Technical Note

TECHNICAL NOTE
FortiGate Multicast
FortiOS v3.0 MR5
www.fortinet.com
FortiGate Multicast Technical Note
FortiOS v3.0 MR5
14 September 2007
01-30005-0426-20070914
© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-
Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS,
FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Contents
Contents
Introduction ........................................................................................ 5
Revision history................................................................................................. 5
About FortiGate multicast................................................................................. 5
About this document......................................................................................... 5
Fortinet documentation .................................................................................... 6
Fortinet Tools and Documentation CD .......................................................... 6
Fortinet Knowledge Center .......................................................................... 6
Comments on Fortinet technical documentation .......................................... 6
Customer service and technical support ........................................................ 6
Register your Fortinet product......................................................................... 6
FortiGate multicast forwarding......................................................... 7

Multicast IP addresses ...................................................................................... 8
Multicast forwarding and FortiGate units........................................................ 8
Multicast forwarding and RIPv2 .................................................................... 8
Configuring FortiGate multicast forwarding ................................................. 10
Adding multicast firewall policies................................................................. 10
Enabling multicast forwarding ..................................................................... 12
Configuring FortiGate multicast routing........................................ 13

config router multicast.................................................................................... 13
Sparse mode ............................................................................................... 13
Dense mode................................................................................................ 14
Command syntax pattern ............................................................................ 14
config router multicast ................................................................................. 16
config interface ............................................................................................ 17
config pim-sm-global ................................................................................... 19
Multicast routing examples............................................................. 23

Example FortiGate PIM-SM configuration using a static RP ....................... 24
Configuration steps ..................................................................................... 24
FortiGate PIM-SM debugging examples ........................................................ 29
Checking that the receiver has joined the required group........................... 29
Checking the PIM-SM neighbors ................................................................ 30
Checking that the PIM router can reach the RP.......................................... 30
Viewing the multicast routing table (FGT-3) ................................................ 30
Viewing the PIM next-hop table .................................................................. 31
Viewing the PIM multicast forwarding table ................................................ 32
Viewing the kernel forwarding table ............................................................ 32
FortiGate Multicast FortiOS v3.0 MR5 Technical Note

01-30005-0426-20070914 3
Contents
Example multicast destination NAT (DNAT) configuration ......................... 34

Example PIM configuration that uses BSR to find the RP........................... 37
Commands used in this example ................................................................ 37
Configuration steps ..................................................................................... 39
Example debug commands ........................................................................ 46

4 01-30005-0426-20070914
Introduction Revision history
Introduction
This chapter introduces you to FortiGate multicast support for FortiOS v3.0 and
the following topics:
• Revision history
• About FortiGate multicast
• About this document
• Fortinet documentation
• Customer service and technical support
• Register your Fortinet product
Revision history
Version Description of changes

01-30005-0426-20070914 Initial version. The initial version contains basic information
about FortiGate v3.0 MR5 multicast support plus a number
of PIM routing examples.
About FortiGate multicast

You can use multicasting (also called IP multicasting) to cause a source to send
data to many receivers simultaneously, conserving bandwidth and reducing
network traffic. Multicasting can be used for one-way delivery of media streams to
multiple receivers and for one-way data transmission for news feeds, financial
information, and so on. Also RIPv2 uses multicast to share routing table
information.
This document describes how to configure FortiGate units to forward multicast
packets and how to use FortiGate units as multicast routers.
About this document

This document provides some basic information about multicasting, describes
FortiGate multicast support and contains a number of FortiGate multicast
examples.
This document contains the following chapters:
• FortiGate multicast forwarding describes the basics of FortiGate multicast
forwarding in NAT and Transparent modes. This chapter also describes
multicast firewall policies and how to enable multicast forwarding.
• Configuring FortiGate multicast routing describes using the config router
multicast CLI command to configure FortiGate units to act as multicast
routers.

01-30005-0426-20070914 5
Fortinet documentation Introduction
• Multicast routing examples describes multicast routing configuration examples

and also contains information about displaying multicast routing debug
information
Fortinet documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
Fortinet Tools and Documentation CD

All Fortinet documentation is available from the Fortinet Tools and Documentation
CD shipped with your Fortinet product. The documents on this CD are current at
shipping time. For up-to-date versions of Fortinet documentation see the Fortinet
Technical Documentation web site at http://docs.forticare.com.
Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet
Knowledge Center. The knowledge center contains troubleshooting and how-to
articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at
http://kc.forticare.com.
Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any
Fortinet technical documentation, to techdoc@fortinet.com.
Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your
network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com
to learn about the technical support services that Fortinet provides.
Register your Fortinet product

You must register your Fortinet product to receive Fortinet customer services such
as product updates and technical support. You must also register your product for
FortiGuard services such as FortiGuard Antivirus and Intrusion Prevention
updates and for FortiGuard Web Filtering and AntiSpam.
Register your product by visiting http://support.fortinet.com and selecting Product
Registration.
To register, enter your contact information and the serial numbers of the Fortinet
products that you or your organization have purchased. You can register multiple
Fortinet products in a single session without re-entering your contact information.

6 01-30005-0426-20070914
FortiGate multicast forwarding
FortiGate multicast forwarding

Multicasting (also called IP multicasting) consists of using a single multicast source to send data to
many receivers. Multicasting can be used to send data to many receivers simultaneously while
conserving bandwidth and reducing network traffic. Multicasting can be used for one-way delivery of
media streams to multiple receivers and for one-way data transmission for news feeds, financial
information, and so on. Also RIPv2 uses multicasting to share routing table information.
A multicast network typically consists of one or more multicast sources and one our more multicast
receivers. Multicast sources send multicast packets and multicast receivers receive multicast packets.
Usually there are various network components in between the sources and the receivers. These
network components may just forward multicast packets or they may route multicast packets. Network
components that route multicast packets are multicast routers.
Using a multicast router means that the source only needs to transmit a single stream of data to the
multicast router. The multicast router routes the data to the receivers. The receivers can be single
receivers or can be part off a multicast group. The multicast router makes decisions about how to route
the packets to receivers and multicast groups. Typically the multicast router makes routing decisions
based on the source and destination addresses of the multicast packets. The multicast router can also
apply network address translation (NAT) to multicast packets.
This chapter describes configuring FortiGate units to forward multicast traffic and contains the
following sections:
• Multicast IP addresses
• Multicast forwarding and FortiGate units
• Configuring FortiGate multicast forwarding
FortiGate units operating in NAT/Route mode can also be configured as multicast routers. You can
configure a FortiGate unit to be a Protocol Independent Multicast (PIM) router operating in Sparse
Mode (SM) or Dense Mode (DM). Configuring a FortiGate unit for multicast routing is described in
“Configuring FortiGate multicast routing” on page 13. For multicast routing configuration examples, see
“Multicast routing examples” on page 23.

