list_name>
rp-candidate-interval <interval_integer>
rp-candidate-priority <priority_integer>
This keyword is available when rp-candidate is set to 192 enable and pim-mode is set to sparse-mode. Assign a priority to FortiGate RP candidacy. The range is from 0 to 255. The BSR compares the value to that of other RP candidates that can service the same multicast group, and the router having the highest RP priority is selected to be the RP for that multicast group. If two RP priority values are the same, the RP candidate having the highest IP address on its RP interface is selected. This keyword is available when pim-mode is set to 60 dense-mode. This attribute is used when the FortiGate unit is connected directly to the multicast source. Set the amount of time (in seconds) that the FortiGate unit waits between sending staterefresh messages. The range is from 1 to 100. When a staterefresh message is received by a downstream router, the prune state on the downstream router is refreshed. Specify the minimum Time-To-Live (TTL) value (in hops) that an outbound multicast packet must have in order to be forwarded from the interface. Specifying a high value (for example, 195) prevents PIM packets from being forwarded through the interface. The range is from 0 to 255. Cause the FortiGate interface to activate (IGMP join) the multicast group associated with the specified multicast group address. Specify which multicast groups hosts on the connected network segment may join based on the multicast addresses given in the specified access list. For more information, see access-list in the FortiGate CLI Reference. 1
state-refresh-interval <refresh_integer>
ttl-threshold <ttl_integer>
config join-group variables edit address <address_ipv4> config igmp variables access-group <access_list_name> Null. No default.
immediate-leave-group <access_list_name>
This keyword applies when version is set to 2 or 3. Null. Configure a FortiGate DR to stop sending traffic and IGMP queries to receivers after receiving an IGMP version 2 groupleave message from any member of the multicast groups identified in the specified access list. For more information, see access-list in the FortiGate CLI Reference.
18
Variables last-member-query-count <count_integer>
Description This keyword applies when version is set to 2 or 3. Specify the number of times that a FortiGate DR sends an IGMP query to the last member of a multicast group after receiving an IGMP version 2 group-leave message. This keyword applies when version is set to 2 or 3. Set the amount of time (in milliseconds) that a FortiGate DR waits for the last member of a multicast group to respond to an IGMP query. The range is from 1000 to 25 500. If no response is received before the specified time expires and the FortiGate DR has already sent an IGMP query lastmember-query-count times, the FortiGate DR removes the member from the group and sends a prune message to the associated RP.
Default 2
last-member-queryinterval <interval_integer>
1000
query-interval <interval_integer> query-max-response-time <time_integer>
Set the amount of time (in seconds) that a FortiGate DR waits 125 between sending IGMP queries to determine which members of a multicast group are active. The range is from 1 to 65 535. Set the maximum amount of time (in seconds) that a FortiGate DR waits for a member of a multicast group to respond to an IGMP query. The range is from 1 to 25. If no response is received before the specified time expires, the FortiGate DR removes the member from the group. 10
query-timeout <timeout_integer>
Set the amount of time (in seconds) that must expire before a 255 FortiGate unit begins sending IGMP queries to the multicast group that is managed through the interface. The range is from 60 to 300. A FortiGate unit begins sending IGMP queries if it does not receive regular IGMP queries from another DR through the interface. Enable to require the Router Alert option in IGMP packets. disabled
router-alert-check { enable | disable } version {1 | 2 | 3}
Specify the version number of IGMP to run on the interface. 3 The value can be 1, 2, or 3. The value must match the version used by all other PIM routers on the connected network segment.
config pim-sm-global
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not override interface-specific PIM settings. If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by specifying the IP address of the RP through the config rp-address subcommand. The IP address must be directly accessible to the DR. If multicast packets from more than one multicast group can pass through the same RP, you can use an access list to specify the associated multicast group addresses.
Note: To send multicast packets to a particular RP using the config rp-address subcommand, the ip-address keyword is required. All other keywords are optional. Variables accept-register-list <access_list_name> Description Cause a FortiGate RP to accept or deny register packets from the source IP addresses given in the specified access list. For more information, see access-list in the FortiGate CLI Reference. Enable or disable accepting bsr quick refresh packets from neighbors. Default Null.
bsr-allow-quick-refresh {enable | disable}
disable
19
Variables bsr-candidate {enable | disable} bsr-priority <priority_integer>
Description
Default
Enable or disable the FortiGate unit to offer its services as a Boot disable Strap Router (BSR) when required. This keyword is available when bsr-candidate is set to 0 enable. Assign a priority to FortiGate BSR candidacy. The range is from 0 to 255. The value is compared to that of other BSR candidates and the candidate having the highest priority is selected to be the BSR. If two BSR priority values are the same, the BSR candidate having the highest IP address on its BSR interface is selected. This keyword is available when bsr-candidate is set to Null. enable. Specify the name of the PIM-enabled interface through which the FortiGate unit may announce BSR candidacy. This keyword is available when bsr-candidate is set to 10 enable. Set the length of the mask (in bits) to apply to multicast group addresses in order to derive a single Rendezvous Point (RP) for one or more multicast groups. The range is from 0 to 32. For example, a value of 24 means that the first 24 bits of the group address are significant. All multicast groups having the same seed hash belong to the same RP. Enable or disable a FortiGate RP that has a group prefix number disable of 0 to communicate with a Cisco BSR. You may choose to enable the attribute if required for compatibility with older Cisco BSRs. Enable or disable a FortiGate BSR to recognize Cisco RP-SET priority values when deriving a single RP for one or more multicast groups. You may choose to enable the attribute if required for compatibility with older Cisco RPs. disable
