Example PIM configuration that uses BSR to find the RP

This example shows how to configure multicast routing for a network consisting of four FortiGate-500A units (FortiGate-500A_1 to FortiGate-500A_4). A multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to reach Receiver 1 and Receiver 2.
The configuration uses a Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source). This example describes:

  • Commands used in this example
  • Configuration steps
  • Example debug commands

 

PIM network topology using BSR to find the RP

Commands used in this example

 

This example uses CLI commands for the following configuration settings:

  • Adding a loopback interface (lo0)
  • Defining the multicast routing
  • Adding the NAT multicast policy

 

Adding a loopback interface (lo0)

Where required, the following command is used to define a loopback interface named lo0.

config system interface
    edit lo0
        set vdom root
        set ip 1.4.50.4 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type loopback
    next
end

 

Defining the multicast routing

In this example, the following command syntax is used to define multicast routing.

The example uses a Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

config router multicast
    config interface
        edit port6
            set pim-mode sparse-mode
        next
        edit port1
            set pim-mode sparse-mode
        next
        edit lo0
            set pim-mode sparse-mode
            set rp-candidate enable
            config join-group
                edit 236.1.1.1
                next
            end
            set rp-candidate-priority 1
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-allow-quick-refresh enable
        set bsr-candidate enable
        set bsr-interface lo0
        set bsr-priority 200
    end
end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Example multicast destination NAT (DNAT) configuration

The example topology shown and described below illustrates how to configure destination NAT (DNAT) for two multicast streams. Both streams originate from the same source IP address, 10.166.0.11. The example configuration keeps the streams separate by creating two multicast NAT policies. In this example the FortiGate units have the following roles:

  • FGT-1 is the RP for dirty networks, 233.0.0.0/8.
  • FGT-2 performs all firewall and DNAT translations.
  • FGT-3 is the RP for the clean networks, 239.254.0.0/16.
  • FGT-1 and FGT-3 function as PIM-enabled routers and could be replaced by any PIM-enabled router. This example only describes the configuration of FGT-2. FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following translated multicast streams:
  • If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.2.2.1, FGT-3 translates the source and destination IPs to 192.168.20.1 and 239.254.1.1.
  • If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.3.3.1, FGT-3 translates the source and destination IPs to 192.168.20.10 and 239.254.3.1.

 

Example multicast DNAT topology

 

To configure FGT-2 for DNAT multicast

1. Add a loopback interface. In the example, the loopback interface is named loopback.

config system interface
    edit loopback
        set vdom root
        set ip 192.168.20.1 255.255.255.0
        set type loopback
    next
end

2. Add PIM and a unicast routing protocol to the loopback interface as if it were a normal routed interface. Also add static joins to the loopback interface for any groups to be translated.

config router multicast
    config interface
        edit loopback
            set pim-mode sparse-mode
            config join-group
                edit 233.2.2.1
                next
                edit 233.3.3.1
                next
            end
        next
    end
end

3. In this example, the firewall multicast policies require different source IP addresses, so you must first add an IP pool:

config firewall ippool
    edit Multicast_source
        set endip 192.168.20.20
        set interface port6
        set startip 192.168.20.10
    next
end

4. Add the translation security policies.

 

Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1, the DNAT policy, uses an address from the IP pool. The source and destination addresses must be previously created address objects. For this example, 233.3.3.1 255.255.255.255 is represented by “example-addr_1” and 10.166.0.11 255.255.255.255 is represented by “example-addr_2”. You will likely want to use something more intuitive from your own network.

config firewall multicast-policy
    edit 1
        set dnat 239.254.3.1
        set dstaddr example-addr_1
        set dstintf loopback
        set nat 192.168.20.10
        set srcaddr example-addr_2
        set srcintf port6
    next
    edit 2
        set dnat 239.254.1.1
        set dstaddr 233.2.2.1 255.255.255.255
        set dstintf loopback
        set nat 192.168.20.1
        set srcaddr 10.166.0.11 255.255.255.255
        set srcintf port6
    next
end

5. Add a firewall multicast policy to forward the stream from the loopback interface to the physical outbound interface.

This example is an any/any policy that makes sure traffic accepted by the other multicast policies can exit the FortiGate unit.

config firewall multicast-policy
    edit 3
        set dstintf port7
        set srcintf loopback
    next
end
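To see how the three FGT-2 policies act on the two streams, here is an added Python model (not FortiOS code and not part of the original example): it resolves the address objects to the hosts the text assigns them, evaluates the policies first-match with an implicit drop when nothing matches, and as a defender check verifies that every dnat target lands inside the clean 239.254.0.0/16 range that FGT-3 serves as RP for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the three multicast policies configured on FGT-2 above.
# example-addr_1 / example-addr_2 are resolved to the hosts the text assigns
# them (233.3.3.1/32 and 10.166.0.11/32); None means "any", as in FortiOS.
@dataclass
class MulticastPolicy:
    policy_id: int
    srcintf: Optional[str] = None
    dstintf: Optional[str] = None
    srcaddr: Optional[str] = None   # CIDR; None = all source addresses
    dstaddr: Optional[str] = None   # CIDR; None = all group addresses
    nat: Optional[str] = None       # translated source address (SNAT)
    dnat: Optional[str] = None      # translated group address (DNAT)

FGT2_POLICIES = [
    MulticastPolicy(1, "port6", "loopback", "10.166.0.11/32", "233.3.3.1/32",
                    nat="192.168.20.10", dnat="239.254.3.1"),
    MulticastPolicy(2, "port6", "loopback", "10.166.0.11/32", "233.2.2.1/32",
                    nat="192.168.20.1", dnat="239.254.1.1"),
    MulticastPolicy(3, "loopback", "port7"),  # the any/any egress policy
]

# The "clean" group range for which FGT-3 is the RP (from the topology text).
CLEAN_GROUPS = ipaddress.ip_network("239.254.0.0/16")

def _in(addr, cidr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def apply_policies(policies, srcintf, src, dst):
    """First-match evaluation. Returns (policy_id, new_src, new_dst, dstintf),
    or None for the implicit drop when no multicast policy accepts the packet."""
    for p in policies:
        if p.srcintf not in (None, srcintf):
            continue
        if _in(src, p.srcaddr) and _in(dst, p.dstaddr):
            return (p.policy_id, p.nat or src, p.dnat or dst, p.dstintf)
    return None

def forward_through_fgt2(src, dst):
    """Two passes, as the stream takes inside FGT-2: ingress on port6 (policy 1
    or 2 translates it toward loopback), then policy 3 from loopback to port7.
    Returns (translated_src, translated_group, egress_interface) or None."""
    hop = apply_policies(FGT2_POLICIES, "port6", src, dst)
    if hop is None:
        return None
    _, nsrc, ndst, via = hop
    out = apply_policies(FGT2_POLICIES, via, nsrc, ndst)
    return None if out is None else (nsrc, ndst, out[3])

def lint_dnat_targets(policies):
    """Defender check: every DNAT target must fall inside the clean range, so a
    dirty 233/8 group is never forwarded toward FGT-3 untranslated. Returns ids."""
    return [p.policy_id for p in policies
            if p.dnat and ipaddress.ip_address(p.dnat) not in CLEAN_GROUPS]
```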


FortiGate PIM-SM debugging examples

Using the example topology shown below, you can trace the multicast streams and states within the three FortiGate units (FGT-1, FGT-2, and FGT-3) using the debug commands described in this section. The command output in this section is taken from the FortiGate units when the multicast stream is flowing correctly from source to receiver.

 

PIMSM debugging topology

Checking that the receiver has joined the required group

From the last hop router, FGT-3, you can use the following command to check that the receiver has correctly joined the required group.

FGT-3 # get router info multicast igmp groups
IGMP Connected Group Membership
Group Address    Interface  Uptime    Expires   Last Reporter
239.255.255.1    port3      00:31:15  00:04:02  10.167.0.62

Only one receiver is displayed for a particular group: this is the device that responded to the IGMP query from FGT-3. If a receiver is active, the expire time should drop to approximately 2 minutes before being refreshed.

 

Checking the PIM-SM neighbors

Next, the PIM-SM neighbors should be checked. A PIM router becomes a neighbor when the PIM router receives a PIM hello. Use the following command to display the PIM-SM neighbors of FGT-3.

FGT-3 # get router info multicast pim sparse-mode neighbour
Neighbor       Interface  Uptime/Expires     Ver  DR Address  Priority/Mode
10.132.0.156   port2      01:57:12/00:01:33  v2   1 /

 

Checking that the PIM router can reach the RP

The rendezvous point (RP) must be reachable for the PIM router (FGT-3) to be able to send the (*,G) join that requests the stream. This can be checked on FGT-3 using the following command:

FGT-3 # get router info multicast pim sparse-mode rp-mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static RP: 192.168.1.1
    Uptime: 07:23:00

 

Viewing the multicast routing table (FGT-3)

The FGT-3 unicast routing table can be used to determine the path taken to reach the RP at 192.168.1.1. You can then check the stream state entries using the following commands:

FGT-3 # get router info multicast pim sparse-mode table
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
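As an added example (not FortiOS code and not part of the original documentation), the following Python parses the output of the three FGT-3 commands above, using constructed samples shaped like them, and runs the same three checks automatically on the last-hop router: the receiver has joined the group, a PIM version 2 neighbour has been learned from a hello, and an RP mapping covers the group so the (*,G) join can be sent.

```python
import ipaddress
import re

# Constructed sample output, shaped like the three FGT-3 commands shown above.
IGMP_GROUPS = """IGMP Connected Group Membership
Group Address    Interface  Uptime    Expires   Last Reporter
239.255.255.1    port3      00:31:15  00:04:02  10.167.0.62
"""
PIM_NEIGHBOURS = """Neighbor       Interface  Uptime/Expires     Ver  DR Address  Priority/Mode
10.132.0.156   port2      01:57:12/00:01:33  v2   1 /
"""
RP_MAPPING = """PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static RP: 192.168.1.1
    Uptime: 07:23:00
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
HMS = r"(\d\d:\d\d:\d\d)"

def hms_to_seconds(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_igmp_groups(output):
    """{group: (interface, expires_seconds, last_reporter)} from 'igmp groups'."""
    rows = re.finditer(rf"^{IPV4}\s+(\S+)\s+{HMS}\s+{HMS}\s+{IPV4}", output, re.M)
    return {m[1]: (m[2], hms_to_seconds(m[4]), m[5]) for m in rows}

def parse_pim_neighbours(output):
    """{neighbour: (interface, expires_seconds, pim_version)} from 'neighbour'."""
    rows = re.finditer(rf"^{IPV4}\s+(\S+)\s+{HMS}/{HMS}\s+v(\d)", output, re.M)
    return {m[1]: (m[2], hms_to_seconds(m[4]), int(m[5])) for m in rows}

def parse_rp_mappings(output):
    """[(group_range, rp_address)] from the Group-to-RP mapping table."""
    pat = rf"Group\(s\):\s*(\S+/\d+),\s*(?:Static )?RP:\s*{IPV4}"
    return [(ipaddress.ip_network(g), rp) for g, rp in re.findall(pat, output)]

def check_last_hop(group, igmp_out, pim_out, rp_out):
    """Run the section's three checks for one group on the last-hop router.
    Returns a list of findings; an empty list means the (*,G) join can be sent."""
    findings = []
    member = parse_igmp_groups(igmp_out).get(group)
    if member is None:
        findings.append(f"no IGMP membership reported for {group}")
    elif member[1] == 0:
        findings.append(f"IGMP membership for {group} has expired without a refresh")
    neighbours = parse_pim_neighbours(pim_out)
    if not neighbours:
        findings.append("no PIM-SM neighbours: no PIM hello has been received")
    for addr, (ifname, _, ver) in neighbours.items():
        if ver != 2:   # the PIM domain is built on PIM version 2
            findings.append(f"neighbour {addr} on {ifname} speaks PIM v{ver}, expected v2")
    if not any(ipaddress.ip_address(group) in rng for rng, _ in parse_rp_mappings(rp_out)):
        findings.append(f"no RP mapping covers {group}; the (*,G) join cannot be sent")
    return findings
```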


Multicast forwarding and FortiGate units

In both transparent mode and NAT mode you can configure FortiGate units to forward multicast traffic.

For a FortiGate unit to forward multicast traffic you must add FortiGate multicast security policies. Basic multicast security policies accept any multicast packets at one FortiGate interface and forward the packets out another FortiGate interface. You can also use multicast security policies to be selective about the multicast traffic that is accepted based on source and destination address, and to perform NAT on multicast packets.

In the example shown below, a multicast source on the Marketing network with IP address 192.168.5.18 sends multicast packets to the members of network 239.168.4.0. At the FortiGate unit, the source IP address for multicast packets originating from workstation 192.168.5.18 is translated to 192.168.18.10. In this example, the FortiGate unit is not acting as a multicast router.

 

Multicast forwarding and RIPv2

RIPv2 uses multicast to share routing table information. If your FortiGate unit is installed on a network that includes RIPv2 routers, you must configure the FortiGate unit to forward multicast packets so that RIPv2 devices can share routing data through the FortiGate unit. No special FortiGate configuration is required to share RIPv2 data; you can simply use the information in the following sections to configure the FortiGate unit to forward multicast packets.

RIPv1 uses broadcasting to share routing table information. To allow RIPv1 packets through a FortiGate unit you can add standard security policies. Security policies that accept RIPv1 packets can use the ANY predefined firewall service or the RIP predefined firewall service.

 

Example multicast network including a FortiGate unit that forwards multicast packets

 

 

Configuring FortiGate multicast forwarding

You configure FortiGate multicast forwarding from the Command Line Interface (CLI). Two steps are required:

  • Adding multicast security policies
  • Enabling multicast forwarding

This second step is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding.

There is sometimes confusion between the terms “forwarding” and “routing”. These two functions should not be taking place at the same time.

It is mentioned that multicast-forward should be enabled when the FortiGate unit is in NAT mode and that this will forward any multicast packet to all interfaces. However, this parameter should NOT be enabled when the FortiGate unit operates as a multicast router (i.e. with a routing protocol enabled). It should only be enabled when no routing protocol is activated.

 

Adding multicast security policies

You need to add security policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. You add multicast security policies from the CLI using the config firewall multicast-policy command. As with unicast security policies, you specify the source and destination interfaces and optionally the allowed address ranges for the source and destination addresses of the packets.

 

You can also use multicast security policies to configure source NAT and destination NAT for multicast packets. Keep the following in mind when configuring multicast security policies:

  • The matched forwarded (outgoing) IP multicast source IP address is changed to the configured IP address.
  • Source and destination interfaces are optional. If left blank, the multicast will be forwarded to ALL interfaces.
  • Source and destination addresses are optional. If left unset, ALL addresses are matched.
  • The nat keyword is optional. Use it when source address translation is needed.

PIM Support

A FortiGate unit can be configured to support PIM by going to Router > Dynamic > Multicast and enabling multicast routing. You can also enable multicast routing using the config router multicast CLI command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping information and if required, processes the multicast traffic associated with specific multicast groups.

The end-user multicast client-server applications must be installed and configured to initiate Internet connections and handle broadband content such as audio/video information.

Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user could type in a class D multicast group address, an alias for the multicast group address, or a call-conference number to initiate the session.

Rather than sending multiple copies of generated IP traffic to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use the one multicast group address to forward multicast packets to multiple destinations. Because one destination address is used, a single stream of data can be sent. Client applications receive multicast data by requesting that the traffic destined for a certain multicast group address be delivered to them: end-users may use phone books, a menu of ongoing or future sessions, or some other method through a user interface to select the address of interest.

A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D addresses must be assigned in advance. Because there is no way to determine in advance if a certain multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch to a different multicast address).

 

To configure a PIM domain

1. If you will be using sparse mode, determine appropriate paths for multicast packets.

2. Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing protocol.

3. If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs, record the IP addresses of the PIM-enabled interfaces on those RPs.

4. Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate units, use the config router multicast command to set global operating parameters.

5. Configure the PIM routers that have good connections throughout the PIM domain to be candidate BSRs.

6. If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.

7. If required, adjust the default settings of PIM-enabled interface(s).


Multicast IP addresses

Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is reserved for multicast groups. The multicast address range applies to multicast groups, not to the originators of multicast packets. The following table lists the reserved multicast address ranges and describes what they are reserved for:

 

Reserved multicast address ranges

  • 224.0.0.0 to 224.0.0.255. Use: network protocols on local networks. For more information, see RFC 1700. Notes: in this range, packets are not forwarded by the router but remain on the local network. They have a Time to Live (TTL) of 1. These addresses are used for communicating routing information.
  • 224.0.1.0 to 238.255.255.255. Use: global addresses used for multicasting data between organizations and across the Internet. For more information, see RFC 1700. Notes: some of these addresses are reserved, for example, 224.0.1.1 is used for Network Time Protocol (NTP).
  • 239.0.0.0 to 239.255.255.255. Use: limited scope addresses used for local groups and organizations. For more information, see RFC 2365. Notes: routers are configured with filters to prevent multicasts to these addresses from leaving the local system.

Creating multicast security policies requires multicast firewall addresses. You can add multicast firewall addresses by going to Firewall Objects > Address > Addresses and selecting Create New > Multicast Address. The factory default configuration includes multicast addresses for Bonjour (224.0.0.251-224.0.0.251), EIGRP (224.0.0.10-224.0.0.100), OSPF (224.0.0.5-224.0.0.60), all_hosts (224.0.0.1-224.0.0.1), and all_routers (224.0.0.2-224.0.0.2).


Dense mode

The packet organization used in sparse mode is also used in dense mode. When a multicast source begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from the multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM routers initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers that have requested traffic for multicast group address G can access the information if needed.

To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages from downstream PIM routers to determine if receivers are actually present on directly connected network segments. The PIM routers exchange state refresh messages to update their distribution trees. FortiGate units store this state information in a Tree Information Base (TIB), which is used to build a multicast forwarding table. The information in the multicast forwarding table determines whether packets are forwarded downstream. The forwarding table is updated whenever the TIB is modified.

PIM routers receive data streams every few minutes and update their forwarding tables using the source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is stopped by PIM routers that do not have downstream receivers—PIM routers that do not manage multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic for multicast address G, the closest PIM router sends a graft message upstream to begin receiving multicast packets.

FortiGate units operating in NAT mode can also be configured as multicast routers. You can configure a FortiGate unit to be a Protocol Independent Multicast (PIM) router operating in Sparse Mode (SM) or Dense Mode (DM).



Fortinet Complaints

My “Where Fortinet is Going Wrong” page will be getting updated soon. I have been receiving a large amount of emails from users of Fortinet regarding various things that are rubbing them the wrong way about our beloved device manufacturer. I am sure a lot of you will agree with a lot of what will be listed. Hopefully, someone at Fortinet is listening and can assist us with tackling these issues!