01-30005-0426-20070914 7
Multicast IP addresses FortiGate multicast forwarding
Multicast IP addresses
Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is
reserved for multicast groups. The multicast address range applies to multicast groups, not to the
originators of multicast packets. Table 1 lists reserved multicast address ranges and describes what
they are reserved for:
Table 1: Reserved Multicast address ranges
Reserved Address Range Use Notes

224.0.0.0 to 224.0.0.255 Used for network protocols on local In this range, packets are not forwarded
networks. For more information, see by the router but remain on the local
RFC 1700. network. They have a Time to Live (TTL)
of 1. These addresses are used for
communicating routing information.
224.0.1.0 to 238.255.255.255 Global addresses used for Some of these addresses are reserved,
multicasting data between for example, 224.0.1.1 is used for
organizations and across the Network Time Protocol (NTP).
Internet. For more information, see
RFC 1700.
239.0.0.0 to 239.255.255.255 Limited scope addresses used for Routers are configured with filters to
local groups and organizations. For prevent multicasts to these addresses
more information, see RFC 2365. from leaving the local system.
Multicast forwarding and FortiGate units

In both Transparent mode and NAT/Route mode you can configure FortiGate units to forward multicast
traffic.
For a FortiGate unit to forward multicast traffic you must add FortiGate multicast firewall policies. Basic
multicast firewall policies accept any multicast packets at one FortiGate interface and forward the
packets out another FortiGate interface. You can also use multicast firewall policies to be selective
about the multicast traffic that is accepted based on source and destination address, and to perform
NAT on multicast packets.
In the example shown in Figure 1, a multicast source on the Marketing network with IP address
192.168.5.18 sends multicast packets to the members of network 239.168.4.0. At the FortiGate unit,
the source IP address for multicast packets originating from workstation 192.168.5.18 is translated to
192.168.18.10. In this example, the FortiGate unit is not acting as a multicast router.
Multicast forwarding and RIPv2

RIPv2 uses multicast to share routing table information. If your FortiGate unit is installed on a network
that includes RIPv2 routers, you must configure the FortiGate unit to forward multicast packets so that
RIPv2 devices can share routing data through the FortiGate unit. No special FortiGate configuration is
required to share RIPv2 data, you can simply use the information in the following sections to configure
the FortiGate unit to forward multicast packets.
Note: RIPv1 uses broadcasting to share routing table information. To allow RIPv1 packets through a FortiGate unit
you can add standard firewall policies. Firewall policies to accept RIPv1 packets can use the ANY predefined
firewall service or the RIP predefined firewall service.

8 01-30005-0426-20070914
FortiGate multicast forwarding Multicast forwarding and FortiGate units
Figure 1: Example multicast network including a FortiGate unit that forwards multicast packets
Members of Receiver_1 Receiver_3

Multicast Group Receiver_2 Receiver_4
239.168.4.0
Internet
FortiGate-800
internal IP: 192.168.5.1
external IP: 172.20.20.10
DMZ IP: 192.168.6.1 Multicast Forwarding Enabled
Source address: 192.168.5.18
Source interface: internal
Marketing Destination address: 239.168.4.0
192.168.5.0/24 Destination interface: external
NAT IP: 192.168.18.10
Sender on the Marketing

network at IP address
192.168.5.18 Development
multicasts to 192.168.6.0/24
IP address
239.168.4.0

01-30005-0426-20070914 9
Configuring FortiGate multicast forwarding FortiGate multicast forwarding
Configuring FortiGate multicast forwarding

You configure FortiGate multicast forwarding from the Command Line Interface (CLI). Two steps are
required:
• Adding multicast firewall policies
• Enabling multicast forwarding
This second step is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit
is operating in Transparent mode, adding a multicast policy enables multicast forwarding.
Note: For most FortiOS v3.0 maintenance releases you do not have to enable multicast forwarding in Transparent
mode.
Adding multicast firewall policies

You need to add firewall policies to allow packets to pass from one interface to another. Multicast
packets require multicast firewall policies. You add multicast firewall policies from the CLI using the
config firewall multicast-policy command. As with unicast firewall policies, you specify the
source and destination interfaces and optionally the allowed address ranges for the source and
destination addresses of the packets.
You can also use multicast firewall policies to configure source NAT and destination NAT for multicast
packets.
Keep the following in mind when configuring multicast firewall policies:
• The matched forwarded (outgoing) IP multicast source IP address is changed to the configured IP
address.
• Source and Destination interfaces are optional. If left blank, then the multicast will be forwarded to
ALL interfaces.
• Source and Destination addresses are optional. If left un set, then it will mean ALL addresses.
• The nat keyword is optional. Use it when source address translation is needed.
Command syntax pattern

config firewall multicast-policy
edit <id_integer>
set action <accept | deny>
set dnat <address>
set dstaddr <address_ipv4mask>
set dstintf <name_str>
set nat <address_ipv4>
set srcaddr <address_ipv4mask>
set srcintf <name_str>
set protocol <integer>
set start-port <integer>
set end-port <integer>
end
Keywords and variables Description Default
id_integer The unique ID number of this multicast policy. No default
action <accept | deny> Enter the policy action. accept
dnat <address> Translate externally received multicast destination addresses to 0.0.0.0
addresses that conform to your organization's internal addressing
policy.

10 01-30005-0426-20070914
FortiGate multicast forwarding Configuring FortiGate multicast forwarding
Keywords and variables Description Default

dstaddr Enter the destination IP address and netmask to match against 0.0.0.0
<address_ipv4mask> multicast NAT packets. 0.0.0.0
dstintf <name_str> Enter the destination interface name to match against multicast No default.
NAT packets.
nat <address_ipv4> Enter the IP address to substitute for the original source IP 0.0.0.0
address.
srcaddr Enter the source IP address and netmask to match against 0.0.0.0
<address_ipv4mask> multicast NAT packets. 0.0.0.0
srcintf <name_str> Enter the source interface name to match against multicast NAT No default.
packets.
protocol <integer> Limit the number of protocols (services) sent out via multicast No default
using the Fortigate.
start-port <integer> The beginning of the port range used for multicast. No default
end-port <integer> The end of the port range used for multicast. No default
Example
This example shows how to configure the multicast firewall policy required for the configuration shown
in Figure 1 on page 9. This policy accepts multicast packets that are sent from a PC with IP address
192.168.5.18 to destination address range 239.168.4.0. The policy allows the multicast packets to
enter the internal interface and then exit the external interface. When the packets leave the external
interface their source address is translated to 192.168.18.10
edit 5
set srcaddr 192.168.5.18 255.255.255.255
set srcintf internal
set destaddr 239.168.4.0 255.255.255.0
set dstintf external
set nat 192.168.18.10
end
This example shows how to configure a multicast firewall policy so that the FortiGate unit forwards
multicast packets from a multicast Server with an IP 10.10.10.10 is broadcasting to address 225.1.1.1.
This Server is on the network connected to the FortiGate DMZ interface.
edit 1
set srcintf DMZ
set srcaddr 10.10.10.10 255.255.255.255
set dstintf Internal
set dstaddr 225.1.1.1 255.255.255.255
set action accept
edit 2
set action deny
end

01-30005-0426-20070914 11
Configuring FortiGate multicast forwarding FortiGate multicast forwarding
Enabling multicast forwarding

Multicast forwarding is disabled by default. In NAT mode you must use the multicast-forward
keyword of the system settings CLI command to enable multicast forwarding. When multicast-
forward is enabled, the FortiGate unit forwards any multicast IP packets in which the TTL is 2 or
higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header
will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add
firewall policies to actually allow multicast packets through the FortiGate. In our example, the firewall
policy allows multicast packets received by the internal interface to exit to the external interface.
Note: Enabling multicast forwarding is only required if your FortiGate unit is operating in NAT mode. If your
FortiGate unit is operating in Transparent mode, adding a multicast policy enables multicast forwarding.
Enter the following CLI command to enable multicast forwarding:

config system settings
set multicast-forward enable
end
If multicast forwarding is disabled and the FortiGate unit drops packets that have multicast source or
destination addresses.
You can also use the multicast-ttl-notchange keyword of the system settings command so
that the FortiGate unit does not increase the TTL value for forwarded multicast packets. You should
use this option only if packets are expiring before reaching the multicast router.
config system settings
set multicast-ttl-notchange enable
end

12 01-30005-0426-20070914
Configuring FortiGate multicast routing config router multicast
Configuring FortiGate multicast

routing
This chapter contains a copy of the description of the config router multicast CLI command.
You use the config router multicast command to configure the FortiGate unit to act as a
Protocol Independent Multicast (PIM) version 2 router.
The FortiGate web-based manager you can go to Router > Dynamic > Multicast to configure basic
PIM options. From the web-based manager you can configure sparse mode or dense mode operation
on any FortiGate interface. For information about the web-based manager PIM options, see the
web-based manager online help or the FortiGate Administration Guide.
config router multicast