bsr-interface <interface_name>
bsr-hash <hash_integer>
cisco-crp-prefix {enable | disable}
cisco-ignore-rp-setpriority {enable | disable}
cisco-register-checksum {enable | disable}
Enable or disable performing a register checksum on entire PIM disable packets. A register checksum is performed on the header only by default. You may choose to enable register checksums on the whole packet for compatibility with older Cisco IOS routers. This keyword is available when cisco-register-checksum Null. is set to enable. Identify on which PIM packets to perform a whole-packet register checksum based on the multicast group addresses in the specified access list. For more information, see access-list in the FortiGate CLI Reference. You may choose to enable register checksums on entire PIM packets for compatibility with older Cisco IOS routers. Set the amount of time (in seconds) that the FortiGate unit waits 60 between sending periodic PIM join/prune messages (sparse mode) or prune messages (dense mode). The value must be identical to the message interval value set on all other PIM routers in the PIM domain. The range is from 1 to 65 535. 0 Set the maximum number of register messages per (S,G) per second that a FortiGate DR can send for each PIM entry in the routing table. The range is from 0 to 65 535, where 0 means an unlimited number of register messages per second. Enable or disable a FortiGate DR to check if an RP is accessible enable prior to sending register messages.
cisco-register-checksumgroup <access_list_name>
message-interval <interval_integer>
register-rate-limit <rate_integer>
register-rp-reachability {enable | disable}
20
Variables register-source {disable | interface | ip-address}
Description
Default
If the FortiGate unit acts as a DR, enable or disable changing the ip-address IP source address of outbound register packets to one of the following IP addresses. The IP address must be accessible to the RP so that the RP can respond to the IP address with a Register-Stop message: To retain the IP address of the FortiGate DR interface that faces the RP, select disable. To change the IP source address of a register packet to the IP address of a particular FortiGate interface, select interface. The register-source-interface attribute specifies the interface name. To change the IP source address of a register packet to a particular IP address, select ip-address. The registersource-ip attribute specifies the IP address. This keyword is available when register-source is set to interface. Enter the name of the FortiGate interface. This keyword is available when register-source is set to address. Enter the IP source address to include in the register message. Null.
register-source-interface <interface_name> register-source-ip <address_ipv4> register-suppression <suppress_integer> rp-register-keepalive <keepalive_integer>
0.0.0.0
Enter the amount of time (in seconds) that a FortiGate DR waits 60 to start sending data to an RP after receiving a Register-Stop message from the RP. The range is from 1 to 65 535. If the FortiGate unit acts as an RP, set the frequency (in 185 seconds) with which the FortiGate unit sends keepalive messages to a DR. The range is from 1 to 65 535. The two routers exchange keepalive messages to maintain a link for as long as the source continues to generate traffic. If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute has never been set explicitly, the rp-register-keepalive attribute is set to (3 x register-suppression) + 5 automatically. Enable or disable the FortiGate unit to build a Shortest Path Tree enable (SPT) for forwarding multicast packets. This keyword is available when spt-threshold is set to Null. enable. Build an SPT only for the multicast group addresses given in the specified access list. For more information, see access-list in the FortiGate CLI Reference. This keyword is available when the IGMP version is set to 3. Enable or disable Source Specific Multicast (SSM) interactions (see RFC 3569). enable
spt-threshold {enable | disable} spt-threshold-group <access_list_name>
ssm {enable | disable}
ssm-range <access_list_name>
This keyword is available when ssm is set to enable. Null. Enable SSM only for the multicast addresses given in the specified access list. For more information, see access-list in the FortiGate CLI Reference. By default, multicast addresses in the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions. Applies only when pim-mode is sparse-mode. Enter an ID number for the static RP address entry. The number No default. must be an integer. Specify a static IP address for the RP. 0.0.0.0 Configure a single static RP for the multicast group addresses Null. given in the specified access list. For more information, see access-list in the FortiGate CLI Reference. If an RP for any of these group addresses is already known to the BSR, the static RP address is ignored and the RP known to the BSR is used instead.
config rp-address variables edit <rp_id> ip-address <address_ipv4> group <access_list_name>
21
Example
This example shows how to enable a FortiGate unit to support PIM routing in sparse mode and enable BSR candidacy on the dmz interface: config router multicast set multicast-routing enable config interface edit dmz set pim-mode sparse-mode end end config pim-sm-global set bsr-candidate enable set bsr-priority 1 set bsr-interface dmz set bsr-hash 24 end This example shows how to enable RP candidacy on the port1 interface for the multicast group addresses given through an access list named multicast_port1: config router multicast set multicast-routing enable config interface edit port1 set pim-mode sparse-mode set rp-candidate enable set rp-candidate-group multicast_port1 set rp-candidate-priority 15 end end
22
Multicast routing examples

