FortiGate Multicast Version 4.0 Technical note Visit http://support.fortinet.com to register your FortiGate Multicast product. By registering you can receive product updates, technical support, and FortiGuard services.

FortiGate Multicast Tech Note 01-400-96951-20090521




FortiGate Multicast Technical note, Version 4.0, 21 May 2009, 01-400-96951-20090521

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Introduction ..... 5
    Revision history ..... 5
    About FortiGate multicast ..... 5
    About this document ..... 5
    Fortinet documentation ..... 6
        Fortinet Tools and Documentation CD ..... 6
        Fortinet Knowledge Center ..... 6
        Comments on Fortinet technical documentation ..... 6
    Customer service and technical support ..... 6
    Register your Fortinet product ..... 6

FortiGate multicast forwarding ..... 7
    Multicast IP addresses ..... 7
    Multicast forwarding and FortiGate units ..... 8
        Multicast forwarding and RIPv2 ..... 8
    Configuring FortiGate multicast forwarding ..... 9
        Adding multicast firewall policies ..... 10
        Enabling multicast forwarding ..... 11

Configuring FortiGate multicast routing ..... 13
    config router multicast ..... 13
        Sparse mode ..... 13
        Dense mode ..... 14
        Command syntax pattern ..... 14
        config router multicast ..... 16
        config interface ..... 17
        config pim-sm-global ..... 19

Multicast routing examples ..... 23
    Example FortiGate PIM-SM configuration using a static RP ..... 24
        Configuration steps ..... 24
    FortiGate PIM-SM debugging examples ..... 28
        Checking that the receiver has joined the required group ..... 29
        Checking the PIM-SM neighbors ..... 29
        Checking that the PIM router can reach the RP ..... 30
        Viewing the multicast routing table (FGT-3) ..... 30
        Viewing the PIM next-hop table ..... 31
        Viewing the PIM multicast forwarding table ..... 31
        Viewing the kernel forwarding table ..... 32
        Viewing the multicast routing table (FGT-2) ..... 32
        Viewing the multicast routing table (FGT-1) ..... 33

FortiGate Multicast Version 4.0 Technical note, 01-400-96951-20090521, http://docs.fortinet.com/


    Example multicast destination NAT (DNAT) configuration ..... 34
    Example PIM configuration that uses BSR to find the RP ..... 36
        Commands used in this example ..... 37
        Configuration steps ..... 39
        Example debug commands ..... 45


Introduction

This chapter introduces you to FortiGate multicast support for FortiOS v3.0 and the following topics:
• Revision history
• About FortiGate multicast
• About this document
• Fortinet documentation
• Customer service and technical support
• Register your Fortinet product

Revision history

Version                  Description of changes
01-400-96951-20090521    Update for FortiGate 4.0 including template change, diagram updates, feature and command updates.
01-30005-0426-20070914   Initial version. The initial version contains basic information about FortiGate v3.0 MR5 multicast support plus a number of PIM routing examples.

About FortiGate multicast

You can use multicasting (also called IP multicasting) to cause a source to send data to many receivers simultaneously, conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way data transmission for news feeds, financial information, and so on. RIPv2 also uses multicast to share routing table information.

This document describes how to configure FortiGate units to forward multicast packets and how to use FortiGate units as multicast routers.

About this document

This document provides some basic information about multicasting, describes FortiGate multicast support and contains a number of FortiGate multicast examples. This document contains the following chapters:
• FortiGate multicast forwarding describes the basics of FortiGate multicast forwarding in NAT and Transparent modes. This chapter also describes multicast firewall policies and how to enable multicast forwarding.
• Configuring FortiGate multicast routing describes using the config router multicast CLI command to configure FortiGate units to act as multicast routers.
• Multicast routing examples describes multicast routing configuration examples and also contains information about displaying multicast routing debug information.


Fortinet documentation The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Tools and Documentation CD

All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation see the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

Register your Fortinet product

You must register your Fortinet product to receive Fortinet customer services such as product updates and technical support. You must also register your product for FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention updates and for FortiGuard Web Filtering and AntiSpam. Register your product by visiting http://support.fortinet.com and selecting Product Registration. To register, enter your contact information and the serial numbers of the Fortinet products that you or your organization have purchased. You can register multiple Fortinet products in a single session without re-entering your contact information.


FortiGate multicast forwarding

Multicasting (also called IP multicasting) consists of using a single multicast source to send data to many receivers. Multicasting can be used to send data to many receivers simultaneously while conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of media streams to multiple receivers and for one-way data transmission for news feeds, financial information, and so on. RIPv2 also uses multicasting to share routing table information.

A multicast network typically consists of one or more multicast sources and one or more multicast receivers. Multicast sources send multicast packets and multicast receivers receive multicast packets. Usually there are various network components in between the sources and the receivers. These network components may just forward multicast packets or they may route multicast packets. Network components that route multicast packets are multicast routers.

Using a multicast router means that the source only needs to transmit a single stream of data to the multicast router. The multicast router routes the data to the receivers. The receivers can be single receivers or can be part of a multicast group. The multicast router makes decisions about how to route the packets to receivers and multicast groups. Typically the multicast router makes routing decisions based on the source and destination addresses of the multicast packets. The multicast router can also apply network address translation (NAT) to multicast packets.

This chapter describes configuring FortiGate units to forward multicast traffic and contains the following sections:
• Multicast IP addresses
• Multicast forwarding and FortiGate units
• Configuring FortiGate multicast forwarding

FortiGate units operating in NAT/Route mode can also be configured as multicast routers. You can configure a FortiGate unit to be a Protocol Independent Multicast (PIM) router operating in Sparse Mode (SM) or Dense Mode (DM). Configuring a FortiGate unit for multicast routing is described in “Configuring FortiGate multicast routing” on page 13. For multicast routing configuration examples, see “Multicast routing examples” on page 23.

Multicast IP addresses

Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is reserved for multicast groups. The multicast address range applies to multicast groups, not to the originators of multicast packets. Table 1 lists reserved multicast address ranges and describes what they are reserved for:

Table 1: Reserved multicast address ranges

Reserved address range: 224.0.0.0 to 224.0.0.255
    Use: Used for network protocols on local networks. For more information, see RFC 1700.
    Notes: In this range, packets are not forwarded by the router but remain on the local network. They have a Time to Live (TTL) of 1. These addresses are used for communicating routing information.

Reserved address range: 224.0.1.0 to 238.255.255.255
    Use: Global addresses used for multicasting data between organizations and across the Internet. For more information, see RFC 1700.
    Notes: Some of these addresses are reserved, for example, 224.0.1.1 is used for Network Time Protocol (NTP).

Reserved address range: 239.0.0.0 to 239.255.255.255
    Use: Limited scope addresses used for local groups and organizations. For more information, see RFC 2365.
    Notes: Routers are configured with filters to prevent multicasts to these addresses from leaving the local system.

Multicast forwarding and FortiGate units

In both Transparent mode and NAT/Route mode you can configure FortiGate units to forward multicast traffic. For a FortiGate unit to forward multicast traffic you must add FortiGate multicast firewall policies. Basic multicast firewall policies accept any multicast packets at one FortiGate interface and forward the packets out another FortiGate interface. You can also use multicast firewall policies to be selective about the multicast traffic that is accepted based on source and destination address, and to perform NAT on multicast packets.

In the example shown in Figure 1, a multicast source on the Marketing network with IP address 192.168.5.18 sends multicast packets to the members of network 239.168.4.0. At the FortiGate unit, the source IP address for multicast packets originating from workstation 192.168.5.18 is translated to 192.168.18.10. In this example, the FortiGate unit is not acting as a multicast router.

Multicast forwarding and RIPv2

RIPv2 uses multicast to share routing table information. If your FortiGate unit is installed on a network that includes RIPv2 routers, you must configure the FortiGate unit to forward multicast packets so that RIPv2 devices can share routing data through the FortiGate unit. No special FortiGate configuration is required to share RIPv2 data; you can simply use the information in the following sections to configure the FortiGate unit to forward multicast packets.

Note: RIPv1 uses broadcasting to share routing table information. To allow RIPv1 packets through a FortiGate unit you can add standard firewall policies. Firewall policies to accept RIPv1 packets can use the ANY predefined firewall service or the RIP predefined firewall service.


Figure 1: Example multicast network including a FortiGate unit that forwards multicast packets

[Diagram not reproduced. Labels in the figure: FortiGate-800 with internal IP 192.168.5.1, external IP 172.20.20.10 and DMZ IP 192.168.6.1; Marketing network 192.168.5.0/24; Development network 192.168.6.0/24; Internet. Sender on the Marketing network at IP address 192.168.5.18 multicasts to IP address 239.168.4.0. Multicast forwarding enabled with source address 192.168.5.18, source interface internal, destination address 239.168.4.0, destination interface external, NAT IP 192.168.18.10. Members of multicast group 239.168.4.0: Receiver_1, Receiver_2, Receiver_3, Receiver_4.]

Configuring FortiGate multicast forwarding

You configure FortiGate multicast forwarding from the Command Line Interface (CLI). Two steps are required:
• Adding multicast firewall policies
• Enabling multicast forwarding

The second step is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in Transparent mode, adding a multicast policy enables multicast forwarding.

Note: For most FortiOS v3.0 maintenance releases you do not have to enable multicast forwarding in Transparent mode.


Adding multicast firewall policies

You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require multicast firewall policies. You add multicast firewall policies from the CLI using the config firewall multicast-policy command. As with unicast firewall policies, you specify the source and destination interfaces and optionally the allowed address ranges for the source and destination addresses of the packets. You can also use multicast firewall policies to configure source NAT and destination NAT for multicast packets.

Keep the following in mind when configuring multicast firewall policies:
• The source IP address of a matched, forwarded (outgoing) IP multicast packet is changed to the configured NAT IP address.
• Source and destination interfaces are optional. If left blank, the multicast will be forwarded to ALL interfaces.
• Source and destination addresses are optional. If left unset, they match ALL addresses.
• The nat keyword is optional. Use it when source address translation is needed.

Command syntax pattern

    config firewall multicast-policy
        edit <id_integer>
            set action <accept | deny>
            set dnat <address>
            set dstaddr <address_ipv4mask>
            set dstintf <name_str>
            set nat <address_ipv4>
            set srcaddr <address_ipv4mask>
            set srcintf <name_str>
            set protocol <integer>
            set start-port <integer>
            set end-port <integer>
    end

Keywords and variables, description, default:

id_integer
    The unique ID number of this multicast policy. No default.

action <accept | deny>
    Enter the policy action. Default: accept.

dnat <address>
    Translate externally received multicast destination addresses to addresses that conform to your organization's internal addressing policy. Default: 0.0.0.0.

dstaddr <address_ipv4mask>
    Enter the destination IP address and netmask to match against multicast NAT packets. Default: 0.0.0.0 0.0.0.0.

dstintf <name_str>
    Enter the destination interface name to match against multicast NAT packets. No default.

nat <address_ipv4>
    Enter the IP address to substitute for the original source IP address. Default: 0.0.0.0.

srcaddr <address_ipv4mask>
    Enter the source IP address and netmask to match against multicast NAT packets. Default: 0.0.0.0 0.0.0.0.

srcintf <name_str>
    Enter the source interface name to match against multicast NAT packets. No default.


Example

This example shows how to configure the multicast firewall policy required for the configuration shown in Figure 1 on page 9. This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range 239.168.4.0. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface their source address is translated to 192.168.18.10.

    config firewall multicast-policy
        edit 5
            set srcaddr 192.168.5.18 255.255.255.255
            set srcintf internal
            set dstaddr 239.168.4.0 255.255.255.0
            set dstintf external
            set nat 192.168.18.10
        next
    end

This example shows how to configure a multicast firewall policy so that the FortiGate unit forwards multicast packets from a multicast server with IP address 10.10.10.10 that sends to multicast address 225.1.1.1. This server is on the network connected to the FortiGate DMZ interface. The second entry denies all other multicast traffic.

    config firewall multicast-policy
        edit 1
            set srcintf DMZ
            set srcaddr 10.10.10.10 255.255.255.255
            set dstintf Internal
            set dstaddr 225.1.1.1 255.255.255.255
            set action accept
        next
        edit 2
            set action deny
        next
    end

Enabling multicast forwarding

Multicast forwarding is disabled by default. In NAT mode you must use the multicast-forward keyword of the system settings CLI command to enable multicast forwarding. When multicast-forward is enabled, the FortiGate unit forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add firewall policies to actually allow multicast packets through the FortiGate. In our example, the firewall policy allows multicast packets received by the internal interface to exit to the external interface.

Enter the following CLI command to enable multicast forwarding:

    config system settings
        set multicast-forward enable
    end

Keywords and variables (continued from the config firewall multicast-policy table above):

protocol <integer>
    Limit the number of protocols (services) sent out via multicast using the FortiGate. No default.

start-port <integer>
    The beginning of the port range used for multicast. No default.

end-port <integer>
    The end of the port range used for multicast. No default.

Note: Enabling multicast forwarding is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in Transparent mode, adding a multicast policy enables multicast forwarding.


If multicast forwarding is disabled, the FortiGate unit drops packets that have multicast source or destination addresses. You can also use the multicast-ttl-notchange keyword of the system settings command so that the FortiGate unit does not change the TTL value of forwarded multicast packets. You should use this option only if packets are expiring before reaching the multicast router.

    config system settings
        set multicast-ttl-notchange enable
    end
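To make the forwarding rules of this chapter concrete, the following is an added Python model (constructed for this note, not Fortinet code) of the Table 1 address classes, multicast-policy matching with the unset-means-ALL semantics, source NAT, and the TTL handling of multicast-forward and multicast-ttl-notchange. It assumes policies are evaluated in the order they are listed and that a packet matching no policy is dropped; the interface names and addresses are taken from the two policy examples above.

```python
"""Constructed model of FortiGate multicast forwarding as described in this
note: Table 1 address classes, config firewall multicast-policy matching
(unset = ALL), source NAT, and the TTL rules of multicast-forward and
multicast-ttl-notchange. Not Fortinet code; policy order and the implicit
drop for unmatched packets are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


def multicast_scope(addr: str) -> str:
    """Classify an IPv4 address using the ranges of Table 1."""
    ip = IPv4Address(addr)
    if not ip.is_multicast:                    # outside 224.0.0.0/4
        return "unicast"
    if ip in IPv4Network("224.0.0.0/24"):      # TTL 1, stays on the link
        return "link-local"
    if ip in IPv4Network("239.0.0.0/8"):       # RFC 2365 limited scope
        return "limited-scope"
    return "global"                            # 224.0.1.0 - 238.255.255.255


@dataclass
class MulticastPolicy:
    """One edit entry of config firewall multicast-policy. None models an
    unset keyword, which the note says matches ALL interfaces/addresses."""
    policy_id: int
    action: str = "accept"
    srcintf: Optional[str] = None
    dstintf: Optional[str] = None
    srcaddr: Optional[str] = None   # "ip netmask" exactly as typed in the CLI
    dstaddr: Optional[str] = None
    nat: Optional[str] = None       # replacement source IP on egress

    @staticmethod
    def _in_range(spec: Optional[str], addr: str) -> bool:
        if spec is None:
            return True
        ip, mask = spec.split()
        return IPv4Address(addr) in IPv4Network(f"{ip}/{mask}", strict=False)

    def matches(self, src_ip: str, dst_ip: str, in_if: str, out_if: str) -> bool:
        return (self.srcintf in (None, in_if)
                and self.dstintf in (None, out_if)
                and self._in_range(self.srcaddr, src_ip)
                and self._in_range(self.dstaddr, dst_ip))


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    ttl: int
    interface: str     # interface the packet arrived on (or leaves by)


def forward(pkt: Packet, out_if: str, policies: List[MulticastPolicy],
            multicast_forward: bool = True,
            ttl_notchange: bool = False) -> Optional[Packet]:
    """Return the packet as it would leave out_if, or None if it is dropped.
    Checks follow the note: multicast-forward must be enabled (NAT mode),
    the TTL must be 2 or higher, the receiving interface is excluded, and
    a multicast policy must accept the packet."""
    if multicast_scope(pkt.dst_ip) == "unicast":
        raise ValueError("destination is not a multicast group address")
    if not multicast_forward or out_if == pkt.interface or pkt.ttl < 2:
        return None
    for pol in policies:                        # assumed: listed order
        if pol.matches(pkt.src_ip, pkt.dst_ip, pkt.interface, out_if):
            if pol.action != "accept":
                return None
            new_ttl = pkt.ttl if ttl_notchange else pkt.ttl - 1
            return Packet(pol.nat or pkt.src_ip, pkt.dst_ip, new_ttl, out_if)
    return None                                 # no policy matched: dropped


# The two policies from the examples above, transcribed into the model.
FIGURE1_POLICIES = [MulticastPolicy(5, srcintf="internal", dstintf="external",
                                    srcaddr="192.168.5.18 255.255.255.255",
                                    dstaddr="239.168.4.0 255.255.255.0",
                                    nat="192.168.18.10")]
DMZ_POLICIES = [MulticastPolicy(1, srcintf="DMZ", dstintf="Internal",
                                srcaddr="10.10.10.10 255.255.255.255",
                                dstaddr="225.1.1.1 255.255.255.255"),
                MulticastPolicy(2, action="deny")]

if __name__ == "__main__":
    pkt = Packet("192.168.5.18", "239.168.4.7", 5, "internal")
    print(forward(pkt, "external", FIGURE1_POLICIES))  # NATed, TTL 4
    print(forward(pkt, "dmz", FIGURE1_POLICIES))       # None: dstintf mismatch
```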


Configuring FortiGate multicast routing

This chapter contains a copy of the description of the config router multicast CLI command. You use the config router multicast command to configure the FortiGate unit to act as a Protocol Independent Multicast (PIM) version 2 router. From the FortiGate web-based manager you can go to Router > Dynamic > Multicast to configure basic PIM options. From the web-based manager you can configure sparse mode or dense mode operation on any FortiGate interface. For information about the web-based manager PIM options, see the web-based manager online help or the FortiGate Administration Guide.

config router multicast

A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 4601) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. Multicast routing is only available in the root virtual domain. It is not supported in Transparent mode (TP mode).

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points (RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured.

Sparse mode

Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to which each RP sends the multicast address or addresses of the multicast group(s) that it can service. The selected BSR chooses one RP per multicast group and makes this information available to all of the PIM routers in the domain through bootstrap messages. PIM routers use the information to build packet distribution trees, which map each multicast group to a specific RP. Packet distribution trees may also contain information about the sources and receivers associated with particular multicast groups.

Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.

Note: When a FortiGate interface is configured as a multicast interface, sparse mode is enabled on it by default to ensure that distribution trees are not built unless at least one downstream receiver requests multicast traffic from a specific source. If the sources of multicast traffic and their receivers are close to each other and the PIM domain contains a dense population of active receivers, you may choose to enable dense mode throughout the PIM domain instead.


An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and pruning the information contained in distribution trees, a single stream of multicast packets (for example, a video feed) originating from the source can be forwarded to a certain RP to reach a multicast destination.

Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which neighboring PIM router join and prune messages are sent. An MRIB contains reverse-path information that reveals the path of a multicast packet from its source to the PIM router that maintains the MRIB.

To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally elected DR registers the sender with the RP that is associated with the target multicast group. The RP uses its MRIB to forward a single stream of IP packets from the source to the members of the multicast group. The IP packets are replicated only when necessary to distribute the data to branches of the RP’s distribution tree.

To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP) version 1 (RFC 1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a particular multicast group. The locally elected DR receives the request and adds the host to the multicast group that is associated with the connected network segment by sending a join message towards the RP for the group. Afterward, the DR queries the hosts on the connected network segment continually to determine whether the hosts are active. When the DR no longer receives confirmation that at least one member of the multicast group is still active, the DR sends a prune message towards the RP for the group.

Dense mode

The packet organization used in sparse mode is also used in dense mode. When a multicast source begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from the multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM routers initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers that have requested traffic for multicast group address G can access the information if needed. To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages from downstream PIM routers to determine if receivers are actually present on directly connected network segments. The PIM routers exchange state refresh messages to update their distribution trees. FortiGate units store this state information in a Tree Information Base (TIB), which is used to build a multicast forwarding table. The information in the multicast forwarding table determines whether packets are forwarded downstream. The forwarding table is updated whenever the TIB is modified.

PIM routers receive data streams every few minutes and update their forwarding tables using the source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is stopped by PIM routers that do not have downstream receivers: PIM routers that do not manage multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic for multicast address G, the closest PIM router sends a graft message upstream to begin receiving multicast packets.
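The sparse-mode join/prune mechanics described above, as an added Python model (not FortiOS code; the four-router topology, the router names and the MRIB next hops are constructed for the example): each router keeps a (*,G) outgoing-interface list, a DR sends a join towards the RP along the reverse path only when it first gains interest in a group, the source's DR registers with the RP, and prunes propagate upstream only while no receivers remain below.

```python
"""Constructed model of the PIM sparse-mode behaviour described above: a DR
that learns of an IGMP member sends a join hop by hop towards the RP along
its MRIB (reverse path), building (*,G) outgoing-interface state, and sends
a prune when its last member leaves. Not FortiOS code; topology and names
are invented for the example."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple


class PimSparseDomain:
    def __init__(self, rp: str, mrib: Dict[str, Optional[str]]):
        self.rp = rp
        # MRIB: unicast next hop from each router towards the RP (None at RP)
        self.mrib = mrib
        # oil[router][group] = downstream neighbours (or "local" for hosts on
        # the router's own segment) to which the group is forwarded
        self.oil: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
        self.messages: List[Tuple[str, str, str, str]] = []  # (from, type, group, to)

    # --- receiver side: IGMP report/leave handled by the segment's DR ---
    def igmp_report(self, dr: str, group: str) -> None:
        self._join(dr, group, "local")

    def igmp_leave(self, dr: str, group: str) -> None:
        self.oil[dr][group].discard("local")
        if not self.oil[dr][group]:
            self._prune(dr, group)

    def _join(self, router: str, group: str, downstream: str) -> None:
        oil = self.oil[router][group]
        on_tree = bool(oil)
        oil.add(downstream)
        upstream = self.mrib[router]
        # Only the first downstream interest triggers a join upstream
        if upstream is not None and not on_tree:
            self.messages.append((router, "join", group, upstream))
            self._join(upstream, group, router)

    def _prune(self, router: str, group: str) -> None:
        upstream = self.mrib[router]
        if upstream is None:            # reached the RP, nothing above it
            return
        self.messages.append((router, "prune", group, upstream))
        self.oil[upstream][group].discard(router)
        if not self.oil[upstream][group]:
            self._prune(upstream, group)     # no receivers left below upstream

    # --- source side: the source's DR registers with the RP ---
    def source_sends(self, source_dr: str, group: str) -> Tuple[Set[str], int]:
        """Register the source with the RP, then deliver down the shared tree.
        Returns the DRs that hand the stream to local hosts and the number
        of router-to-router copies made (replication only at branches)."""
        self.messages.append((source_dr, "register", group, self.rp))
        receivers: Set[str] = set()
        copies, stack = 0, [self.rp]
        while stack:
            router = stack.pop()
            for hop in self.oil[router][group]:
                if hop == "local":
                    receivers.add(router)
                else:
                    stack.append(hop)
                    copies += 1
        return receivers, copies


def build_demo() -> PimSparseDomain:
    # Constructed topology: RP at the top, A and B adjacent to it, C behind B.
    return PimSparseDomain("RP", {"RP": None, "A": "RP", "B": "RP", "C": "B"})
```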

Command syntax pattern

    config router multicast
        set igmp-state-limit <limit_integer>
        set multicast-routing {enable | disable}
        set route-limit <limit_integer>
        set route-threshold <threshold_integer>
        config interface
            edit <interface_name>
                set cisco-exclude-genid {enable | disable}
                set dr-priority <priority_integer>
                set hello-holdtime <holdtime_integer>
                set hello-interval <hello_integer>
                set neighbour-filter <access_list_name>
                set passive {enable | disable}
                set pim-mode {sparse-mode | dense-mode}
                set propagation-delay <delay_integer>
                set rp-candidate {enable | disable}
                set rp-candidate-group <access_list_name>
                set rp-candidate-interval <interval_integer>
                set rp-candidate-priority <priority_integer>
                set state-refresh-interval <refresh_integer>
                set ttl-threshold <ttl_integer>
                config join-group
                    edit address <address_ipv4>
                end
                config igmp
                    set access-group <access_list_name>
                    set immediate-leave-group <access_list_name>
                    set last-member-query-count <count_integer>
                    set last-member-query-interval <interval_integer>
                    set query-interval <interval_integer>
                    set query-max-response-time <time_integer>
                    set query-timeout <timeout_integer>
                    set router-alert-check {enable | disable}
                    set version {1 | 2 | 3}
                end
        end
        config pim-sm-global
            set accept-register-list <access_list_name>
            set bsr-allow-quick-refresh {enable | disable}
            set bsr-candidate {enable | disable}
            set bsr-priority <priority_integer>
            set bsr-interface <interface_name>
            set bsr-hash <hash_integer>
            set cisco-crp-prefix {enable | disable}
            set cisco-ignore-rp-set-priority {enable | disable}
            set cisco-register-checksum {enable | disable}
            set cisco-register-checksum-group <access_list_name>
            set message-interval <interval_integer>
            set register-rate-limit <rate_integer>
            set register-rp-reachability {enable | disable}
            set register-source {disable | interface | ip-address}
            set register-source-interface <interface_name>
            set register-source-ip <address_ipv4>
            set register-suppression <suppress_integer>
            set rp-register-keepalive <keepalive_integer>
            set spt-threshold {enable | disable}
            set spt-threshold-group <access_list_name>
            set ssm {enable | disable}
            set ssm-range <access_list_name>
            config rp-address
                edit <rp_id>
                    set ip-address <address_ipv4>
                    set group <access_list_name>
            end
        end
    end


config router multicast

You can configure a FortiGate unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping information and, if required, processes the multicast traffic associated with specific multicast groups.

Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user could type in a class D multicast group address, an alias for the multicast group address, or a call-conference number to initiate the session. Rather than sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use the one multicast group address to forward multicast packets to multiple destinations. Because one destination address is used, a single stream of data can be sent. Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be delivered to them; end-users may use phone books, a menu of ongoing or future sessions, or some other method through a user interface to select the address of interest. A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D addresses must be assigned in advance. Because there is no way to determine in advance if a certain multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch to a different multicast address).

To configure a PIM domain

1 If you will be using sparse mode, determine appropriate paths for multicast packets.
2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing protocol.
3 If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs, record the IP addresses of the PIM-enabled interfaces on those RPs.
4 Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate units, use the config router multicast command to set global operating parameters.
5 Configure the PIM routers that have good connections throughout the PIM domain to be candidate BSRs.
6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
7 If required, adjust the default settings of PIM-enabled interface(s).

Note: The end-user multicast client-server applications must be installed and configured to initiate Internet connections and handle broadband content such as audio/video information.

Note: All keywords are optional.

Variables / Description / Default

igmp-state-limit <limit_integer>
    If memory consumption is an issue, specify a limit on the number of IGMP states (multicast memberships) that the FortiGate unit will store. The value represents the maximum combined number of IGMP states (multicast memberships) that can be handled by all interfaces. Traffic associated with excess IGMP membership reports is not delivered. The range is from 96 to 64 000.
    Default: 3200

multicast-routing {enable | disable}
    Enable or disable PIM routing.
    Default: disable


route-limit <limit_integer>
    If memory consumption is an issue, set a limit on the number of multicast routes that can be added to the FortiGate routing table. The range is from 1 to 2 147 483 674.
    Default: 2147483674

route-threshold <threshold_integer>
    Specify the number of multicast routes that can be added to the FortiGate routing table before a warning message is displayed. The route-threshold value must be lower than the route-limit value. The range is from 1 to 2 147 483 674.
    Default: 2147483674

config interface

Use this subcommand to change interface-related PIM settings, including the mode of operation (sparse or dense). Global settings do not override interface-specific settings.

Note: All keywords are optional.

Variables / Description / Default

edit <interface_name>
    Enter the name of the FortiGate interface on which to enable PIM protocols.
    Default: No default.

cisco-exclude-genid {enable | disable}
    This keyword applies only when pim-mode is sparse-mode. Enable or disable including a generation ID in hello messages sent to neighboring PIM routers. A GenID value may be included for compatibility with older Cisco IOS routers.
    Default: disable

dr-priority <priority_integer>
    This keyword applies only when pim-mode is sparse-mode. Assign a priority to FortiGate DR candidacy. The range is from 1 to 4 294 967 294. The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected.
    Default: 1

hello-holdtime <holdtime_integer>
    Specify the amount of time (in seconds) that a PIM neighbor may consider the information in a hello message to be valid. The range is from 1 to 65 535. If the hello-interval attribute is modified and the hello-holdtime attribute has never been set explicitly, the hello-holdtime attribute is set to 3.5 x hello-interval automatically.
    Default: 105

hello-interval <hello_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending hello messages to neighboring PIM routers. The range is from 1 to 65 535. Changing the hello-interval attribute may update the hello-holdtime attribute automatically.
    Default: 30

neighbour-filter <access_list_name>
    Establish or terminate adjacency with PIM neighbors having the IP addresses given in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference.
    Default: Null.

passive {enable | disable}
    Enable or disable PIM communications on the interface without affecting IGMP communications.
    Default: disable

pim-mode {sparse-mode | dense-mode}
    Select the PIM mode of operation:
    • Select sparse-mode to manage PIM packets through distribution trees and multicast groups.
    • Select dense-mode to enable multicast flooding.
    Default: sparse-mode


propagation-delay <delay_integer>
    This keyword is available when pim-mode is set to dense-mode. Specify the amount of time (in milliseconds) that the FortiGate unit waits to send prune-override messages. The range is from 100 to 5 000.
    Default: 500

rp-candidate {enable | disable}
    This keyword is available when pim-mode is set to sparse-mode. Enable or disable the FortiGate interface to offer Rendezvous Point (RP) services.
    Default: disable

rp-candidate-group <access_list_name>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode. Specify for which multicast groups RP candidacy is advertised based on the multicast group prefixes given in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference.
    Default: Null.

rp-candidate-interval <interval_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode. Set the amount of time (in seconds) that the FortiGate unit waits between sending RP announcement messages. The range is from 1 to 16 383.
    Default: 60

rp-candidate-priority <priority_integer>
    This keyword is available when rp-candidate is set to enable and pim-mode is set to sparse-mode. Assign a priority to FortiGate RP candidacy. The range is from 0 to 255. The BSR compares the value to that of other RP candidates that can service the same multicast group, and the router having the highest RP priority is selected to be the RP for that multicast group. If two RP priority values are the same, the RP candidate having the highest IP address on its RP interface is selected.
    Default: 192

state-refresh-interval <refresh_integer>
    This keyword is available when pim-mode is set to dense-mode. This attribute is used when the FortiGate unit is connected directly to the multicast source. Set the amount of time (in seconds) that the FortiGate unit waits between sending state-refresh messages. The range is from 1 to 100. When a state-refresh message is received by a downstream router, the prune state on the downstream router is refreshed.
    Default: 60

ttl-threshold <ttl_integer>
    Specify the minimum Time-To-Live (TTL) value (in hops) that an outbound multicast packet must have in order to be forwarded from the interface. Specifying a high value (for example, 195) prevents PIM packets from being forwarded through the interface. The range is from 0 to 255.
    Default: 1

config join-group variables

edit address <address_ipv4>
    Cause the FortiGate interface to activate (IGMP join) the multicast group associated with the specified multicast group address.
    Default: No default.

config igmp variables

access-group <access_list_name>
    Specify which multicast groups hosts on the connected network segment may join based on the multicast addresses given in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference.
    Default: Null.

immediate-leave-group <access_list_name>
    This keyword applies when version is set to 2 or 3. Configure a FortiGate DR to stop sending traffic and IGMP queries to receivers after receiving an IGMP version 2 group-leave message from any member of the multicast groups identified in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference.
    Default: Null.


last-member-query-count <count_integer>
    This keyword applies when version is set to 2 or 3. Specify the number of times that a FortiGate DR sends an IGMP query to the last member of a multicast group after receiving an IGMP version 2 group-leave message.
    Default: 2

last-member-query-interval <interval_integer>
    This keyword applies when version is set to 2 or 3. Set the amount of time (in milliseconds) that a FortiGate DR waits for the last member of a multicast group to respond to an IGMP query. The range is from 1000 to 25 500. If no response is received before the specified time expires and the FortiGate DR has already sent an IGMP query last-member-query-count times, the FortiGate DR removes the member from the group and sends a prune message to the associated RP.
    Default: 1000

query-interval <interval_integer>
    Set the amount of time (in seconds) that a FortiGate DR waits between sending IGMP queries to determine which members of a multicast group are active. The range is from 1 to 65 535.
    Default: 125

query-max-response-time <time_integer>
    Set the maximum amount of time (in seconds) that a FortiGate DR waits for a member of a multicast group to respond to an IGMP query. The range is from 1 to 25. If no response is received before the specified time expires, the FortiGate DR removes the member from the group.
    Default: 10

query-timeout <timeout_integer>
    Set the amount of time (in seconds) that must expire before a FortiGate unit begins sending IGMP queries to the multicast group that is managed through the interface. The range is from 60 to 300. A FortiGate unit begins sending IGMP queries if it does not receive regular IGMP queries from another DR through the interface.
    Default: 255

router-alert-check {enable | disable}
    Enable to require the Router Alert option in IGMP packets.
    Default: disabled

version {1 | 2 | 3}
    Specify the version number of IGMP to run on the interface. The value can be 1, 2, or 3. The value must match the version used by all other PIM routers on the connected network segment.
    Default: 3

config pim-sm-global

These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not override interface-specific PIM settings.

If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by specifying the IP address of the RP through the config rp-address subcommand. The IP address must be directly accessible to the DR. If multicast packets from more than one multicast group can pass through the same RP, you can use an access list to specify the associated multicast group addresses.

Note: To send multicast packets to a particular RP using the config rp-address subcommand, the ip-address keyword is required. All other keywords are optional.

Variables / Description / Default

accept-register-list <access_list_name>
    Cause a FortiGate RP to accept or deny register packets from the source IP addresses given in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference.
    Default: Null.

bsr-allow-quick-refresh {enable | disable}
    Enable or disable accepting BSR quick refresh packets from neighbors.
    Default: disable


bsr-candidate {enable | disable}
    Enable or disable the FortiGate unit to offer its services as a Boot Strap Router (BSR) when required.
    Default: disable

bsr-priority <priority_integer>
    This keyword is available when bsr-candidate is set to enable. Assign a priority to FortiGate BSR candidacy. The range is from 0 to 255. The value is compared to that of other BSR candidates and the candidate having the highest priority is selected to be the BSR. If two BSR priority values are the same, the BSR candidate having the highest IP address on its BSR interface is selected.
    Default: 0

bsr-interface <interface_name>
    This keyword is available when bsr-candidate is set to enable. Specify the name of the PIM-enabled interface through which the FortiGate unit may announce BSR candidacy.
    Default: Null.

bsr-hash <hash_integer>
    This keyword is available when bsr-candidate is set to enable. Set the length of the mask (in bits) to apply to multicast group addresses in order to derive a single Rendezvous Point (RP) for one or more multicast groups. The range is from 0 to 32. For example, a value of 24 means that the first 24 bits of the group address are significant. All multicast groups having the same seed hash belong to the same RP.
    Default: 10

cisco-crp-prefix {enable | disable}
    Enable or disable a FortiGate RP that has a group prefix number of 0 to communicate with a Cisco BSR. You may choose to enable the attribute if required for compatibility with older Cisco BSRs.
    Default: disable

cisco-ignore-rp-set-priority {enable | disable}
    Enable or disable a FortiGate BSR to recognize Cisco RP-SET priority values when deriving a single RP for one or more multicast groups. You may choose to enable the attribute if required for compatibility with older Cisco RPs.
    Default: disable

cisco-register-checksum {enable | disable}
    Enable or disable performing a register checksum on entire PIM packets. A register checksum is performed on the header only by default. You may choose to enable register checksums on the whole packet for compatibility with older Cisco IOS routers.
    Default: disable

cisco-register-checksum-group <access_list_name>
    This keyword is available when cisco-register-checksum is set to enable. Identify on which PIM packets to perform a whole-packet register checksum based on the multicast group addresses in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference. You may choose to enable register checksums on entire PIM packets for compatibility with older Cisco IOS routers.
    Default: Null.

message-interval <interval_integer>
    Set the amount of time (in seconds) that the FortiGate unit waits between sending periodic PIM join/prune messages (sparse mode) or prune messages (dense mode). The value must be identical to the message interval value set on all other PIM routers in the PIM domain. The range is from 1 to 65 535.
    Default: 60

register-rate-limit <rate_integer>
    Set the maximum number of register messages per (S,G) per second that a FortiGate DR can send for each PIM entry in the routing table. The range is from 0 to 65 535, where 0 means an unlimited number of register messages per second.
    Default: 0

register-rp-reachability {enable | disable}
    Enable or disable a FortiGate DR to check if an RP is accessible prior to sending register messages.
    Default: enable


register-source {disable | interface | ip-address}
    If the FortiGate unit acts as a DR, enable or disable changing the IP source address of outbound register packets to one of the following IP addresses. The IP address must be accessible to the RP so that the RP can respond to the IP address with a Register-Stop message:
    • To retain the IP address of the FortiGate DR interface that faces the RP, select disable.
    • To change the IP source address of a register packet to the IP address of a particular FortiGate interface, select interface. The register-source-interface attribute specifies the interface name.
    • To change the IP source address of a register packet to a particular IP address, select ip-address. The register-source-ip attribute specifies the IP address.
    Default: ip-address

register-source-interface <interface_name>
    This keyword is available when register-source is set to interface. Enter the name of the FortiGate interface.
    Default: Null.

register-source-ip <address_ipv4>
    This keyword is available when register-source is set to ip-address. Enter the IP source address to include in the register message.
    Default: 0.0.0.0

register-suppression <suppress_integer>
    Enter the amount of time (in seconds) that a FortiGate DR waits to start sending data to an RP after receiving a Register-Stop message from the RP. The range is from 1 to 65 535.
    Default: 60

rp-register-keepalive <keepalive_integer>
    If the FortiGate unit acts as an RP, set the frequency (in seconds) with which the FortiGate unit sends keepalive messages to a DR. The range is from 1 to 65 535. The two routers exchange keepalive messages to maintain a link for as long as the source continues to generate traffic. If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute has never been set explicitly, the rp-register-keepalive attribute is set to (3 x register-suppression) + 5 automatically.
    Default: 185

spt-threshold {enable | disable}
    Enable or disable the FortiGate unit to build a Shortest Path Tree (SPT) for forwarding multicast packets.
    Default: enable

spt-threshold-group <access_list_name>
    This keyword is available when spt-threshold is set to enable. Build an SPT only for the multicast group addresses given in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference.
    Default: Null.

ssm {enable | disable}
    This keyword is available when the IGMP version is set to 3. Enable or disable Source Specific Multicast (SSM) interactions (see RFC 3569).
    Default: enable

ssm-range <access_list_name>
    This keyword is available when ssm is set to enable. Enable SSM only for the multicast addresses given in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference. By default, multicast addresses in the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions.
    Default: Null.

config rp-address variables

Applies only when pim-mode is sparse-mode.

edit <rp_id>
    Enter an ID number for the static RP address entry. The number must be an integer.
    Default: No default.

ip-address <address_ipv4>
    Specify a static IP address for the RP.
    Default: 0.0.0.0

group <access_list_name>
    Configure a single static RP for the multicast group addresses given in the specified access list. For more information, see “access-list” in the FortiGate CLI Reference. If an RP for any of these group addresses is already known to the BSR, the static RP address is ignored and the RP known to the BSR is used instead.
    Default: Null.


Example

This example shows how to enable a FortiGate unit to support PIM routing in sparse mode and enable BSR candidacy on the dmz interface:

config router multicast
    set multicast-routing enable
    config interface
        edit dmz
            set pim-mode sparse-mode
        end
    end
    config pim-sm-global
        set bsr-candidate enable
        set bsr-priority 1
        set bsr-interface dmz
        set bsr-hash 24
    end

This example shows how to enable RP candidacy on the port1 interface for the multicast group addresses given through an access list named multicast_port1:

config router multicast
    set multicast-routing enable
    config interface
        edit port1
            set pim-mode sparse-mode
            set rp-candidate enable
            set rp-candidate-group multicast_port1
            set rp-candidate-priority 15
        end
    end
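As an added example (not code from this technical note or from Fortinet), the following Python script parses a config router multicast block written in the CLI form shown in this chapter and checks the constraints the variable tables document: the value ranges, route-threshold below route-limit, the keywords that only apply when rp-candidate or bsr-candidate is enabled, and the two defaults the tables say are derived automatically (hello-holdtime = 3.5 x hello-interval, rp-register-keepalive = (3 x register-suppression) + 5). The sample configuration, the interface name dmz and the access list name multicast_dmz are constructed for the example.

```python
"""Parse a FortiOS 'config router multicast' block and check the constraints
this technical note documents.  Added example, not Fortinet code; the parser
and the sample configuration are constructed for illustration."""

# Constructed sample: the BSR example from this note plus two deliberate
# mistakes (route-threshold above route-limit, rp-candidate-group without
# rp-candidate enable) and two keywords whose companions are derived.
SAMPLE_CONFIG = """
config router multicast
    set multicast-routing enable
    set route-limit 1000
    set route-threshold 2000
    config interface
        edit dmz
            set pim-mode sparse-mode
            set hello-interval 20
            set rp-candidate-group multicast_dmz
        next
    end
    config pim-sm-global
        set bsr-candidate enable
        set bsr-interface dmz
        set bsr-hash 24
        set register-suppression 30
    end
end
"""

# Documented (low, high) ranges for some of the integer keywords.
RANGES = {"igmp-state-limit": (96, 64000), "route-limit": (1, 2147483674),
          "route-threshold": (1, 2147483674), "hello-interval": (1, 65535),
          "hello-holdtime": (1, 65535), "ttl-threshold": (0, 255),
          "bsr-priority": (0, 255), "bsr-hash": (0, 32),
          "rp-candidate-priority": (0, 255), "register-suppression": (1, 65535)}

def parse_fortios(text):
    """Turn FortiOS CLI text into nested dicts.  'config X' and 'edit Y' open
    a level, 'set K V' stores V, 'next' closes an edit and 'end' closes the
    enclosing config together with any edit still open inside it."""
    root = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        kw, rest = words[0], words[1:]
        if kw in ("config", "edit"):
            child = {}
            stack[-1][1][" ".join(rest).strip('"')] = child
            stack.append((kw, child))
        elif kw == "set":
            stack[-1][1][rest[0]] = " ".join(rest[1:]).strip('"')
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root

def check_ranges(section, where, findings):
    for key, (lo, hi) in RANGES.items():
        if key in section and not lo <= int(section[key]) <= hi:
            findings.append(f"{where}: {key} {section[key]} outside {lo}..{hi}")

def lint_multicast(text):
    """Return a list of findings for one router's configuration (empty = clean)."""
    cfg = parse_fortios(text).get("router multicast", {})
    findings = []
    check_ranges(cfg, "global", findings)
    if ("route-limit" in cfg and "route-threshold" in cfg
            and int(cfg["route-threshold"]) >= int(cfg["route-limit"])):
        findings.append("global: route-threshold must be lower than route-limit")
    interfaces = cfg.get("interface", {})
    for name, intf in interfaces.items():
        where = f"interface {name}"
        check_ranges(intf, where, findings)
        sparse = intf.get("pim-mode", "sparse-mode") == "sparse-mode"
        if "hello-interval" in intf and "hello-holdtime" not in intf:
            # Documented: holdtime is set to 3.5 x hello-interval automatically.
            hold = 3.5 * int(intf["hello-interval"])
            findings.append(f"{where}: hello-holdtime will be set to {hold:g}")
        rp_ok = sparse and intf.get("rp-candidate", "disable") == "enable"
        for key in ("rp-candidate-group", "rp-candidate-interval",
                    "rp-candidate-priority"):
            if key in intf and not rp_ok:
                findings.append(f"{where}: {key} needs rp-candidate enable "
                                "and pim-mode sparse-mode")
    sm = cfg.get("pim-sm-global", {})
    check_ranges(sm, "pim-sm-global", findings)
    if sm.get("bsr-candidate", "disable") != "enable":
        for key in ("bsr-priority", "bsr-interface", "bsr-hash"):
            if key in sm:
                findings.append(f"pim-sm-global: {key} needs bsr-candidate enable")
    elif "bsr-interface" in sm and sm["bsr-interface"] not in interfaces:
        findings.append("pim-sm-global: bsr-interface is not under config interface")
    if "register-suppression" in sm and "rp-register-keepalive" not in sm:
        # Documented: keepalive is set to (3 x register-suppression) + 5.
        keep = 3 * int(sm["register-suppression"]) + 5
        findings.append(f"pim-sm-global: rp-register-keepalive will be set to {keep}")
    return findings

if __name__ == "__main__":
    for finding in lint_multicast(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter reports the threshold/limit inversion, the rp-candidate-group keyword that has no effect without rp-candidate enable, and the two values that the unit will derive on its own; a configuration that follows the note's own examples produces no findings. The parser treats end the way the FortiOS CLI does, closing an open edit as well as the enclosing config, so the examples in this chapter that close an edit with end rather than next parse correctly.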


Multicast routing examples

This chapter contains the following multicast routing configuration examples and information:
• Example FortiGate PIM-SM configuration using a static RP
• FortiGate PIM-SM debugging examples
• Example multicast destination NAT (DNAT) configuration
• Example PIM configuration that uses BSR to find the RP

Figure 2: Example FortiGate PIM-SM topology (diagram not reproduced). Labels shown in the figure: Cisco_3750_1 router, RP for group 233.234.200.x (169.254.100.1 loopback0); Cisco_3750_2 router; Cisco_3750_3 router; FortiGate-800 with interfaces external (.253) and internal (.1); networks 10.31.138.0/24 (VLAN 138), 10.31.130.0/24 (VLAN 130), 10.31.128.128/30 and 169.254.82.0/24; Multicast Source 169.254.82.1 sending to 233.254.200.1; Receiver (.129) for group 233.254.200.1; switch ports FE0/23 (.250), FE0/23 (.250), FE0/23 (.130), FE0/24 (.1) and FE0/24 (.250).


Example FortiGate PIM-SM configuration using a static RP

The example Protocol Independent Multicast Sparse Mode (PIM-SM) configuration shown in Figure 2 has been tested for multicast interoperability using PIM-SM between Cisco 3750 switches running 12.2 and a FortiGate-800 running FortiOS v3.0 MR5 patch 1. In this configuration, the receiver receives the multicast stream when it joins the group 233.254.200.1. The configuration uses a statically configured rendezvous point (RP) which resides on the Cisco_3750_1. Using a bootstrap router (BSR) was not tested in this example. See “Example PIM configuration that uses BSR to find the RP” on page 36 for an example that uses a BSR.

Configuration steps

The following procedures show how to configure the multicast configuration settings for the devices in the example configuration.
• Cisco_3750_1 router configuration
• Cisco_3750_2 router configuration
• To configure the FortiGate-800 unit
• Cisco_3750_3 router configuration

Cisco_3750_1 router configuration

version 12.2
!
hostname Cisco-3750-1
!
switch 1 provision ws-c3750-24ts
ip subnet-zero
ip routing
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface Loopback0
 ip address 169.254.100.1 255.255.255.255
!
interface FastEthernet1/0/23
 switchport access vlan 182
 switchport mode access
!
interface FastEthernet1/0/24
 switchport access vlan 172
 switchport mode access
!
interface Vlan172
 ip address 10.31.138.1 255.255.255.0
 ip pim sparse-mode
 ip igmp query-interval 125
 ip mroute-cache distributed


!
interface Vlan182
 ip address 169.254.82.250 255.255.255.0
 ip pim sparse-mode
 ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 169.254.82.1
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
!
ip access-list standard Source-RP
 permit 233.254.200.0 0.0.0.255

Cisco_3750_2 router configuration

version 12.2
!
hostname Cisco-3750-2
!
switch 1 provision ws-c3750-24ts
ip subnet-zero
ip routing
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet1/0/23
 switchport access vlan 138
 switchport mode access
!
interface FastEthernet1/0/24
 switchport access vlan 182
 switchport mode access
!
interface Vlan138
 ip address 10.31.138.250 255.255.255.0
 ip pim sparse-mode
 ip mroute-cache distributed
!
interface Vlan182
 ip address 169.254.82.1 255.255.255.0
 ip pim sparse-mode
 ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.138.253
ip route 169.254.100.1 255.255.255.255 169.254.82.250
ip http server
ip pim rp-address 169.254.100.1 Source-RP


!
!
ip access-list standard Source-RP
 permit 233.254.200.0 0.0.0.255

To configure the FortiGate-800 unit

1 Configure the internal and external interfaces.

config system interface
    edit "internal"
        set vdom "root"
        set ip 10.31.130.1 255.255.255.0
        set allowaccess ping https
        set type physical
    next
    edit "external"
        set vdom "root"
        set ip 10.31.138.253 255.255.255.0
        set allowaccess ping
        set type physical
    end
end

2 Add a firewall address for the RP.

config firewall address
    edit "RP"
        set subnet 169.254.100.1/32
    end

3 Add standard firewall policies to allow traffic to reach the RP.

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "RP"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "RP"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    end

4 Add the multicast firewall policy.

config firewall multicast-policy
    edit 1
        set dstaddr 233.254.200.0 255.255.255.0
        set dstintf "internal"
        set srcaddr 169.254.82.0 255.255.255.0


        set srcintf "external"
    end

5 Add an access list.

config router access-list
    edit "Source-RP"
        config rule
            edit 1
                set prefix 233.254.200.0 255.255.255.0
                set exact-match disable
            next
        end

6 Add some static routes.

config router static
    edit 1
        set device "internal"
        set gateway 10.31.130.250
    next
    edit 2
        set device "external"
        set dst 169.254.0.0 255.255.0.0
        set gateway 10.31.138.250
    next

7 Configure multicast routing.

config router multicast
    config interface
        edit "internal"
            set pim-mode sparse-mode
            config igmp
                set version 2
            end
        next
        edit "external"
            set pim-mode sparse-mode
            config igmp
                set version 2
            end
        next
    end
    set multicast-routing enable
    config pim-sm-global
        config rp-address
            edit 1
                set ip-address 169.254.100.1
                set group "Source-RP"
            next

Cisco_3750_3 router configuration

version 12.2
!
hostname Cisco-3750-3
!
switch 1 provision ws-c3750-24ts


ip subnet-zero
ip routing
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet1/0/23
 switchport access vlan 128
 switchport mode access
!
interface FastEthernet1/0/24
 switchport access vlan 130
 switchport mode access
!
interface Vlan128
 ip address 10.31.128.130 255.255.255.252
 ip pim sparse-mode
 ip mroute-cache distributed
!
interface Vlan130
 ip address 10.31.130.250 255.255.255.0
 ip pim sparse-mode
 ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.130.1
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
!
ip access-list standard Source-RP
 permit 233.254.200.0 0.0.0.255

FortiGate PIM-SM debugging examples

Using the example topology shown in Figure 3, you can trace the multicast streams and states within the three FortiGate units (FGT-1, FGT-2, and FGT-3) using the debug commands described in this section. The command output in this section is taken from a FortiGate unit running FortiOS v3.0 MR5 patch 1 when the multicast stream is flowing correctly from source to receiver.


Figure 3: PIM-SM debugging topology (diagram not reproduced). Labels shown in the figure: Multicast Source (.11) sending to group 239.255.255.1; network 10.166.0.0/24; FGT-1 (.237) with interfaces external and internal; network 10.130.0.0/24; FGT-2 (.156), RP 192.168.1.1/32 (loopback), with interfaces external and internal; network 10.132.0.0/24; FGT-3 (.226) with interfaces port2 and port3; Receiver (.62) on network 10.167.0.0/24.

Checking that the receiver has joined the required group

From the last hop router, FGT-3, you can use the following command to check that the receiver has correctly joined the required group.

FGT-3 # get router info multicast igmp groups
IGMP Connected Group Membership
Group Address    Interface  Uptime    Expires   Last Reporter
239.255.255.1    port3      00:31:15  00:04:02  10.167.0.62

Only one receiver is displayed for a particular group: the device that responded to the IGMP query request from FGT-3. If a receiver is active, the expire time should drop to approximately 2 minutes before being refreshed.

Checking the PIM-SM neighbors

Next, the PIM-SM neighbors should be checked. A PIM router becomes a neighbor when the PIM router receives a PIM hello. Use the following command to display the PIM-SM neighbors of FGT-3.

FGT-3 # get router info multicast pim sparse-mode neighbour
Neighbor      Interface  Uptime/Expires     Ver  DR
Address                                          Priority/Mode
10.132.0.156  port2      01:57:12/00:01:33  v2   1 /

Checking that the PIM router can reach the RP

The rendezvous point (RP) must be reachable for the PIM router (FGT-3) to be able to send the *,G join to request the stream. This can be checked for FGT-3 using the following command:

FGT-3 # get router info multicast pim sparse-mode rp-mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static RP: 192.168.1.1
    Uptime: 07:23:00

Viewing the multicast routing table (FGT-3)

The FGT-3 unicast routing table can be used to determine the path taken to reach the RP at 192.168.1.1. You can then check the stream state entries using the following commands:

FGT-3 # get router info multicast pim sparse-mode table
IP Multicast Routing Table

(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0

Breaking down each entry in detail:

(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: JOINED
  Local:    port3
  Joined:
  Asserted:
FCR:

The RP is always listed in a *,G entry, together with the RPF neighbor and interface index. In this topology these are the same in all downstream PIM routers. The state is active, so the upstream state is joined.

(*,*,RP) Entries
State that may be reached by general joins for all groups served by a specified RP.

(*,G) Entries
State that maintains the RP tree for a given group.

(S,G) Entries
State that maintains a source-specific tree for source S and group G.

(S,G,rpt) Entries
State that maintains source-specific information about source S on the RP tree for G. For example, if a source is being received on the source-specific tree, it will normally have been pruned off the RP tree.

FCR Entries
The FCR state entries track the sources in the (*,G) when an (S,G) entry is not available for any reason; the stream would typically be flowing when this state exists.


In this case FGT-3 is the last hop router so the IGMP join is received locally on port3. There is no PIM outgoing interface listed for this entry as it is used for the upstream PIM join.

(10.166.0.11, 239.255.255.1)
RPF nbr: 10.132.0.156
RPF idx: port2
SPT bit: 1
Upstream State: JOINED
  Local:
  Joined:
  Asserted:
  Outgoing: port3

This is the entry for the SPT; no RP is listed. The S,G stream will be forwarded out of the stated outgoing interface.

(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: NOT PRUNED
  Local:
  Pruned:
  Outgoing:

The above S,G,RPT state is created for all streams that have both an S,G and a *,G entry on the router. It is not pruned in this case because of the topology: the RP and the source are reachable over the same interface.

Although not seen in this scenario, assert states may be seen when multiple PIM routers exist on the same LAN, which can lead to more than one upstream router having a valid forwarding state. Assert messages are used to elect a single forwarder from the upstream devices.

Viewing the PIM next-hop table

The PIM next-hop table is also very useful for checking the various states; it can be used to quickly identify the states of multiple multicast streams.

FGT-3 # get router info multicast pim sparse-mode next-hop
Flags: N = New, R = RP, S = Source, U = Unreachable
Destination   Type  Nexthop  Nexthop       Nexthop  Metric  Pref  Refcnt
                    Num      Addr          Ifindex
___________________________________________________________________________
10.166.0.11   ..S.  1        10.132.0.156  9        21      110   3
192.168.1.1   .R..  1        10.132.0.156  9        111     110   2

Viewing the PIM multicast forwarding table

You can also check the multicast forwarding table, which shows the ingress and egress ports of the multicast stream.

FGT-3 # get router info multicast table
IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.166.0.11, 239.255.255.1), uptime 04:02:55, stat expires 00:02:25
Owner PIM-SM, Flags: TF
  Incoming interface: port2
  Outgoing interface list:
    port3 (TTL threshold 1)

Viewing the kernel forwarding table

The kernel forwarding table can also be verified; it should give similar information to the previous command:

FGT-3 # diag ip multicast mroute
grp=239.255.255.1 src=10.166.0.11 intf=9 flags=(0x10000000)[ ]
    status=resolved last_assert=2615136 bytes=1192116 pkt=14538 wrong_if=0
    num_ifs=1 index(ttl)=[6(1),]

Viewing the multicast routing table (FGT-2)

If you check the output on FGT-2 there are some small differences:

FGT-2 # get router info multicast pim sparse-mode table
IP Multicast Routing Table

(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0

(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: JOINED
  Local:
  Joined:   external
  Asserted:
FCR:

The *,G entry now has a joined interface rather than local because it has received a PIM join from FGT-3 rather than a local IGMP join.

(10.166.0.11, 239.255.255.1)
RPF nbr: 10.130.0.237
RPF idx: internal
SPT bit: 1
Upstream State: JOINED
  Local:
  Joined:   external
  Asserted:
  Outgoing: external


The S,G entry shows that we have received a join on the external interface and the stream is being forwarded out of this interface.

(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: PRUNED
  Local:
  Pruned:
  Outgoing: External

The S,G,RPT entry is different from FGT-3 because FGT-2 is the RP; it has pruned back the SPT for the RP to the first hop router.

Viewing the multicast routing table (FGT-1)

FGT-1 again has some differences with regard to the PIM-SM states: there is no *,G entry because it is not in the path between a receiver and the RP.

FGT-1_master # get router info multicast pim sparse-mode table
IP Multicast Routing Table

(*,*,RP) Entries: 0
(*,G) Entries: 0
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0

The S,G entry below is the SPT termination because this FortiGate unit is the first hop router; the RPF neighbor always shows as 0.0.0.0 because the source is local to this device. Both the joined and outgoing fields show external because the PIM join was received on, and the stream egresses from, this interface.

(10.166.0.11, 239.255.255.1)
RPF nbr: 0.0.0.0
RPF idx: None
SPT bit: 1
Upstream State: JOINED
  Local:
  Joined:   external
  Asserted:
  Outgoing: external

The stream has been pruned back from the RP because the end-to-end SPT is flowing; there is no requirement for the stream to be sent to the RP in this case.

(10.166.0.11, 239.255.255.1, rpt)
RP: 0.0.0.0
RPF nbr: 10.130.0.156
RPF idx: external
Upstream State: RPT NOT JOINED
  Local:
  Pruned:
  Outgoing:


Example multicast destination NAT (DNAT) configuration

The example topology shown in Figure 4 and described below shows how to configure destination NAT (DNAT) for two multicast streams. Both of these streams originate from the same source IP address, which is 10.166.0.11. The example configuration keeps the streams separate by creating two multicast NAT policies. In this example the FortiGate units in Figure 4 have the following roles:
• FGT-1 is the RP for the dirty networks, 233.0.0.0/8.
• FGT-2 performs all firewall and DNAT translations.
• FGT-3 is the RP for the clean networks, 239.254.0.0/16.
• FGT-1 and FGT-3 are functioning as PIM enabled routers and could be replaced by any PIM enabled router. This example only describes the configuration of FGT-2.

FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following translated multicast streams:
• If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.2.2.1, FGT-3 translates the source and destination IPs to 192.168.20.1 and 239.254.1.1.
• If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.3.3.1, FGT-3 translates the source and destination IPs to 192.168.20.10 and 239.254.3.1.


Figure 4: Example multicast DNAT topology

(Figure 4 labels: Multicast Source, IP 10.166.0.11/24 on 10.166.0.0/24, groups 233.2.2.1 and 233.3.3.1; FGT-1, RP for groups 233.0.0.0/8; 10.125.0.0/24; FGT-2 (FW), port6 and port7, loopback interface 192.168.20.1/24, static join configured for group 233.2.2.1; NAT of source IP 10.166.0.11 / destination IP 233.2.2.1 to source IP 192.168.20.1 / destination IP 239.254.1.1, and of source IP 10.166.0.11 / destination IP 233.3.3.1 to source IP 192.168.20.10 / destination IP 239.254.3.1; 10.126.0.0/24; FGT-3, BSR and RP for group 239.254.0.0/16; 10.127.0.0/24; Multicast Receiver, IP 10.127.0.62/24, groups 239.254.1.1 and 239.254.3.1)

To configure FGT-2 for DNAT multicast

1  Add a loopback interface. In the example, the loopback interface is named loopback.

config system interface
    edit "loopback"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set type loopback
    next
end

2  Add PIM and add a unicast routing protocol to the loopback interface as if it were a normal routed interface. Also add static joins to the loopback interface for any groups to be translated.

config router multicast
    config interface
        edit "loopback"
            set pim-mode sparse-mode
            config join-group
                edit 233.2.2.1
                next
                edit 233.3.3.1
                next
            end
        next
    end
end

3  In this example, to add firewall multicast policies, different source IP addresses are required, so you must first add an IP pool:

config firewall ippool
    edit "Multicast_source"
        set endip 192.168.20.20
        set interface "port6"
        set startip 192.168.20.10
    next
end

4  Add the translation firewall policies. Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1, the DNAT policy, uses an address from the IP pool.

config firewall multicast-policy
    edit 1
        set dnat 239.254.3.1
        set dstaddr 233.3.3.1 255.255.255.255
        set dstintf "loopback"
        set nat 192.168.20.10
        set srcaddr 10.166.0.11 255.255.255.255
        set srcintf "port6"
    next
    edit 2
        set dnat 239.254.1.1
        set dstaddr 233.2.2.1 255.255.255.255
        set dstintf "loopback"
        set nat 192.168.20.1
        set srcaddr 10.166.0.11 255.255.255.255
        set srcintf "port6"
    next
end

5  Add a firewall multicast policy to forward the stream from the loopback interface to the physical outbound interface. This example is an any/any policy that makes sure traffic accepted by the other multicast policies can exit the FortiGate unit.

config firewall multicast-policy
    edit 3
        set dstintf "port7"
        set srcintf "loopback"
    next
end
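To see how the three FGT-2 policies act on the two streams, the following is an added Python model (not Fortinet code) that parses the policy CLI from steps 4 and 5 and applies a simplified lookup. The lookup rules are assumptions made for illustration: policies are tried top-down and the first match wins, no match means the packet is not forwarded, and a packet handed to the loopback is looked up a second time from the loopback; the third group 233.4.4.1 is a constructed, unlisted stream.

```python
"""Model of the FGT-2 multicast policy lookup for the DNAT example.

Added example, not Fortinet code. It parses the three policies from
steps 4 and 5 and applies a simplified first-match lookup (assumption).
"""
import ipaddress

# Constructed copy of the FGT-2 policies shown in steps 4 and 5.
FGT2_POLICIES = """
config firewall multicast-policy
    edit 1
        set dnat 239.254.3.1
        set dstaddr 233.3.3.1 255.255.255.255
        set dstintf "loopback"
        set nat 192.168.20.10
        set srcaddr 10.166.0.11 255.255.255.255
        set srcintf "port6"
    next
    edit 2
        set dnat 239.254.1.1
        set dstaddr 233.2.2.1 255.255.255.255
        set dstintf "loopback"
        set nat 192.168.20.1
        set srcaddr 10.166.0.11 255.255.255.255
        set srcintf "port6"
    next
    edit 3
        set dstintf "port7"
        set srcintf "loopback"
    next
end
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_policies(text):
    """Turn `config firewall multicast-policy` CLI into an ordered list of dicts."""
    policies, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "edit":
            current = {"id": int(parts[1])}
        elif parts[0] == "set" and current is not None:
            key, vals = parts[1], [p.strip('"') for p in parts[2:]]
            if key in ("srcaddr", "dstaddr"):
                # "IP MASK" pair; ipaddress accepts a dotted netmask after the slash
                current[key] = ipaddress.ip_network(f"{vals[0]}/{vals[1]}", strict=False)
            else:
                current[key] = vals[0]
        elif parts[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def matches(policy, src, dst, in_intf):
    """A policy matches on ingress interface plus source/group address;
    a missing srcaddr or dstaddr means any address."""
    return (policy.get("srcintf") == in_intf
            and ipaddress.ip_address(src) in policy.get("srcaddr", ANY)
            and ipaddress.ip_address(dst) in policy.get("dstaddr", ANY))


def trace_stream(policies, src, dst, in_intf="port6", loopbacks=("loopback",)):
    """Follow one stream through the unit. Returns a list of hops
    (policy id, egress interface, source, group); a final hop whose
    policy id is "drop" means no policy matched (assumed default deny).

    Assumed model: first match wins; `nat`/`dnat` rewrite source and group;
    a stream delivered to the loopback is looked up again from the loopback."""
    hops = []
    while True:
        hit = next((p for p in policies if matches(p, src, dst, in_intf)), None)
        if hit is None:
            hops.append(("drop", in_intf, src, dst))
            return hops
        src, dst = hit.get("nat", src), hit.get("dnat", dst)
        hops.append((hit["id"], hit["dstintf"], src, dst))
        if hit["dstintf"] not in loopbacks:
            return hops
        in_intf = hit["dstintf"]


if __name__ == "__main__":
    pols = parse_policies(FGT2_POLICIES)
    for group in ("233.2.2.1", "233.3.3.1", "233.4.4.1"):  # 233.4.4.1 is constructed
        print(group, trace_stream(pols, "10.166.0.11", group))
```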

Example PIM configuration that uses BSR to find the RP

This example shows how to configure multicast routing for a network consisting of four FortiGate-500A units (FortiGate-500A_1 to FortiGate-500A_4, see Figure 5). A multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to reach Receiver 1 and Receiver 2.


The configuration uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under the interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

This example describes:
• Commands used in this example
• Configuration steps
• Example debug commands

Figure 5: PIM network topology using BSR to find the RP

(Figure 5 labels: Sender, Cisco 3640 router; FortiGate-500A_2; FortiGate-500A_1, RP for 237.1.1.1, with groups 237.1.1.1 and 238.1.1.1; Cisco 3550 switch; Cisco 2611 router; Receiver 1; FortiGate-500A_3, RP for others, priority 256; FortiGate-500A_4, RP for others, priority 1; Receiver 2)

Commands used in this example

This example uses CLI commands for the following configuration settings:
• Adding a loopback interface (lo0)
• Defining the multicast routing
• Adding the NAT multicast policy

Adding a loopback interface (lo0)

Where required, the following command is used to define a loopback interface named lo0.

config system interface
    edit "lo0"
        set vdom "root"
        set ip 1.4.50.4 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type loopback
    next
end

Defining the multicast routing

In this example, the following command syntax is used to define multicast routing. The example uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under the interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

config router multicast
    config interface
        edit "port6"
            set pim-mode sparse-mode
        next
        edit "port1"
            set pim-mode sparse-mode
        next
        edit "lo0"
            set pim-mode sparse-mode
            set rp-candidate enable
            config join-group
                edit 236.1.1.1
                next
            end
            set rp-candidate-priority 1
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-allow-quick-refresh enable
        set bsr-candidate enable
        set bsr-interface "lo0"
        set bsr-priority 200
    end
end

Adding the NAT multicast policy

In this example, the incoming multicast policy does the address translation. The NAT address should be the same as the IP address of the loopback interface. The DNAT address is the translated address, which should be a new group.

config firewall multicast-policy
    edit 1
        set dstintf "port6"
        set srcintf "lo0"
    next
    edit 2
        set dnat 238.1.1.1
        set dstintf "lo0"
        set nat 1.4.50.4
        set srcintf "port1"
    next
end


Configuration steps

In this sample, FortiGate-500A_1 is the RP for the groups 228.1.1.1, 237.1.1.1, and 238.1.1.1, and FortiGate-500A_4 is the RP for the other groups, with a priority of 1. OSPF is used in this example to distribute routes, including the loopback interface. All firewalls have full mesh firewall policies to allow any to any.
• In the FortiGate-500A_1 configuration, the NAT policy translates source address 236.1.1.1 to 237.1.1.1.
• In the FortiGate-500A_4 configuration, the NAT policy translates source 236.1.1.1 to 238.1.1.1.
• Source 236.1.1.1 is injected into the network as well.

The following procedures include the CLI commands for configuring each of the FortiGate units in the example configuration.

To configure FortiGate-500A_1

1  Configure multicast routing.

config router multicast
    config interface
        edit "port5"
            set pim-mode sparse-mode
        next
        edit "port4"
            set pim-mode sparse-mode
        next
        edit "lan"
            set pim-mode sparse-mode
        next
        edit "port1"
            set pim-mode sparse-mode
        next
        edit "lo999"
            set pim-mode sparse-mode
        next
        edit "lo0"
            set pim-mode sparse-mode
            set rp-candidate enable
            set rp-candidate-group "1"
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-candidate enable
        set bsr-interface "lo0"
    end
end

2  Add multicast firewall policies.

config firewall multicast-policy
    edit 1
        set dstintf "port5"
        set srcintf "port4"
    next
    edit 2
        set dstintf "port4"
        set srcintf "port5"
    next
    edit 3
    next
end

3  Add router access lists.

config router access-list
    edit "1"
        config rule
            edit 1
                set prefix 228.1.1.1 255.255.255.255
                set exact-match enable
            next
            edit 2
                set prefix 237.1.1.1 255.255.255.255
                set exact-match enable
            next
            edit 3
                set prefix 238.1.1.1 255.255.255.255
                set exact-match enable
            next
        end
    next
end

To configure FortiGate-500A_2

1  Configure multicast routing.

config router multicast
    config interface
        edit "lan"
            set pim-mode sparse-mode
        next
        edit "port5"
            set pim-mode sparse-mode
        next
        edit "port2"
            set pim-mode sparse-mode
        next
        edit "port4"
            set pim-mode sparse-mode
        next
        edit "lo_5"
            set pim-mode sparse-mode
            config join-group
                edit 236.1.1.1
                next
            end
        next
    end
    set multicast-routing enable
end

2  Add multicast firewall policies.

config firewall multicast-policy
    edit 1
        set dstintf "lan"
        set srcintf "port5"
    next
    edit 2
        set dstintf "port5"
        set srcintf "lan"
    next
    edit 4
        set dstintf "lan"
        set srcintf "port2"
    next
    edit 5
        set dstintf "port2"
        set srcintf "lan"
    next
    edit 7
        set dstintf "port1"
        set srcintf "port2"
    next
    edit 8
        set dstintf "port2"
        set srcintf "port1"
    next
    edit 9
        set dstintf "port5"
        set srcintf "port2"
    next
    edit 10
        set dstintf "port2"
        set srcintf "port5"
    next
    edit 11
        set dnat 237.1.1.1
        set dstintf "lo_5"
        set nat 5.5.5.5
        set srcintf "port2"
    next
    edit 12
        set dstintf "lan"
        set srcintf "lo_5"
    next
    edit 13
        set dstintf "port1"
        set srcintf "lo_5"
    next
    edit 14
        set dstintf "port5"
        set srcintf "lo_5"
    next
    edit 15
        set dstintf "port2"
        set srcintf "lo_5"
    next
    edit 16
    next
end

To configure FortiGate-500A_3

1  Configure multicast routing.

config router multicast
    config interface
        edit "port5"
            set pim-mode sparse-mode
        next
        edit "port6"
            set pim-mode sparse-mode
        next
        edit "lo0"
            set pim-mode sparse-mode
            set rp-candidate enable
            set rp-candidate-priority 255
        next
        edit "lan"
            set pim-mode sparse-mode
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-candidate enable
        set bsr-interface "lo0"
    end
end

2  Add multicast firewall policies.

config firewall multicast-policy
    edit 1
        set dstintf "port5"
        set srcintf "port6"
    next
    edit 2
        set dstintf "port6"
        set srcintf "port5"
    next
    edit 3
        set dstintf "port6"
        set srcintf "lan"
    next
    edit 4
        set dstintf "lan"
        set srcintf "port6"
    next
    edit 5
        set dstintf "port5"
        set srcintf "lan"
    next
    edit 6
        set dstintf "lan"
        set srcintf "port5"
    next
end

To configure FortiGate-500A_4

1  Configure multicast routing.

config router multicast
    config interface
        edit "port6"
            set pim-mode sparse-mode
        next
        edit "lan"
            set pim-mode sparse-mode
        next
        edit "port1"
            set pim-mode sparse-mode
        next
        edit "lo0"
            set pim-mode sparse-mode
            set rp-candidate enable
            config join-group
                edit 236.1.1.1
                next
            end
            set rp-candidate-priority 1
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-allow-quick-refresh enable
        set bsr-candidate enable
        set bsr-interface "lo0"
        set bsr-priority 1
    end
end

2  Add multicast firewall policies.

config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "port6"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "port1"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "port6"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 5
        set srcintf "port1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 6
        set srcintf "lan"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 7
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 8
        set srcintf "port6"
        set dstintf "lo0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 9
        set srcintf "port1"
        set dstintf "lo0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 10
        set srcintf "lan"
        set dstintf "lo0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

Example debug commands

You can use the following CLI commands to view information about, and the status of, the multicast configuration. This section includes get and diagnose commands and some sample output.

get router info multicast pim sparse-mode table 236.1.1.1

get router info multicast pim sparse-mode neighbour

Neighbor     Interface  Uptime/Expires     Ver  DR
Address                                         Priority/Mode
83.97.1.2    port6      02:22:01/00:01:44  v2   1 / DR

diagnose ip multicast mroute

grp=236.1.1.1 src=19.2.1.1 intf=7 flags=(0x10000000)[ ] status=resolved
    last_assert=171963 bytes=1766104 pkt=1718 wrong_if=1 num_ifs=2
    index(ttl)=[6(1),10(1),]
grp=236.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ] status=resolved
    last_assert=834864 bytes=4416 pkt=138 wrong_if=0 num_ifs=2
    index(ttl)=[7(1),6(1),]
grp=238.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ] status=resolved
    last_assert=834864 bytes=1765076 pkt=1717 wrong_if=0 num_ifs=1
    index(ttl)=[7(1),]
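The mroute lines above, and the FGT-3 kernel forwarding table shown in the PIM-SM debugging section, are dense key=value records that are easy to misread by eye. The following added Python parser (not Fortinet code) turns both dumps into dictionaries and flags entries worth a second look: an unresolved status, a non-zero wrong_if counter (packets that arrived on an interface other than the upstream RPF interface, which is what a topology change or a source appearing on an unexpected segment produces), and an index(ttl) list that disagrees with num_ifs. The health rules are the example's own heuristics; the two sample outputs are copied from this document.

```python
"""Parse `diagnose ip multicast mroute` output and flag entries worth checking.

Added example, not Fortinet code. The health rules below are heuristics
chosen for this example; the two samples are copied from this document.
"""
import re

# FGT-3 output from the PIM-SM debugging section (copied from the document).
FGT3_MROUTE = """\
grp=239.255.255.1 src=10.166.0.11 intf=9 flags=(0x10000000)[ ]
status=resolved last_assert=2615136 bytes=1192116 pkt=14538 wrong_if=0
num_ifs=1 index(ttl)=[6(1),]
"""

# FortiGate-500A_4 output from the BSR example (copied from the document).
BSR_MROUTE = """\
grp=236.1.1.1 src=19.2.1.1 intf=7 flags=(0x10000000)[ ] status=resolved
last_assert=171963 bytes=1766104 pkt=1718 wrong_if=1 num_ifs=2 index(ttl)=[6(1),10(1),]
grp=236.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ] status=resolved
last_assert=834864 bytes=4416 pkt=138 wrong_if=0 num_ifs=2 index(ttl)=[7(1),6(1),]
grp=238.1.1.1 src=1.4.50.4 intf=10 flags=(0x10000000)[ ] status=resolved
last_assert=834864 bytes=1765076 pkt=1717 wrong_if=0 num_ifs=1 index(ttl)=[7(1),]
"""

# key=value tokens; the flags value "(0x...)[ ]" contains a space and the
# index(ttl) value is a bracketed list, so both get their own alternative.
TOKEN = re.compile(r"(?P<key>[\w()]+)=(?P<val>\([^)]*\)\[[^\]]*\]|\[[^\]]*\]|\S+)")
INT_KEYS = {"intf", "last_assert", "bytes", "pkt", "wrong_if", "num_ifs"}


def parse_mroute(text):
    """Return one dict per (grp, src) entry; entries may wrap across lines."""
    entries = []
    flat = " ".join(text.split())
    for chunk in re.split(r"\s(?=grp=)", flat):
        if not chunk.startswith("grp="):
            continue
        entry = {}
        for m in TOKEN.finditer(chunk):
            key, val = m.group("key"), m.group("val")
            if key == "index(ttl)":
                # outgoing interfaces as (ifindex, ttl threshold) pairs
                entry["oifs"] = [(int(i), int(t)) for i, t in re.findall(r"(\d+)\((\d+)\)", val)]
            elif key in INT_KEYS:
                entry[key] = int(val)
            else:
                entry[key] = val
        entries.append(entry)
    return entries


def check_entry(e):
    """List the problems found in one entry (empty list = looks healthy)."""
    issues = []
    if e.get("status") != "resolved":
        issues.append("status is not resolved: no usable upstream (RPF) path")
    if e.get("wrong_if", 0) > 0:
        # packets that arrived on an interface other than the RPF interface
        issues.append(f"wrong_if={e['wrong_if']}: packets failed the RPF check")
    if e.get("pkt", 0) == 0:
        issues.append("no packets forwarded yet")
    oifs = e.get("oifs", [])
    if len(oifs) != e.get("num_ifs", 0):
        issues.append("index(ttl) list does not match num_ifs")
    if any(ifindex == e.get("intf") for ifindex, _ in oifs):
        issues.append("incoming interface is also in the outgoing list")
    return issues


def audit(text):
    """Map (group, source) to its list of issues for a whole mroute dump."""
    return {(e["grp"], e["src"]): check_entry(e) for e in parse_mroute(text)}


if __name__ == "__main__":
    for name, dump in (("FGT-3", FGT3_MROUTE), ("FortiGate-500A_4", BSR_MROUTE)):
        for key, issues in audit(dump).items():
            print(name, key, issues or "ok")
```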

get router info multicast igmp groups

IGMP Connected Group Membership
Group Address  Interface  Uptime    Expires   Last Reporter
236.1.1.1      lan        00:45:48  00:03:21  10.4.1.1
236.1.1.1      lo0        02:19:31  00:03:23  1.4.50.4

get router info multicast pim sparse-mode interface

Address    Interface  VIFindex  Ver/   Nbr    DR     DR
                                Mode   Count  Prior
10.4.1.2   lan        2         v2/S   0      1      10.4.1.2
83.97.1.1  port6      0         v2/S   1      1      83.97.1.2
1.4.50.4   lo0        3         v2/S   0      1      1.4.50.4

get router info multicast pim sparse-mode rp-mapping

PIM Group-to-RP Mappings
This system is the Bootstrap Router (v2)
Group(s): 224.0.0.0/4
  RP: 1.4.50.4
    Info source: 1.4.50.4, via bootstrap, priority 1
    Uptime: 02:20:32, expires: 00:01:58
  RP: 1.4.50.3
    Info source: 1.4.50.3, via bootstrap, priority 255
    Uptime: 02:20:07, expires: 00:02:24
Group(s): 228.1.1.1/32
  RP: 1.4.50.1
    Info source: 1.4.50.1, via bootstrap, priority 192
    Uptime: 02:18:24, expires: 00:02:06
Group(s): 237.1.1.1/32
  RP: 1.4.50.1
    Info source: 1.4.50.1, via bootstrap, priority 192
    Uptime: 02:18:24, expires: 00:02:06
Group(s): 238.1.1.1/32
  RP: 1.4.50.1
    Info source: 1.4.50.1, via bootstrap, priority 192
    Uptime: 02:18:24, expires: 00:02:06

get router info multicast pim sparse-mode bsr-info

PIMv2 Bootstrap information
This system is the Bootstrap Router (BSR)
  BSR address: 1.4.50.4
  Uptime: 02:23:08, BSR Priority: 1, Hash mask length: 10
  Next bootstrap message in 00:00:18
  Role: Candidate BSR
  State: Elected BSR
Candidate RP: 1.4.50.4(lo0)
  Advertisement interval 60 seconds
  Next Cand_RP_advertisement in 00:00:54