A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root
virtual domain. FortiGate units support PIM sparse mode (RFC 4601) and PIM dense mode (RFC
3973) and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. Multicast routing is only available in the root virtual domain. It is not supported
in Transparent mode (TP mode).
Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in
between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode
must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense
mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, two PIM routers, or is
connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast)
packets or decapsulated data (IP traffic) between the source and destination.
A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at
least one Boot Strap Router (BSR), and if sparse mode is enabled, a number of Rendezvous Points
(RPs) and Designated Routers (DRs). When PIM is enabled on a FortiGate unit, the FortiGate unit can
perform any of these functions at any time as configured.
Sparse mode
Initially, all candidate BSRs in a PIM domain exchange bootstrap messages to select one BSR to
which each RP sends the multicast address or addresses of the multicast group(s) that it can service.
The selected BSR chooses one RP per multicast group and makes this information available to all of
the PIM routers in the domain through bootstrap messages. PIM routers use the information to build
packet distribution trees, which map each multicast group to a specific RP. Packet distribution trees
may also contain information about the sources and receivers associated with particular multicast
groups.
Note: When a FortiGate interface is configured as a multicast interface, sparse mode is enabled on it by default to
ensure that distribution trees are not built unless at least one downstream receiver requests multicast traffic from
a specific source. If the sources of multicast traffic and their receivers are close to each other and the PIM domain
contains a dense population of active receivers, you may choose to enable dense mode throughout the PIM
domain instead.

01-30005-0426-20070914 13
config router multicast Configuring FortiGate multicast routing
An RP represents the root of a non-source-specific distribution tree to a multicast group. By joining and
pruning the information contained in distribution trees, a single stream of multicast packets (for
example, a video feed) originating from the source can be forwarded to a certain RP to reach a
multicast destination.
Each PIM router maintains a Multicast Routing Information Base (MRIB) that determines to which
neighboring PIM router join and prune messages are sent. An MRIB contains reverse-path information
that reveals the path of a multicast packet from its source to the PIM router that maintains the MRIB.
To send multicast traffic, a server application sends IP traffic to a multicast group address. The locally
elected DR registers the sender with the RP that is associated with the target multicast group. The RP
uses its MRIB to forward a single stream of IP packets from the source to the members of the multicast
group. The IP packets are replicated only when necessary to distribute the data to branches of the
RP’s distribution tree.
To receive multicast traffic, a client application can use Internet Group Management Protocol (IGMP)
version 1 (RFC 1112), 2 (RFC 2236), or 3 (RFC 3376) control messages to request the traffic for a
particular multicast group. The locally elected DR receives the request and adds the host to the
multicast group that is associated with the connected network segment by sending a join message
towards the RP for the group. Afterward, the DR queries the hosts on the connected network segment
continually to determine whether the hosts are active. When the DR no longer receives confirmation
that at least one member of the multicast group is still active, the DR sends a prune message towards
the RP for the group.
Dense mode
The packet organization used in sparse mode is also used in dense mode. When a multicast source
begins to send IP traffic and dense mode is enabled, the closest PIM router registers the IP traffic from
the multicast source (S) and forwards multicast packets to the multicast group address (G). All PIM
routers initially broadcast the multicast packets throughout the PIM domain to ensure that all receivers
that have requested traffic for multicast group address G can access the information if needed.
To forward multicast packets to specific destinations afterward, the PIM routers build distribution trees
based on the information in multicast packets. Upstream PIM routers depend on prune/graft messages
from downstream PIM routers to determine if receivers are actually present on directly connected
network segments. The PIM routers exchange state refresh messages to update their distribution
trees. FortiGate units store this state information in a Tree Information Base (TIB), which is used to
build a multicast forwarding table. The information in the multicast forwarding table determines whether
packets are forwarded downstream. The forwarding table is updated whenever the TIB is modified.
PIM routers receive data streams every few minutes and update their forwarding tables using the
source (S) and multicast group (G) information in the data stream. Superfluous multicast traffic is
stopped by PIM routers that do not have downstream receivers—PIM routers that do not manage
multicast groups send prune messages to the upstream PIM routers. When a receiver requests traffic
for multicast address G, the closest PIM router sends a graft message upstream to begin receiving
multicast packets.
Command syntax pattern

set igmp-state-limit <limit_integer>
set multicast-routing {enable | disable}
set route-limit <limit_integer>
set route-threshold <threshold_integer>
config interface
edit <interface_name>
set cisco-exclude-genid {enable | disable}
set dr-priority <priority_integer>

14 01-30005-0426-20070914
set hello-holdtime <holdtime_integer>

set hello-interval <hello_integer>
set neighbour-filter <access_list_name>
set passive {enable | disable}
set pim-mode {sparse-mode | dense-mode}
set propagation-delay <delay_integer>
set rp-candidate {enable | disable}
set rp-candidate-group <access_list_name>
set rp-candidate-interval <interval_integer>
set rp-candidate-priority <priority_integer>
set state-refresh-interval <refresh_integer>
set ttl-threshold <ttl_integer>
end
config join-group
edit address <address_ipv4>
end
config igmp
set access-group <access_list_name>
set immediate-leave-group <access_list_name>
set last-member-query-count <count_integer>
set last-member-query-interval <interval_integer>
set query-interval <interval_integer>
set query-max-response-time <time_integer>
set query-timeout <timeout_integer>
set router-alert-check { enable | disable }
set version {1 | 2 | 3}
end
end
config pim-sm-global
set accept-register-list <access_list_name>
set bsr-allow-quick-refresh {enable | disable}
set bsr-candidate {enable | disable}
set bsr-priority <priority_integer>
set bsr-interface <interface_name>
set bsr-hash <hash_integer>
set cisco-register-checksum {enable | disable}
set cisco-register-checksum-group <access_list_name>
set cisco-crp-prefix {enable | disable}
set cisco-ignore-rp-set-priority {enable | disable}
set message-interval <interval_integer>
set register-rate-limit <rate_integer>
set register-rp-reachability {enable | disable}
set register-source {disable | interface | ip-address}
set register-source-interface <interface_name>
set register-source-ip <address_ipv4>
set register-suppression <suppress_integer>
set rp-register-keepalive <keepalive_integer>
set spt-threshold {enable | disable}
set spt-threshold-group <access_list_name>
set ssm {enable | disable}
set ssm-range <access_list_name>
config rp-address
edit <rp_id>
set ip-address <address_ipv4>

01-30005-0426-20070914 15
set group <access_list_name>

end
end

You can configure a FortiGate unit to support PIM using the config router multicast CLI
command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping
information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping
information and if required, processes the multicast traffic associated with specific multicast groups.
Note: The end-user multicast client-server applications must be installed and configured to initiate
Internet connections and handle broadband content such as audio/video information.
Client applications send multicast data by registering IP traffic with a PIM-enabled router. An end-user
could type in a class D multicast group address, an alias for the multicast group address, or a call-
conference number to initiate the session. Rather than sending multiple copies of generated IP traffic
to more than one specific IP destination address, PIM-enabled routers encapsulate the data and use
the one multicast group address to forward multicast packets to multiple destinations. Because one
destination address is used, a single stream of data can be sent. Client applications receive multicast
data by requesting that the traffic destined for a certain multicast group address be delivered to them—
end-users may use phone books, a menu of ongoing or future sessions, or some other method through
a user interface to select the address of interest.
A class D address in the 224.0.0.0 to 239.255.255.255 range may be used as a multicast group
address, subject to the rules assigned by the Internet Assigned Numbers Authority (IANA). All class D
addresses must be assigned in advance. Because there is no way to determine in advance if a certain
multicast group address is in use, collisions may occur (to resolve this problem, end-users may switch
to a different multicast address).
To configure a PIM domain

1 If you will be using sparse mode, determine appropriate paths for multicast packets.
2 Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing
protocol.
3 If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs,
record the IP addresses of the PIM-enabled interfaces on those RPs.
4 Enable PIM version 2 on all participating routers between the source and receivers. On FortiGate units,
use the config router multicast command to set global operating parameters.
5 Configure the PIM routers that have good connections throughout the PIM domain to be candidate
BSRs.
6 If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
7 If required, adjust the default settings of PIM-enabled interface(s).
Note: All keywords are optional.