This chapter contains the following multicast routing configuration examples and information: Example FortiGate PIM-SM configuration using a static RP FortiGate PIM-SM debugging examples Example multicast destination NAT (DNAT) configuration Example PIM configuration that uses BSR to find the RP
Figure 2: Example FortiGate PIM-SM topology
Multicast Source 169.254.82.1 233.254.200.1
Cisco_3750 _1 router RP for group 233.234.200.x (169.254.100.1 loopback0)
FE0/23 (.250)
169.254.82.0/24 FE0/24 (.1) Cisco_3750_2 router FE0/23 (.250) 10.31.138.0/24 VLAN 138
external (.253) FortiGate-800 internal (.1)
10.31.130.0/24 VLAN 130 FE0/24 (.250) Cisco_3750_3 router FE0/23 (.130) 10.31.128.128/30
Receiver (.129) Group 233.254.200.1
23
Example FortiGate PIM-SM configuration using a static RP

The example Protocol Independent Multicast Sparse Mode (PIM-SM) configuration shown in Figure 2 has been tested for multicast interoperability using PIM-SM between Cisco 3750 switches running 12.2 and a FortiGate-800 running FortiOS v3.0 MR5 patch 1. In this configuration, the receiver receives the multicast stream when it joins the group 233.254.200.1. The configuration uses a statically configured rendezvous point (RP) which resides on the Cisco_3750_1. Using a bootstrap router (BSR) was not tested in this example. See Example PIM configuration that uses BSR to find the RP on page 36 for an example that uses a BSR.
Configuration steps
The following procedures show how to configure the multicast configuration settings for the devices in the example configuration. Cisco_3750_1 router configuration Cisco_3750_2 router configuration To configure the FortiGate-800 unit Cisco_3750_3 router configuration
Cisco_3750_1 router configuration version 12.2 ! hostname Cisco-3750-1 ! switch 1 provision ws-c3750-24ts ip subnet-zero ip routing ! ip multicast-routing distributed ! spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! interface Loopback0 ip address 169.254.100.1 255.255.255.255 ! interface FastEthernet1/0/23 switchport access vlan 182 switchport mode access ! interface FastEthernet1/0/24 switchport access vlan 172 switchport mode access ! interface Vlan172 ip address 10.31.138.1 255.255.255.0 ip pim sparse-mode ip igmp query-interval 125 ip mroute-cache distributed
24
! interface Vlan182 ip address 169.254.82.250 255.255.255.0 ip pim sparse-mode ip mroute-cache distributed ! ip classless ip route 0.0.0.0 0.0.0.0 169.254.82.1 ip http server ip pim rp-address 169.254.100.1 Source-RP ! ! ip access-list standard Source-RP permit 233.254.200.0 0.0.0.255 Cisco_3750_2 router configuration version 12.2 ! hostname Cisco-3750-2 ! switch 1 provision ws-c3750-24ts ip subnet-zero ip routing ! ip multicast-routing distributed ! spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! interface FastEthernet1/0/23 switchport access vlan 138 switchport mode access ! interface FastEthernet1/0/24 switchport access vlan 182 switchport mode access ! interface Vlan138 ip address 10.31.138.250 255.255.255.0 ip pim sparse-mode ip mroute-cache distributed ! interface Vlan182 ip address 169.254.82.1 255.255.255.0 ip pim sparse-mode ip mroute-cache distributed ! ip classless ip route 0.0.0.0 0.0.0.0 10.31.138.253 ip route 169.254.100.1 255.255.255.255 169.254.82.250 ip http server ip pim rp-address 169.254.100.1 Source-RP
25
! ! ip access-list standard Source-RP permit 233.254.200.0 0.0.0.255 To configure the FortiGate-800 unit 1 Configure the internal and external interfaces. config system interface edit "internal" set vdom "root" set ip 10.31.130.1 255.255.255.0 set allowaccess ping https set type physical next edit "external" set vdom "root" set ip 10.31.138.253 255.255.255.0 set allowaccess ping set type physical end end 2 Add a firewall address for the RP. config firewall address edit "RP" set subnet 169.254.100.1/32 end 3 Add standard firewall policies to allow traffic to reach the RP. config firewall policy edit 1 set srcintf "internal" set dstintf "external" set srcaddr "all" set dstaddr "RP" set action accept set schedule "always" set service "ANY" next edit 2 set srcintf "external" set dstintf "internal" set srcaddr "RP" set dstaddr "all" set action accept set schedule "always" set service "ANY" end 4 Add the multicast firewall policy. config firewall multicast-policy edit 1 set dstaddr 233.254.200.0 255.255.255.0 set dstintf "internal" set srcaddr 169.254.82.0 255.255.255.0
26
set srcintf "external" end 5 Add an access list. config router access-list edit "Source-RP" config rule edit 1 set prefix 233.254.200.0 255.255.255.0 set exact-match disable next end 6 Add some static routes. config router static edit 1 set device "internal" set gateway 10.31.130.250 next edit 2 set device "external" set dst 169.254.0.0 255.255.0.0 set gateway 10.31.138.250 next 7 Configure multicast routing. config router multicast config interface edit "internal" set pim-mode sparse-mode config igmp set version 2 end next edit "external" set pim-mode sparse-mode config igmp set version 2 end next end set multicast-routing enable config pim-sm-global config rp-address edit 1 set ip-address 169.254.100.1 set group "Source-RP" next Cisco_3750_3 router configuration version 12.2 ! hostname Cisco-3750-3 ! switch 1 provision ws-c3750-24ts
27
FortiGate PIM-SM debugging examples
ip subnet-zero ip routing ! ip multicast-routing distributed ! spanning-tree mode pvst no spanning-tree optimize bpdu transmission spanning-tree extend system-id ! interface FastEthernet1/0/23 switchport access vlan 128 switchport mode access ! interface FastEthernet1/0/24 switchport access vlan 130 switchport mode access ! interface Vlan128 ip address 10.31.128.130 255.255.255.252 ip pim sparse-mode ip mroute-cache distributed ! interface Vlan130 ip address 10.31.130.250 255.255.255.0 ip pim sparse-mode ip mroute-cache distributed ! ip classless ip route 0.0.0.0 0.0.0.0 10.31.130.1 ip http server ip pim rp-address 169.254.100.1 Source-RP ! ! ip access-list standard Source-RP permit 233.254.200.0 0.0.0.255

