Multicast addresses

Multicast addresses

Multicast addressing defines a specific range of address values set aside for them. Therefore all IPv4 multicast addresses should be between 224.0.0.0 and 239.255.255.255.

More information on the concepts behind Multicast addressing can be found in the Multicast Forwarding section.

Multicast IP range

This type of address will allow multicast broadcasts to a specified range of addresses.

Creating a multicast IP range address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New.

l If you use the down arrow next to Create New, select Address.

  1. Choose the Category, Multicast Address
  2. Input a Name for the address object.
  3. Select the Type,Multicast IP Range from the drop-down menu.
  4. Enter the value for the Multicast IP Range
  5. Select the Interface from the drop-down menu.
  6. Enable the Show in Address List function
  7. Input any additional information in the Comments
  8. Press

Example: Multicast IP range address

The company has a large high tech campus that has monitors in many of its meeting rooms. It is common practice for company wide notifications of importance to be done in a streaming video format with the CEO of the company addressing everyone at once.

The video is High Definition quality so takes up a lot of bandwidth. To minimize the impact on the network the network administrators have set things up to allow the use of multicasting to the monitors for these notifications. Now it has to be set up on the FortiGate firewall to allow the traffic.

l The range being used for the multicast is 239.5.5.10 to 239.5.5.200 l The interface on this FortiGate firewall will be on port 9

  1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information
Category Multicast Address
Name Meeting_Room_Displays
Type Multicast IP Range
Multicast IP Range 239.5.5.10-239.5.5.200
Interface port9
Show in Address List <enable>
Comments <Input into this field is optional>
  1. Select
  2. Enter the following CLI command:

config firewall multicast-address edit “meeting_room_display” set type multicastrange set associated-interface “port9” set start-ip 239.5.5.10 set end-ip 239.5.5.200 set visibility enable

next

end

To verify that the address range was added correctly:

  1. Go to Policy & Objects> Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall multicast-address

 

edit <the name of the address that you wish to verify> Show full-configuration

Broadcast subnet

This type of address will allow multicast broadcast to every node on a subnet.

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In theCategory field, choseMulticast Address.
  4. Input a Name for the address object.
  5. In the Type field, select Broadcast Subnetfrom the drop down menu.
  6. In the Broadcast Subnet field enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format of x.x.x.x/x.(Remember, it needs to be within the appropriate IP range 224.0.0.0 to 239.255.255.255)
  7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  9. Input any additional information in the Comments
  10. Press OK.

Example

Field Value
Category Broadcast Subnet
Name Corpnet-B
Type Broadcast Subnet
Broadcast Subnet 224.5.5.0/24
Interface any
Show in Address List [on]
Comments Corporate Network devices – Broadcast Group B

Multicast IP addresses

Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is reserved for multicast groups. The multicast address range applies to multicast groups, not to the originators of multicast packets. The following table lists the reserved multicast address ranges and describes what they are reserved for:

Reserved Multicast address ranges

Reserved

Address Range

Use Notes
224.0.0.0 to

224.0.0.255

Used for network protocols on local networks. For more information, see RFC 1700. In this range, packets are not forwarded by the router but remain on the local network. They have a Time to Live (TTL) of 1. These addresses are used for communicating routing information.
224.0.1.0 to

238.255.255.255

Global addresses used for multicasting data between organizations and across the Internet. For more information, see RFC 1700. Some of these addresses are reserved, for example, 224.0.1.1 is used for Network Time Protocol (NTP).
239.0.0.0 to

239.255.255.255

Limited scope addresses used for local groups and organizations. For more information, see RFC 2365. Routers are configured with filters to prevent multicasts to these addresses from leaving the local system.

Creating multicast security policies requires multicast firewall addresses. You can add multicast firewall addresses by going to Firewall Objects > Address > Addresses and selecting Create New > Multicast

Address. The factory default configuration includes multicast addresses for Bonjour (224.0.0.251-224.0.0.251, EIGRP (224.0.0.10-224.0.0.100), OSPF (224.0.0.5-224.0.0.60), all_hosts (224.0.0.1-224.0.0.1), and all_routers (224.0.0.2-224.0.0.2).


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.