16 01-30005-0426-20070914
Variables Description Default

igmp-state-limit If memory consumption is an issue, specify a limit on the 3200
<limit_integer> number of IGMP states (multicast memberships) that the
FortiGate unit will store. The value represents the maximum
combined number of IGMP states (multicast memberships)
that can be handled by all interfaces. Traffic associated with
excess IGMP membership reports is not delivered. The range
is from 96 to 64 000.
multicast-routing {enable Enable or disable PIM routing. disable
| disable}
route-limit If memory consumption is an issue, set a limit on the number 214748367
<limit_integer> of multicast routes that can be added to the FortiGate routing 4
table. The range is from 1 to 2 147 483 674.
route-threshold Specify the number of multicast routes that can be added to 214748367
<threshold_integer> the FortiGate routing table before a warning message is 4
displayed. The route-threshold value must be lower than
the route-limit value. The range is from 1 to
2 147 483 674.
config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation
(sparse or dense). Global settings do not override interface-specific settings.
Note: All keywords are optional.

edit <interface_name> Enter the name of the FortiGate interface on which to enable No default.
PIM protocols.
cisco-exclude-genid This keyword applies only when pim-mode is sparse-mode. disable
{enable | disable} Enable or disable including a generation ID in hello messages
sent to neighboring PIM routers. A GenID value may be
included for compatibility with older Cisco IOS routers.
dr-priority This keyword applies only when pim-mode is sparse-mode. 1
<priority_integer> Assign a priority to FortiGate DR candidacy. The range is from
1 to 4 294 967 294. The value is compared to that of other DR
interfaces connected to the same network segment, and the
router having the highest DR priority is selected to be the DR.
If two DR priority values are the same, the interface having
the highest IP address is selected.
hello-holdtime Specify the amount of time (in seconds) that a PIM neighbor 105
<holdtime_integer> may consider the information in a hello message to be valid.
The range is from 1 to 65 535.
If the hello-interval attribute is modified and the hello-
holdtime attribute has never been set explicitly, the hello-
holdtime attribute is set to 3.5 x hello-interval
automatically.
hello-interval Set the amount of time (in seconds) that the FortiGate unit 30
<hello_integer> waits between sending hello messages to neighboring PIM
routers. The range is from 1 to 65 535. Changing the hello-
interval attribute may update the hello-holdtime
attribute automatically.
neighbour-filter Establish or terminate adjacency with PIM neighbors having Null.
<access_list_name> the IP addresses given in the specified access list. See
“access-list” in the FortiGate CLI Reference.
passive {enable | Enable or disable PIM communications on the interface disable
disable} without affecting IGMP communications.

01-30005-0426-20070914 17

pim-mode {sparse-mode | Select the PIM mode of operation: sparse-
dense-mode} • Select sparse-mode to manage PIM packets through mode
distribution trees and multicast groups.
• Select dense-mode to enable multicast flooding.
propagation-delay This keyword is available when pim-mode is set to 500
<delay_integer> dense-mode.
Specify the amount of time (in milliseconds) that the FortiGate
unit waits to send prune-override messages. The range is
from 100 to 5 000.
rp-candidate {enable | This keyword is available when pim-mode is set to disable
disable} sparse-mode.
Enable or disable the FortiGate interface to offer Rendezvous
Point (RP) services.
rp-candidate-group This keyword is available when rp-candidate is set to Null.
<access_list_name> enable and pim-mode is set to sparse-mode.
Specify for which multicast groups RP candidacy is advertised
based on the multicast group prefixes given in the specified
access list. See “access-list” in the FortiGate CLI Reference.
rp-candidate-interval This keyword is available when rp-candidate is set to 60
<interval_integer> enable and pim-mode is set to sparse-mode.
Set the amount of time (in seconds) that the FortiGate unit
waits between sending RP announcement messages. The
range is from 1 to 16 383.
rp-candidate-priority This keyword is available when rp-candidate is set to 192
<priority_integer> enable and pim-mode is set to sparse-mode.
Assign a priority to FortiGate RP candidacy. The range is from
0 to 255. The BSR compares the value to that of other RP
candidates that can service the same multicast group, and the
router having the highest RP priority is selected to be the RP
for that multicast group. If two RP priority values are the
same, the RP candidate having the highest IP address on its
RP interface is selected.
state-refresh-interval This keyword is available when pim-mode is set to 60
<refresh_integer> dense-mode.
This attribute is used when the FortiGate unit is connected
directly to the multicast source. Set the amount of time (in
seconds) that the FortiGate unit waits between sending state-
refresh messages. The range is from 1 to 100. When a state-
refresh message is received by a downstream router, the
prune state on the downstream router is refreshed.
ttl-threshold Specify the minimum Time-To-Live (TTL) value (in hops) that 1
<ttl_integer> an outbound multicast packet must have in order to be
forwarded from the interface. Specifying a high value (for
example, 195) prevents PIM packets from being forwarded
through the interface. The range is from 0 to 255.
config join-group variables
edit address Cause the FortiGate interface to activate (IGMP join) the No default.
<address_ipv4> multicast group associated with the specified multicast group
address.
config igmp variables
access-group Specify which multicast groups hosts on the connected Null.
<access_list_name> network segment may join based on the multicast addresses
given in the specified access list. See “access-list” in the
FortiGate CLI Reference.

18 01-30005-0426-20070914

immediate-leave-group This keyword applies when version is set to 2 or 3. Null.
<access_list_name> Configure a FortiGate DR to stop sending traffic and IGMP
queries to receivers after receiving an IGMP version 2 group-
leave message from any member of the multicast groups
identified in the specified access list. See “access-list” in the
FortiGate CLI Reference.
last-member-query-count This keyword applies when version is set to 2 or 3. 2
<count_integer> Specify the number of times that a FortiGate DR sends an
IGMP query to the last member of a multicast group after
receiving an IGMP version 2 group-leave message.
last-member-query- This keyword applies when version is set to 2 or 3. 1000
interval Set the amount of time (in milliseconds) that a FortiGate DR
<interval_integer> waits for the last member of a multicast group to respond to
an IGMP query. The range is from 1000 to 25 500. If no
response is received before the specified time expires and the
FortiGate DR has already sent an IGMP query last-
member-query-count times, the FortiGate DR removes the
member from the group and sends a prune message to the
associated RP.
query-interval Set the amount of time (in seconds) that a FortiGate DR waits 125
<interval_integer> between sending IGMP queries to determine which members
of a multicast group are active. The range is from 1 to 65 535.
query-max-response-time Set the maximum amount of time (in seconds) that a 10
<time_integer> FortiGate DR waits for a member of a multicast group to
respond to an IGMP query. The range is from 1 to 25. If no
response is received before the specified time expires, the
FortiGate DR removes the member from the group.
query-timeout Set the amount of time (in seconds) that must expire before a 255
<timeout_integer> FortiGate unit begins sending IGMP queries to the multicast
group that is managed through the interface. The range is
from 60 to 300. A FortiGate unit begins sending IGMP queries
if it does not receive regular IGMP queries from another DR
through the interface.
router-alert-check { Enable to require the Router Alert option in IGMP packets. disabled
enable | disable }
version {1 | 2 | 3} Specify the version number of IGMP to run on the interface. 3
The value can be 1, 2, or 3. The value must match the version
used by all other PIM routers on the connected network
segment.
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not
override interface-specific PIM settings.
If sparse mode is enabled, you can configure a DR to send multicast packets to a particular RP by
specifying the IP address of the RP through the config rp-address subcommand. The IP address
must be directly accessible to the DR. If multicast packets from more than one multicast group can
pass through the same RP, you can use an access list to specify the associated multicast group
addresses.
Note: To send multicast packets to a particular RP using the config rp-address subcommand, the
ip-address keyword is required. All other keywords are optional.