Using the example topology shown in Figure 3 you can trace the multicast streams and states within the three FortiGate units (FGT-1, FGT-2, and FGT-3) using the debug commands described in this section. The command output in this section is taken from FortiGate unit running FortiOS v3.0 MR5 patch 1 when the multicast stream is flowing correctly from source to receiver.
28
Figure 3: PIM-SM debugging topology

Multicast Source (.11) 239.255.255.1
10.166.0.0/24 internal FGT-1 (.237) external 10.130.0.0/24 internal FGT-2 (.156) RP 192.168.1.1/32 (loopback) external
10.132.0.0/24 port2 FGT-3 (.226) port3
10.167.0.0/24
Receiver (.62)
Checking that the receiver has joined the required group

From the last hop router, FGT-3, you can use the following command to check that the receiver has correctly joined the required group. FGT-3 # get router info multicast igmp groups IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 239.255.255.1 port3 00:31:15 00:04:02 10.167.0.62 Only 1 receiver is displayed for a particular group, this is the device that responded to the IGMP query request from the FGT-3. If a receiver is active the expire time should drop to approximately 2 minutes before being refreshed.
Checking the PIM-SM neighbors

Next the PIM-SM neighbors should be checked. A PIM router becomes a neighbor when the PIM router receives a PIM hello. Use the following command to display the PIM-SM neighbors of FGT-3. FGT-3 # get router info multicast pim sparse-mode neighbour Neighbor Interface Uptime/Expires Ver DR
29
Address Priority/Mode 10.132.0.156
port2
01:57:12/00:01:33 v2
1 /
Checking that the PIM router can reach the RP

The rendezvous point (RP) must be reachable for the PIM router (FGT-3) to be able to send the *,G join to request the stream. This can be checked for FGT-3 using the following command: FGT-3 # get router info multicast pim sparse-mode rp-mapping PIM Group-to-RP Mappings Group(s): 224.0.0.0/4, Static RP: 192.168.1.1 Uptime: 07:23:00
Viewing the multicast routing table (FGT-3)

The FGT-3 unicast routing table can be used to determine the path taken to reach the RP at 192.168.1.1. You can then check the stream state entries using the following commands: FGT-3 # get router info multicast pim sparse-mode table IP Multicast Routing Table (*,*,RP) Entries: 0 (*,G) Entries: 1 (S,G) Entries: 1 (S,G,rpt) Entries: 1 FCR Entries: 0
(*,*,RP) Entries (*,G) Entries (S,G) Entries (S,G,rpt) Entries FCR This state may be reached by general joins for all groups served by a specified RP. State that maintains the RP tree for a given group. State that maintains a source-specific tree for source S and group G. State that maintains source-specific information about source s on the RP tree for G. For example, if a source is being received on the source-specific tree, it will normally have been pruned off the RP tree. The FCR state entries are for tracking the sources in the <*, G> when <S, G> is not available for any reason, the stream would typically be flowing when this state exists.
Breaking down each entry in detail: (*, 239.255.255.1) RP: 192.168.1.1 RPF nbr: 10.132.0.156 RPF idx: port2 Upstream State: JOINED Local: port3 Joined: Asserted: FCR: The RP will always be listed in a *,G entry, the RPF neighbor and interface index will also be shown. In this topology these are the same in all downstream PIM routers. The state is active so the upstream state is joined.
30
In this case FGT-3 is the last hop router so the IGMP join is received locally on port3. There is no PIM outgoing interface listed for this entry as it is used for the upstream PIM join. (10.166.0.11, 239.255.255.1) RPF nbr: 10.132.0.156 RPF idx: port2 SPT bit: 1 Upstream State: JOINED Local: Joined: Asserted: Outgoing: port3 This is the entry for the SPT, no RP IS listed. The S,G stream will be forwarded out of the stated outgoing interface. (10.166.0.11, 239.255.255.1, rpt) RP: 192.168.1.1 RPF nbr: 10.132.0.156 RPF idx: port2 Upstream State: NOT PRUNED Local: Pruned: Outgoing: The above S,G,RPT state is created for all streams that have both a S,G and a *,G entry on the router. This is not pruned in this case because of the topology, the RP and source are reachable over the same interface. Although not seen in this scenario, assert states may be seen when multiple PIM routers exist on the same LAN which can lead to more than one upstream router having a valid forwarding state. Assert messages are used to elect a single forwarder from the upstream devices.
Viewing the PIM next-hop table