01-30005-0426-20070914 19

accept-register-list Cause a FortiGate RP to accept or deny register packets Null.
<access_list_name> from the source IP addresses given in the specified access
list. See “access-list” in the FortiGate CLI Reference.
bsr-allow-quick-refresh Enable or disable accepting bsr quick refresh packets from disable
{enable | disable} neighbors.
bsr-candidate {enable | Enable or disable the FortiGate unit to offer its services as a disable
disable} Boot Strap Router (BSR) when required.
bsr-priority This keyword is available when bsr-candidate is set to 0
<priority_integer> enable.
Assign a priority to FortiGate BSR candidacy. The range is
from 0 to 255. The value is compared to that of other BSR
candidates and the candidate having the highest priority is
selected to be the BSR. If two BSR priority values are the
same, the BSR candidate having the highest IP address on
its BSR interface is selected.
bsr-interface This keyword is available when bsr-candidate is set to Null.
<interface_name> enable.
Specify the name of the PIM-enabled interface through
which the FortiGate unit may announce BSR candidacy.
bsr-hash <hash_integer> This keyword is available when bsr-candidate is set to 10
enable.
Set the length of the mask (in bits) to apply to multicast
group addresses in order to derive a single Rendezvous
Point (RP) for one or more multicast groups. The range is
from 0 to 32. For example, a value of 24 means that the first
24 bits of the group address are significant. All multicast
groups having the same seed hash belong to the same RP.
cisco-crp-prefix {enable Enable or disable a FortiGate RP that has a group prefix disable
| disable} number of 0 to communicate with a Cisco BSR. You may
choose to enable the attribute if required for compatibility
with older Cisco BSRs.
cisco-ignore-rp-set- Enable or disable a FortiGate BSR to recognize Cisco RP- disable
priority {enable | SET priority values when deriving a single RP for one or
disable} more multicast groups. You may choose to enable the
attribute if required for compatibility with older Cisco RPs.
cisco-register-checksum Enable or disable performing a register checksum on entire disable
{enable | disable} PIM packets. A register checksum is performed on the
header only by default. You may choose to enable register
checksums on the whole packet for compatibility with older
Cisco IOS routers.
cisco-register-checksum- This keyword is available when cisco-register- Null.
group <access_list_name> checksum is set to enable.
Identify on which PIM packets to perform a whole-packet
register checksum based on the multicast group addresses
in the specified access list. See “access-list” in the FortiGate
CLI Reference. You may choose to enable register
checksums on entire PIM packets for compatibility with
older Cisco IOS routers.
message-interval Set the amount of time (in seconds) that the FortiGate unit 60
<interval_integer> waits between sending periodic PIM join/prune messages
(sparse mode) or prune messages (dense mode). The value
must be identical to the message interval value set on all
other PIM routers in the PIM domain. The range is from 1 to
65 535.
register-rate-limit Set the maximum number of register messages per (S,G) 0
<rate_integer> per second that a FortiGate DR can send for each PIM entry
in the routing table. The range is from 0 to 65 535, where 0
means an unlimited number of register messages per
second.

20 01-30005-0426-20070914

register-rp-reachability Enable or disable a FortiGate DR to check if an RP is enable
{enable | disable} accessible prior to sending register messages.
register-source {disable If the FortiGate unit acts as a DR, enable or disable ip-address
| interface | ip-address} changing the IP source address of outbound register
packets to one of the following IP addresses. The IP
address must be accessible to the RP so that the RP can
respond to the IP address with a Register-Stop message:
• To retain the IP address of the FortiGate DR interface
that faces the RP, select disable.
• To change the IP source address of a register packet to
the IP address of a particular FortiGate interface, select
interface. The register-source-interface
attribute specifies the interface name.
• To change the IP source address of a register packet to
a particular IP address, select ip-address. The
register-source-ip attribute specifies the IP
address.
register-source-interface This keyword is available when register-source is set Null.
<interface_name> to interface.
Enter the name of the FortiGate interface.
register-source-ip This keyword is available when register-source is set 0.0.0.0
<address_ipv4> to address.
Enter the IP source address to include in the register
message.
register-suppression Enter the amount of time (in seconds) that a FortiGate DR 60
<suppress_integer> waits to start sending data to an RP after receiving a
Register-Stop message from the RP. The range is from 1 to
65 535.
rp-register-keepalive If the FortiGate unit acts as an RP, set the frequency (in 185
<keepalive_integer> seconds) with which the FortiGate unit sends keepalive
messages to a DR. The range is from 1 to 65 535. The two
routers exchange keepalive messages to maintain a link for
as long as the source continues to generate traffic.
If the register-suppression attribute is modified on the
RP and the rp-register-keepalive attribute has never
been set explicitly, the rp-register-keepalive attribute
is set to (3 x register-suppression) + 5 automatically.
spt-threshold {enable | Enable or disable the FortiGate unit to build a Shortest Path enable
disable} Tree (SPT) for forwarding multicast packets.
spt-threshold-group This keyword is available when spt-threshold is set to Null.
<access_list_name> enable.
Build an SPT only for the multicast group addresses given in
the specified access list. See “access-list” in the FortiGate
CLI Reference.
ssm {enable | disable} This keyword is available when the IGMP version is set enable
to 3.
Enable or disable Source Specific Multicast (SSM)
interactions (see RFC 3569).
ssm-range This keyword is available when ssm is set to enable. Null.
<access_list_name> Enable SSM only for the multicast addresses given in the
specified access list. See “access-list” in the FortiGate CLI
Reference. By default, multicast addresses in the 232.0.0.0
to 232.255.255.255 (232/8) range are used to support SSM
interactions.

01-30005-0426-20070914 21

config rp-address variables Applies only when pim-mode is sparse-mode.
edit <rp_id> Enter an ID number for the static RP address entry. The No default.
number must be an integer.
ip-address <address_ipv4> Specify a static IP address for the RP. 0.0.0.0
group <access_list_name> Configure a single static RP for the multicast group Null.
addresses given in the specified access list. See “access-
list” in the FortiGate CLI Reference. If an RP for any of
these group addresses is already known to the BSR, the
static RP address is ignored and the RP known to the BSR
is used instead.
Example
This example shows how to enable a FortiGate unit to support PIM routing in sparse mode and enable
BSR candidacy on the dmz interface:
set multicast-routing enable
config interface
edit dmz
set pim-mode sparse-mode
end
end
set bsr-candidate enable
set bsr-priority 1
set bsr-interface dmz
set bsr-hash 24
end
This example shows how to enable RP candidacy on the port1 interface for the multicast group
addresses given through an access list named multicast_port1:
config interface
edit port1
set rp-candidate enable
set rp-candidate-group multicast_port1
set rp-candidate-priority 15
end
end

22 01-30005-0426-20070914
Multicast routing examples
Multicast routing examples

This chapter contains the following multicast routing configuration examples and information:
• Example FortiGate PIM-SM configuration using a static RP
• FortiGate PIM-SM debugging examples
• Example multicast destination NAT (DNAT) configuration
• Example PIM configuration that uses BSR to find the RP
Figure 2: Example FortiGate PIM-SM topology
Multicast Source Cisco_3750 _1 router

169.254.82.1 RP for group 233.234.200.x
233.254.200.1 (169.254.100.1 loopback0)
FE0/23 (.250)
169.254.82.0/24
FE0/24 (.1)
Cisco_3750_2 router
FE0/23 (.250)
10.31.138.0/24
VLAN 138
external (.253)
FortiGate-800
internal (.1)
10.31.130.0/24
VLAN 130
FE0/24 (.250)
Cisco_3750_3 router
FE0/23 (.130)
10.31.128.128/30
Receiver (.129)
Group 233.254.200.1

01-30005-0426-20070914 23
Example FortiGate PIM-SM configuration using a static RP Multicast routing examples
Example FortiGate PIM-SM configuration using a static RP

The example Protocol Independent Multicast Sparse Mode (PIM-SM) configuration shown in Figure 2
has been tested for multicast interoperability using PIM-SM between Cisco 3750 switches running 12.2
and a FortiGate-800 running FortiOS v3.0 MR5 patch 1. In this configuration, the receiver receives the
multicast stream when it joins the group 233.254.200.1.
The configuration uses a statically configured rendezvous point (RP) which resides on the
Cisco_3750_1. Using a bootstrap router (BSR) was not tested in this example. See “Example PIM
configuration that uses BSR to find the RP” on page 37 for an example that uses a BSR.
Configuration steps
The following procedures show how to configure the multicast configuration settings for the devices in
the example configuration.
• Cisco_3750_1 router configuration
• To configure the FortiGate-800 unit
Cisco_3750_1 router configuration

version 12.2
!
hostname Cisco-3750-1
!
switch 1 provision ws-c3750-24ts
ip subnet-zero
ip routing
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface Loopback0
ip address 169.254.100.1 255.255.255.255
!
interface FastEthernet1/0/23
switchport access vlan 182
switchport mode access
!
!
interface Vlan172
ip address 10.31.138.1 255.255.255.0
ip pim sparse-mode
ip igmp query-interval 125
ip mroute-cache distributed
!
interface Vlan182

24 01-30005-0426-20070914
Multicast routing examples Example FortiGate PIM-SM configuration using a static RP
ip address 169.254.82.250 255.255.255.0

ip pim sparse-mode
!
ip classless
ip route 0.0.0.0 0.0.0.0 169.254.82.1
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
!
ip access-list standard Source-RP
permit 233.254.200.0 0.0.0.255

version 12.2
!
!
ip subnet-zero
ip routing
!
!
!
!
!
interface Vlan138
ip address 10.31.138.250 255.255.255.0
ip pim sparse-mode
!
interface Vlan182
ip address 169.254.82.1 255.255.255.0
ip pim sparse-mode
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.138.253
ip route 169.254.100.1 255.255.255.255 169.254.82.250
ip http server
!
!

01-30005-0426-20070914 25

permit 233.254.200.0 0.0.0.255
To configure the FortiGate-800 unit

1 Configure the internal and external interfaces.
config system interface
edit "internal"
set vdom "root"
set ip 10.31.130.1 255.255.255.0
set allowaccess ping https
set type physical
next
edit "external"
set vdom "root"
set ip 10.31.138.253 255.255.255.0
set allowaccess ping
set type physical
end
end
2 Add a firewall address for the RP.
config firewall address
edit "RP"
set subnet 169.254.100.1/32
end
3 Add standard firewall policies to allow traffic to reach the RP.
config firewall policy
edit 1
set srcintf "internal"
set dstintf "external"
set srcaddr "all"
set dstaddr "RP"
set action accept
set schedule "always"
set service "ANY"
next
edit 2
set srcintf "external"
set dstintf "internal"
set srcaddr "RP"
set dstaddr "all"
set action accept
set service "ANY"
end
4 Add the multicast firewall policy.
edit 1
set dstaddr 233.254.200.0 255.255.255.0
set dstintf "internal"
set srcaddr 169.254.82.0 255.255.255.0
set srcintf "external"

26 01-30005-0426-20070914
Multicast routing examples Example FortiGate PIM-SM configuration using a static RP
end
5 Add an access list.
config router access-list
edit "Source-RP"
config rule
edit 1
set prefix 233.254.200.0 255.255.255.0
set exact-match disable
next
end
6 Add some static routes.
config router static
edit 1
set device "internal"
set gateway 10.31.130.250
next
edit 2
set device "external"
set dst 169.254.0.0 255.255.0.0
set gateway 10.31.138.250
next
7 Configure multicast routing.
config interface
edit "internal"
config igmp
set version 2
end
next
edit "external"
config igmp
set version 2
end
next
end
config rp-address
edit 1
set ip-address 169.254.100.1
set group "Source-RP"
next

version 12.2
!
!
ip subnet-zero

01-30005-0426-20070914 27
ip routing
!
!
!
!
!
interface Vlan128
ip address 10.31.128.130 255.255.255.252
ip pim sparse-mode
!
interface Vlan130
ip address 10.31.130.250 255.255.255.0
ip pim sparse-mode
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.130.1
ip http server
!
!
permit 233.254.200.0 0.0.0.255

28 01-30005-0426-20070914
Multicast routing examples FortiGate PIM-SM debugging examples
FortiGate PIM-SM debugging examples

Using the example topology shown in Figure 3 you can trace the multicast streams and states within
the three FortiGate units (FGT-1, FGT-2, and FGT-3) using the debug commands described in this
section. The command output in this section is taken from FortiGate unit running FortiOS v3.0 MR5
patch 1 when the multicast stream is flowing correctly from source to receiver.
Figure 3: PIM-SM debugging topology
Multicast Source (.11)

239.255.255.1
10.166.0.0/24
internal
FGT-1 (.237)
external
10.130.0.0/24
internal
FGT-2 (.156)
RP 192.168.1.1/32
(loopback)
external
10.132.0.0/24
port2
FGT-3 (.226)
port3
10.167.0.0/24
Receiver (.62)
Checking that the receiver has joined the required group

From the last hop router, FGT-3, you can use the following command to check that the receiver has
correctly joined the required group.
FGT-3 # get router info multicast igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
239.255.255.1 port3 00:31:15 00:04:02 10.167.0.62

01-30005-0426-20070914 29
FortiGate PIM-SM debugging examples Multicast routing examples
Only 1 receiver is displayed for a particular group, this is the device that responded to the IGMP query
request from the FGT-3. If a receiver is active the expire time should drop to approximately 2 minutes
before being refreshed.
Checking the PIM-SM neighbors

Next the PIM-SM neighbors should be checked. A PIM router becomes a neighbor when the PIM
router receives a PIM hello. Use the following command to display the PIM-SM neighbors of FGT-3.
FGT-3 # get router info multicast pim sparse-mode neighbour
Neighbor Interface Uptime/Expires Ver DR
Address Priority/Mode
10.132.0.156 port2 01:57:12/00:01:33 v2 1 /
Checking that the PIM router can reach the RP

The rendezvous point (RP) must be reachable for the PIM router (FGT-3) to be able to send the *,G
join to request the stream. This can be checked for FGT-3 using the following command:
FGT-3 # get router info multicast pim sparse-mode rp-mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 192.168.1.1
Uptime: 07:23:00
Viewing the multicast routing table (FGT-3)