The PIM next-hop table is also very useful for checking the various states, it can be used to quickly identify the states of multiple multicast streams FGT-3 # get router info multicast pim sparse-mode next-hop Flags: N = New, R = RP, S = Source, U = Unreachable Destination Type Nexthop Nexthop Nexthop Metric Pref Refcnt Num Addr Ifindex ___________________________________________________________________________ 10.166.0.11 ..S. 1 10.132.0.156 9 21 110 3 192.168.1.1 .R.. 1 10.132.0.156 9 111 110 2
Viewing the PIM multicast forwarding table

Also you can check the multicast forwarding table showing the ingress and egress ports of the multicast stream. FGT-3 # get router info multicast table IP Multicast Routing Table Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed Timers: Uptime/Stat Expiry Interface State: Interface (TTL threshold)
31
(10.166.0.11, 239.255.255.1), uptime 04:02:55, stat expires 00:02:25 Owner PIM-SM, Flags: TF Incoming interface: port2 Outgoing interface list: port3 (TTL threshold 1)
Viewing the kernel forwarding table

Also the kernel forwarding table can be verified, however this should give similar information to the above command: FGT-3 # diag ip multicast mroute grp=239.255.255.1 src=10.166.0.11 intf=9 flags=(0x10000000)[ ] status=resolved last_assert=2615136 bytes=1192116 pkt=14538 wrong_if=0 num_ifs=1 index(ttl)=[6(1),]

If you check the output on FGT-2 there are some small differences: FGT-2 # get router info multicast pim sparse-mode table IP Multicast Routing Table (*,*,RP) Entries: 0 (*,G) Entries: 1 (S,G) Entries: 1 (S,G,rpt) Entries: 1 FCR Entries: 0 (*, 239.255.255.1) RP: 192.168.1.1 RPF nbr: 0.0.0.0 RPF idx: None Upstream State: JOINED Local: Joined: external Asserted: FCR: The *,G entry now has a joined interface rather than local because it has received a PIM join from FGT-3 rather than a local IGMP join. (10.166.0.11, 239.255.255.1) RPF nbr: 10.130.0.237 RPF idx: internal SPT bit: 1 Upstream State: JOINED Local: Joined: external Asserted: Outgoing: external
32
The S,G entry shows that we have received a join on the external interface and the stream is being forwarded out of this interface. (10.166.0.11, 239.255.255.1, rpt) RP: 192.168.1.1 RPF nbr: 0.0.0.0 RPF idx: None Upstream State: PRUNED Local: Pruned: Outgoing: External The S,G,RPT is different from FGT-3 because FGT-2 is the RP, it has pruned back the SPT for the RP to the first hop router.

FGT-1 again has some differences with regard to the PIM-SM states, there is no *,G entry because it is not in the path of a receiver and the RP. FGT-1_master # get router info multicast pim sparse-mode table IP Multicast Routing Table (*,*,RP) Entries: 0 (*,G) Entries: 0 (S,G) Entries: 1 (S,G,rpt) Entries: 1 FCR Entries: 0 Below the S,G is the SPT termination because this FortiGate unit is the first hop router, the RPF neighbor always shows as 0.0.0.0 because the source is local to this device. Both the joined and outgoing fields show as external because the PIM join and the stream is egressing on this interface. (10.166.0.11, 239.255.255.1) RPF nbr: 0.0.0.0 RPF idx: None SPT bit: 1 Upstream State: JOINED Local: Joined: external Asserted: Outgoing: external The stream has been pruned back from the RP because the end-to-end SPT is flowing, there is no requirement for the stream to be sent to the RP in this case. (10.166.0.11, 239.255.255.1, rpt) RP: 0.0.0.0 RPF nbr: 10.130.0.156 RPF idx: external Upstream State: RPT NOT JOINED Local: Pruned: Outgoing:
33
Example multicast destination NAT (DNAT) configuration

The example topology shown in Figure 4 and described below shows how to configure destination NAT (DNAT) for two multicast streams. Both of these streams originate from the same source IP address, which is 10.166.0.11. The example configuration keeps the streams separate by creating 2 multicast NAT policies. In this example the FortiGate units in Figure 4 have the following roles: FGT-1 is the RP for dirty networks, 233.0.0.0/8. FGT-2 performs all firewall and DNAT translations. FGT-3 is the RP for the clean networks, 239.254.0.0/16. FGT-1 and FGT-3 are functioning as PM enabled routers and could be replaced can be any PIM enabled router.
This example only describes the configuration of FGT-2. FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following translated multicast streams. If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.2.2.1; FGT-3 translates the source and destination IPs to 192.168.20.1 and 239.254.1.1 If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.3.3.1; FGT-3 translates the source and destination IPs to 192.168.20.10 and 239.254.3.1
34
Figure 4: Example multicast DNAT topology