The FGT-3 unicast routing table can be used to determine the path taken to reach the RP at
192.168.1.1. You can then check the stream state entries using the following commands:
FGT-3 # get router info multicast pim sparse-mode table
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
Table 2: Stream states
(*,*,RP) Entries This state may be reached by general joins for all groups served by a specified RP.
(*,G) Entries State that maintains the RP tree for a given group.
(S,G) Entries State that maintains a source-specific tree for source S and group G.
(S,G,rpt) State that maintains source-specific information about source s on the RP tree for G. For
Entries example, if a source is being received on the source-specific tree, it will normally have
been pruned off the RP tree.
FCR The FCR state entries are for tracking the sources in the <*, G> when <S, G> is not
available for any reason, the stream would typically be flowing when this state exists.
Breaking down each entry in detail:

(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: JOINED

30 01-30005-0426-20070914
Local:
port3
Joined:
Asserted:
FCR:
The RP will always be listed in a *,G entry, the RPF neighbor and interface index will also be shown.
In this topology these are the same in all downstream PIM routers. The state is active so the upstream
state is joined.
In this case FGT-3 is the last hop router so the IGMP join is received locally on port3. There is no PIM
outgoing interface listed for this entry as it is used for the upstream PIM join.
(10.166.0.11, 239.255.255.1)
RPF nbr: 10.132.0.156
RPF idx: port2
SPT bit: 1
Local:
Joined:
Asserted:
Outgoing:
port3
This is the entry for the SPT, no RP IS listed. The S,G stream will be forwarded out of the stated
outgoing interface.
(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: NOT PRUNED
Local:
Pruned:
Outgoing:
The above S,G,RPT state is created for all streams that have both a S,G and a *,G entry on the
router. This is not pruned in this case because of the topology, the RP and source are reachable over
the same interface.
Although not seen in this scenario, assert states may be seen when multiple PIM routers exist on the
same LAN which can lead to more than one upstream router having a valid forwarding state. Assert
messages are used to elect a single forwarder from the upstream devices.
Viewing the PIM next-hop table

The PIM next-hop table is also very useful for checking the various states, it can be used to quickly
identify the states of multiple multicast streams
FGT-3 # get router info multicast pim sparse-mode next-hop
Flags: N = New, R = RP, S = Source, U = Unreachable
Destination Type Nexthop Nexthop Nexthop Metric Pref Refcnt
Num Addr Ifindex
___________________________________________________________________________
10.166.0.11 ..S. 1 10.132.0.156 9 21 110 3
192.168.1.1 .R.. 1 10.132.0.156 9 111 110 2

01-30005-0426-20070914 31
FortiGate PIM-SM debugging examples Multicast routing examples
Viewing the PIM multicast forwarding table

Also you can check the multicast forwarding table showing the ingress and egress ports of the
multicast stream.
FGT-3 # get router info multicast table

Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)
(10.166.0.11, 239.255.255.1), uptime 04:02:55, stat expires 00:02:25

Owner PIM-SM, Flags: TF
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)
Viewing the kernel forwarding table

Also the kernel forwarding table can be verified, however this should give similar information to the
above command:
FGT-3 # diag ip multicast mroute
grp=239.255.255.1 src=10.166.0.11 intf=9 flags=(0x10000000)[ ]
status=resolved
last_assert=2615136 bytes=1192116 pkt=14538 wrong_if=0 num_ifs=1
index(ttl)=[6(1),]

If you check the output on FGT-2 there are some small differences:
FGT-2 # get router info multicast pim sparse-mode table
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
FCR Entries: 0
(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Local:
Joined:
external
Asserted:
FCR:
The *,G entry now has a joined interface rather than local because it has received a PIM join from
FGT-3 rather than a local IGMP join.
(10.166.0.11, 239.255.255.1)
RPF nbr: 10.130.0.237

32 01-30005-0426-20070914
RPF idx: internal

SPT bit: 1
Local:
Joined:
external
Asserted:
Outgoing:
external
The S,G entry shows that we have received a join on the external interface and the stream is being
forwarded out of this interface.
(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: PRUNED
Local:
Pruned:
Outgoing:
External
The S,G,RPT is different from FGT-3 because FGT-2 is the RP, it has pruned back the SPT for the RP
to the first hop router.

FGT-1 again has some differences with regard to the PIM-SM states, there is no *,G entry because it
is not in the path of a receiver and the RP.
FGT-1_master # get router info multicast pim sparse-mode table
(*,*,RP) Entries: 0
(*,G) Entries: 0
(S,G) Entries: 1
FCR Entries: 0
Below the S,G is the SPT termination because this FortiGate unit is the first hop router, the RPF
neighbor always shows as 0.0.0.0 because the source is local to this device. Both the joined and
outgoing fields show as external because the PIM join and the stream is egressing on this interface.
(10.166.0.11, 239.255.255.1)
RPF nbr: 0.0.0.0
RPF idx: None
SPT bit: 1
Local:
Joined:
external
Asserted:
Outgoing:
external
The stream has been pruned back from the RP because the end-to-end SPT is flowing, there is no
requirement for the stream to be sent to the RP in this case.

01-30005-0426-20070914 33
Example multicast destination NAT (DNAT) configuration Multicast routing examples
(10.166.0.11, 239.255.255.1, rpt)

RP: 0.0.0.0
RPF nbr: 10.130.0.156
RPF idx: external
Upstream State: RPT NOT JOINED
Local:
Pruned:
Outgoing:
Example multicast destination NAT (DNAT) configuration

The example topology shown in Figure 4 and described below shows how to configure destination
NAT (DNAT) for two multicast streams. Both of these streams originate from the same source IP
address, which is 10.166.0.11. The example configuration keeps the streams separate by creating 2
multicast NAT policies.
In this example the FortiGate units in Figure 4 have the following roles:
• FGT-1 is the RP for dirty networks, 233.0.0.0/8.
• FGT-2 performs all firewall and DNAT translations.
• FGT-3 is the RP for the clean networks, 239.254.0.0/16.
• FGT-1 and FGT-3 are functioning as PM enabled routers and could be replaced can be any PIM
enabled router.
This example only describes the configuration of FGT-2.
FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following translated
multicast streams.
• If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and
233.2.2.1; FGT-3 translates the source and destination IPs to 192.168.20.1 and 239.254.1.1
• If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and
233.3.3.1; FGT-3 translates the source and destination IPs to 192.168.20.10 and 239.254.3.1

34 01-30005-0426-20070914
Multicast routing examples Example multicast destination NAT (DNAT) configuration
Figure 4: Example multicast DNAT topology
Multicast Source
IP 10.166.0.11/24
Group 233.2.2.1
Group 233.3.3.1
10.166.0.0/24
FGT-1
RP for groups
233.0.0.0/8
10.125.0.0/24
Source IP: 10.166.0.11
Source IP: 10.166.0.11 port6 FGT-2 (FW) Destination IP: 233.3.3.1
Destination IP: 233.2.2.1
Loopback interface
192.168.20.1/24 NAT
NAT Static join configured for group 233.2.2.1
port7
Source IP: 192.168.20.10
Source IP: 192.168.20.1
Destination IP: 239.254.3.1
Destination IP: 239.254.1.1 10.126.0.0/24
FGT-3
BSR and RP for group
239.254.0.0/16
10.127.0.0/24
Multicast Receiver
IP 10.127.0.62/24
Group 239.254.1.1
Group 239.254.3.1
To configure FGT-2 for DNAT multicast

1 Add a loopback interface. In the example, the loopback interface is named loopback.
edit "loopback"
set vdom "root"
set ip 192.168.20.1 255.255.255.0
set type loopback
next
end
2 Add PIM and add a unicast routing protocol to the loopback interface as if it was a normal routed
interface. Also add static joins to the loopback interface for any groups to be translated.
config interface
edit "loopback"
config join-group
edit 233.2.2.1
next
edit 233.3.3.1