Multicast Source IP 10.166.0.11/24 Group 233.2.2.1 Group 233.3.3.1 10.166.0.0/24
FGT-1 RP for groups 233.0.0.0/8
Source IP: 10.166.0.11 Destination IP: 233.2.2.1 NAT Source IP: 192.168.20.1 Destination IP: 239.254.1.1
port6
10.125.0.0/24 Source IP: 10.166.0.11 FGT-2 (FW) Destination IP: 233.3.3.1 Loopback interface 192.168.20.1/24 NAT Static join configured for group 233.2.2.1 port7 10.126.0.0/24 Source IP: 192.168.20.10 Destination IP: 239.254.3.1
FGT-3 BSR and RP for group 239.254.0.0/16
10.127.0.0/24
Multicast Receiver IP 10.127.0.62/24 Group 239.254.1.1 Group 239.254.3.1
To configure FGT-2 for DNAT multicast 1 Add a loopback interface. In the example, the loopback interface is named loopback. config system interface edit "loopback" set vdom "root" set ip 192.168.20.1 255.255.255.0 set type loopback next end 2 Add PIM and add a unicast routing protocol to the loopback interface as if it was a normal routed interface. Also add static joins to the loopback interface for any groups to be translated. config router multicast config interface edit "loopback" set pim-mode sparse-mode config join-group edit 233.2.2.1 next
35
Example PIM configuration that uses BSR to find the RP
edit 233.3.3.1 next end next 3 In this example, to add firewall multicast policies, different source IP addresses are required so you must first add an IP pool: config firewall ippool edit "Multicast_source" set endip 192.168.20.20 set interface "port6" set startip 192.168.20.10 next end 4 Add the translation firewall policies. Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1, the DNAT policy, uses an address from the IP pool. config firewall multicast-policy edit 1 set dnat 239.254.3.1 set dstaddr 233.3.3.1 255.255.255.255 set dstintf "loopback" set nat 192.168.20.10 set srcaddr 10.166.0.11 255.255.255.255 set srcintf "port6" next edit 2 set dnat 239.254.1.1 set dstaddr 233.2.2.1 255.255.255.255 set dstintf "loopback" set nat 192.168.20.1 set srcaddr 10.166.0.11 255.255.255.255 set srcintf "port6" next 5 Add a firewall multicast policy to forward the stream from the loopback interface to the physical outbound interface. This example is an any/any policy that makes sure traffic accepted by the other multicast policies can exit the FortiGate unit. config firewall multicast-policy edit 3 set dstintf "port7" set srcintf "loopback" next

This example shows how to configure a multicast routing network for a network consisting of 4 FortiGate-500A units (FortiGate-500A_1 to FortiGate-550A_4, see Figure 5). A multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to reach Receiver 1 and Receiver 2.
36
The configuration uses a Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source). This example describes: Commands used in this example Configuration steps Example debug commands
Figure 5: PIM network topology using BSR to find the RP
FortiGate-500A_1 RP for 237.1.1.1 237.1.1.1 238.1.1.1
Cisco 3550 switch
Cisco 2611 router
Sender
Cisco 3640 router
FortiGate-500A_2
Receiver 1
FortiGate-500A_3 RP for others Priority 256
FortiGate-500A_4 RP for others Priority 1
Receiver 2
Commands used in this example

This example uses CLI commands for the following configuration settings: Adding a loopback interface (lo0) Defining the multicast routing Adding the NAT multicast policy
Adding a loopback interface (lo0)

Where required, the following command is used to define a loopback interface named lo0. config system interface edit "lo0" set vdom "root" set ip 1.4.50.4 255.255.255.255 set allowaccess ping https ssh snmp http telnet set type loopback next
37
end
Defining the multicast routing

In this example, the following command syntax is used to define multicast routing. The example uses a Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source). config router multicast config interface edit "port6" set pim-mode sparse-mode next edit "port1" set pim-mode sparse-mode next edit "lo0" set pim-mode sparse-mode set rp-candidate enable config join-group edit 236.1.1.1 next end set rp-candidate-priority 1 next end set multicast-routing enable config pim-sm-global set bsr-allow-quick-refresh enable set bsr-candidate enable set bsr-interface "lo0" set bsr-priority 200 end end
Adding the NAT multicast policy

In this example, the incoming multicast policy does the address translation. The NAT address should be the same as the IP address of the of loopback interface. The DNAT address is the translated address, which should be a new group. config firewall multicast-policy edit 1 set dstintf "port6" set srcintf "lo0" next edit 2 set dnat 238.1.1.1 set dstintf "lo0" set nat 1.4.50.4 set srcintf "port1" next
38
Configuration steps
In this sample, FortiGate-500A_1 is the RP for the group 228.1.1.1, 237.1.1.1, 238.1.1.1, and FortiGate-500A_4 is the RP for the other group which has a priority of1. OSPF is used in this example to distribute routes including the loopback interface. All firewalls have full mesh firewall policies to allow any to any. In the FortiGate-500A_1 configuration, the NAT policy translates source address 236.1.1.1 to 237.1.1.1 In the FortiGate-500A_4, configuration, the NAT policy translates source 236.1.1.1 to 238.1.1.1 Source 236.1.1.1 is injected into network as well.
The following procedures include the CLI commands for configuring each of the FortiGate units in the example configuration. To configure FortiGate-500A_1 1 Configure multicast routing. config router multicast config interface edit "port5" set pim-mode sparse-mode next edit "port4" set pim-mode sparse-mode next edit "lan" set pim-mode sparse-mode next edit "port1" set pim-mode sparse-mode next edit "lo999" set pim-mode sparse-mode next edit "lo0" set pim-mode sparse-mode set rp-candidate enable set rp-candidate-group "1" next end set multicast-routing enable config pim-sm-global set bsr-candidate enable set bsr-interface "lo0" end end 2 Add multicast firewall policies. config firewall multicast-policy edit 1 set dstintf "port5" set srcintf "port4" next edit 2 set dstintf "port4"
39
set srcintf "port5" next edit 3 next end 3 Add router access lists. config router access-list edit "1" config rule edit 1 set prefix 228.1.1.1 255.255.255.255 set exact-match enable next edit 2 set prefix 237.1.1.1 255.255.255.255 set exact-match enable next edit 3 set prefix 238.1.1.1 255.255.255.255 set exact-match enable next end next end To configure FortiGate-500A_2 1 Configure multicast routing. config router multicast config interface edit "lan" set pim-mode sparse-mode next edit "port5" set pim-mode sparse-mode next edit "port2" set pim-mode sparse-mode next edit "port4" set pim-mode sparse-mode next edit "lo_5" set pim-mode sparse-mode config join-group edit 236.1.1.1 next end next end set multicast-routing enable end 2 Add multicast firewall policies.
40
config firewall multicast-policy edit 1 set dstintf "lan" set srcintf "port5" next edit 2 set dstintf "port5" set srcintf "lan" next edit 4 set dstintf "lan" set srcintf "port2" next edit 5 set dstintf "port2" set srcintf "lan" next edit 7 set dstintf "port1" set srcintf "port2" next edit 8 set dstintf "port2" set srcintf "port1" next edit 9 set dstintf "port5" set srcintf "port2" next edit 10 set dstintf "port2" set srcintf "port5" next edit 11 set dnat 237.1.1.1 set dstintf "lo_5" set nat 5.5.5.5 set srcintf "port2" next edit 12 set dstintf "lan" set srcintf "lo_5" next edit 13 set dstintf "port1" set srcintf "lo_5" next edit 14 set dstintf "port5" set srcintf "lo_5" next edit 15 set dstintf "port2" set srcintf "lo_5"
41
next edit 16 next end To configure FortiGate-500A_3 1 Configure multicast routing. config router multicast config interface edit "port5" set pim-mode sparse-mode next edit "port6" set pim-mode sparse-mode next edit "lo0" set pim-mode sparse-mode set rp-candidate enable set rp-candidate-priority 255 next edit "lan" set pim-mode sparse-mode next end set multicast-routing enable config pim-sm-global set bsr-candidate enable set bsr-interface "lo0" end end 2 Add multicast firewall policies. config firewall multicast-policy edit 1 set dstintf "port5" set srcintf "port6" next edit 2 set dstintf "port6" set srcintf "port5" next edit 3 set dstintf "port6" set srcintf "lan" next edit 4 set dstintf "lan" set srcintf "port6" next edit 5 set dstintf "port5" set srcintf "lan" next edit 6
42
set dstintf "lan" set srcintf "port5" next end To configure FortiGate-500A_4 1 Configure multicast routing. config router multicast config interface edit "port6" set pim-mode sparse-mode next edit "lan" set pim-mode sparse-mode next edit "port1" set pim-mode sparse-mode next edit "lo0" set pim-mode sparse-mode set rp-candidate enable config join-group edit 236.1.1.1 next end set rp-candidate-priority 1 next end set multicast-routing enable config pim-sm-global set bsr-allow-quick-refresh enable set bsr-candidate enable set bsr-interface "lo0" set bsr-priority 1 end end 2 Add multicast firewall policies. config firewall policy edit 1 set srcintf "lan" set dstintf "port6" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next edit 2 set srcintf "port6" set dstintf "lan" set srcaddr "all" set dstaddr "all" set action accept
43
set schedule "always" set service "ANY" next edit 3 set srcintf "port1" set dstintf "port6" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next edit 4 set srcintf "port6" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next edit 5 set srcintf "port1" set dstintf "lan" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next edit 6 set srcintf "lan" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next edit 7 set srcintf "port1" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next edit 8 set srcintf "port6" set dstintf "lo0" set srcaddr "all" set dstaddr "all" set action accept
44
set schedule "always" set service "ANY" next edit 9 set srcintf "port1" set dstintf "lo0" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next edit 10 set srcintf "lan" set dstintf "lo0" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" next end
Example debug commands

You can use the following CLI commands to view information about and status of the multicast configuration. This section includes get and diagnose commands and some sample output. get router info multicast pim sparse-mode table 236.1.1.1 get router info multicast pim sparse-mode neighbour Neighbor Address 83.97.1.2 Interface port6 Uptime/Expires Ver DR Priority/Mode 1 / DR
02:22:01/00:01:44 v2
diagnose ip multicast mroute grp=236.1.1.1 src=19.2.1.1 intf=7 flags=(0x10000000)[ ] status=resolved last_assert=171963 bytes=1766104 pkt=1718 wrong_if=1 num_ifs=2 index(ttl)=[6(1),10(1),] grp=236.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ] status=resolved last_assert=834864 bytes=4416 pkt=138 wrong_if=0 num_ifs=2 index(ttl)=[7(1),6(1),] grp=238.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ] status=resolved last_assert=834864 bytes=1765076 pkt=1717 wrong_if=0 num_ifs=1 index(ttl)=[7(1),] get router info multicast igmp groups
45
IGMP Connected Group Membership Group Address Interface Reporter 236.1.1.1 lan 10.4.1.1 236.1.1.1 lo0 1.4.50.4
Uptime
Expires
Last
00:45:48 00:03:21 02:19:31 00:03:23
get router info multicast pim sparse-mode interface Address 10.4.1.2 1.2 83.97.1.1 .1.2 1.4.50.4 0.4 Interface VIFindex Ver/ Mode lan 2 v2/S port6 lo0 0 3 v2/S v2/S Nbr Count 0 1 0 DR DR Prior 1 10.4. 1 1 83.97 1.4.5
get router info multicast pim sparse-mode rp-mapping PIM Group-to-RP Mappings This system is the Bootstrap Router (v2) Group(s): 224.0.0.0/4 RP: 1.4.50.4 Info source: 1.4.50.4, via bootstrap, priority Uptime: 02:20:32, expires: 00:01:58 RP: 1.4.50.3 Info source: 1.4.50.3, via bootstrap, priority Uptime: 02:20:07, expires: 00:02:24 Group(s): 228.1.1.1/32 RP: 1.4.50.1 Info source: 1.4.50.1, via bootstrap, priority Uptime: 02:18:24, expires: 00:02:06 Group(s): 237.1.1.1/32 RP: 1.4.50.1 Info source: 1.4.50.1, via bootstrap, priority Uptime: 02:18:24, expires: 00:02:06 Group(s): 238.1.1.1/32 RP: 1.4.50.1 Info source: 1.4.50.1, via bootstrap, priority Uptime: 02:18:24, expires: 00:02:06 get router info multicast pim sparse-mode bsr-info
255
192
192
192
46
PIMv2 Bootstrap information This system is the Bootstrap Router (BSR) BSR address: 1.4.50.4 Uptime: 02:23:08, BSR Priority: 1, Hash mask length: 10 Next bootstrap message in 00:00:18 Role: Candidate BSR State: Elected BSR Candidate RP: 1.4.50.4(lo0) Advertisement interval 60 seconds Next Cand_RP_advertisement in 00:00:54
47
48
www.fortinet.com
www.fortinet.com

FortiGate Multicast Tech Note 01-400-96951-20090521

Uploaded by

Copyright:

Available Formats

FortiGate Multicast Tech Note 01-400-96951-20090521

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiGate Multicast Tech Note 01-400-96951-20090521

Uploaded by

Copyright:

Available Formats

FortiGate Multicast

FortiGate multicast forwarding......................................................... 7

Configuring FortiGate multicast routing........................................ 13

Multicast routing examples............................................................. 23

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

About FortiGate multicast

About this document

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

Fortinet Tools and Documentation CD

Fortinet Knowledge Center

Comments on Fortinet technical documentation

Customer service and technical support

Register your Fortinet product

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

FortiGate multicast forwarding

FortiGate multicast forwarding

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

Multicast forwarding and FortiGate units

FortiGate multicast forwarding

Multicast forwarding and FortiGate units

Multicast forwarding and RIPv2

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

FortiGate multicast forwarding

Configuring FortiGate multicast forwarding

Receiver_1 Receiver_3 Members of Multicast Group Receiver_2 Receiver_4 239.168.4.0

Sender on the Marketing network at IP address 192.168.5.18 multicasts to IP address 239.168.4.0

Configuring FortiGate multicast forwarding

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

Configuring FortiGate multicast forwarding

FortiGate multicast forwarding

Adding multicast firewall policies

Command syntax pattern

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

FortiGate multicast forwarding

Configuring FortiGate multicast forwarding

Keywords and variables protocol <integer> start-port <integer> end-port <integer>

Default No default No default No default

Enabling multicast forwarding

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

Configuring FortiGate multicast forwarding

FortiGate multicast forwarding

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

Configuring FortiGate multicast routing

config router multicast

Configuring FortiGate multicast routing

config router multicast

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

config router multicast

Configuring FortiGate multicast routing

Command syntax pattern

FortiGate Multicast Version 4.0 Technical note 01-400-96951-20090521 http://docs.fortinet.com/ Feedback

Configuring FortiGate multicast routing

config router multicast

config router multicast

Configuring FortiGate multicast routing

config router multicast

Note: All keywords are optional.

Variables igmp-state-limit <limit_integer>

multicast-routing {enable | disable}