01-30005-0426-20070914 35
Example multicast destination NAT (DNAT) configuration Multicast routing examples
next
end
next
3 In this example, to add firewall multicast policies, different source IP addresses are required so you
must first add an IP pool:
config firewall ippool
edit "Multicast_source"
set endip 192.168.20.20
set interface "port6"
set startip 192.168.20.10
next
end
4 Add the translation firewall policies.
Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1, the DNAT policy,
uses an address from the IP pool.
edit 1
set dnat 239.254.3.1
set dstaddr 233.3.3.1 255.255.255.255
set dstintf "loopback"
set nat 192.168.20.10
set srcaddr 10.166.0.11 255.255.255.255
set srcintf "port6"
next
edit 2
set dnat 239.254.1.1
set dstaddr 233.2.2.1 255.255.255.255
set dstintf "loopback"
set nat 192.168.20.1
set srcaddr 10.166.0.11 255.255.255.255
set srcintf "port6"
next
5 Add a firewall multicast policy to forward the stream from the loopback interface to the physical
outbound interface.
This example is an any/any policy that makes sure traffic accepted by the other multicast policies can
exit the FortiGate unit.
edit 3
set dstintf "port7"
set srcintf "loopback"
next

36 01-30005-0426-20070914
Multicast routing examples Example PIM configuration that uses BSR to find the RP
Example PIM configuration that uses BSR to find the RP

This example shows how to configure a multicast routing network for a network consisting of 4
FortiGate-500A units (FortiGate-500A_1 to FortiGate-550A_4, see Figure 5). A multicast sender is
connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to
reach Receiver 1 and Receiver 2.
The configuration uses a Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of
using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1
group (source).
This example describes:
• Commands used in this example
• Configuration steps
• Example debug commands
Figure 5: PIM network topology using BSR to find the RP
Cisco 2611
Cisco 3550 router
FortiGate-500A_1 switch
RP for 237.1.1.1
237.1.1.1
238.1.1.1
Receiver 1
Cisco 3640 FortiGate-500A_2
Sender router
FortiGate-500A_3
RP for others
Priority 256
FortiGate-500A_4
RP for others
Priority 1
Receiver 2
Commands used in this example

This example uses CLI commands for the following configuration settings:
• Adding a loopback interface (lo0)
• Defining the multicast routing
• Adding the NAT multicast policy

01-30005-0426-20070914 37
Example PIM configuration that uses BSR to find the RP Multicast routing examples
Adding a loopback interface (lo0)

Where required, the following command is used to define a loopback interface named lo0.
edit "lo0"
set vdom "root"
set ip 1.4.50.4 255.255.255.255
set allowaccess ping https ssh snmp http telnet
set type loopback
next
end
Defining the multicast routing

In this example, the following command syntax is used to define multicast routing. The example uses a
Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under
interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).
config interface
edit "port6"
next
edit "port1"
next
edit "lo0"
config join-group
edit 236.1.1.1
next
end
next
end
set bsr-allow-quick-refresh enable
set bsr-interface "lo0"
set bsr-priority 200
end
end
Adding the NAT multicast policy

In this example, the incoming multicast policy does the address translation. The NAT address should
be the same as the IP address of the of loopback interface. The DNAT address is the translated
address, which should be a new group.
edit 1
set dstintf "port6"
set srcintf "lo0"
next

38 01-30005-0426-20070914
edit 2
set dnat 238.1.1.1
set dstintf "lo0"
set nat 1.4.50.4
set srcintf "port1"
next
Configuration steps
In this sample, FortiGate-500A_1 is the RP for the group 228.1.1.1, 237.1.1.1, 238.1.1.1, and
FortiGate-500A_4 is the RP for the other group which has a priority of1. OSPF is used in this example
to distribute routes including the loopback interface. All firewalls have full mesh firewall policies to
allow any to any.
• In the FortiGate-500A_1 configuration, the NAT policy translates source address 236.1.1.1 to
237.1.1.1
• In the FortiGate-500A_4, configuration, the NAT policy translates source 236.1.1.1 to 238.1.1.1
• Source 236.1.1.1 is injected into network as well.
The following procedures include the CLI commands for configuring each of the FortiGate units in the
example configuration.
To configure FortiGate-500A_1
config interface
edit "port5"
next
edit "port4"
next
edit "lan"
next
edit "port1"
next
edit "lo999"
next
edit "lo0"
set rp-candidate-group "1"
next
end
end
end
2 Add multicast firewall policies.

01-30005-0426-20070914 39

edit 1
set dstintf "port5"
set srcintf "port4"
next
edit 2
set dstintf "port4"
set srcintf "port5"
next
edit 3
next
end
3 Add router access lists.
config router access-list
edit "1"
config rule
edit 1
set prefix 228.1.1.1 255.255.255.255
set exact-match enable
next
edit 2
set prefix 237.1.1.1 255.255.255.255
next
edit 3
set prefix 238.1.1.1 255.255.255.255
next
end
next
end
config interface
edit "lan"
next
edit "port5"
next
edit "port2"
next
edit "port4"
next
edit "lo_5"
config join-group
edit 236.1.1.1
next

40 01-30005-0426-20070914
end
next
end
end
edit 1
set dstintf "lan"
set srcintf "port5"
next
edit 2
set dstintf "port5"
set srcintf "lan"
next
edit 4
set dstintf "lan"
set srcintf "port2"
next
edit 5
set dstintf "port2"
set srcintf "lan"
next
edit 7
set dstintf "port1"
set srcintf "port2"
next
edit 8
set dstintf "port2"
set srcintf "port1"
next
edit 9
set dstintf "port5"
set srcintf "port2"
next
edit 10
set dstintf "port2"
set srcintf "port5"
next
edit 11
set dnat 237.1.1.1
set dstintf "lo_5"
set nat 5.5.5.5
set srcintf "port2"
next
edit 12
set dstintf "lan"
set srcintf "lo_5"
next
edit 13
set dstintf "port1"
set srcintf "lo_5"
next

01-30005-0426-20070914 41
edit 14
set dstintf "port5"
set srcintf "lo_5"
next
edit 15
set dstintf "port2"
set srcintf "lo_5"
next
edit 16
next
end
config interface
edit "port5"
next
edit "port6"
next
edit "lo0"
next
edit "lan"
next
end
end
end
edit 1
set dstintf "port5"
set srcintf "port6"
next
edit 2
set dstintf "port6"
set srcintf "port5"
next
edit 3
set dstintf "port6"
set srcintf "lan"
next
edit 4
set dstintf "lan"

42 01-30005-0426-20070914
set srcintf "port6"

next
edit 5
set dstintf "port5"
set srcintf "lan"
next
edit 6
set dstintf "lan"
set srcintf "port5"
next
end
config interface
edit "port6"
next
edit "lan"
next
edit "port1"
next
edit "lo0"
config join-group
edit 236.1.1.1
next
end
next
end
set bsr-allow-quick-refresh enable
set bsr-priority 1
end
end
config firewall policy
edit 1
set srcintf "lan"
set dstintf "port6"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"

01-30005-0426-20070914 43
next
edit 2
set srcintf "port6"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
edit 3
set srcintf "port1"
set dstintf "port6"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
edit 4
set srcintf "port6"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
edit 5
set srcintf "port1"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
edit 6
set srcintf "lan"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
edit 7
set srcintf "port1"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"

44 01-30005-0426-20070914
next
edit 8
set srcintf "port6"
set dstintf "lo0"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
edit 9
set srcintf "port1"
set dstintf "lo0"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
edit 10
set srcintf "lan"
set dstintf "lo0"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ANY"
next
end

01-30005-0426-20070914 45
Example debug commands

You can use the following CLI commands to view information about and status of the multicast
configuration. This section includes get and diagnose commands and some sample output.
get router info multicast pim sparse-mode table 236.1.1.1
get router info multicast pim sparse-mode neighbour
Neighbor Interface Uptime/Expires Ver DR
Address Priority/Mode
83.97.1.2 port6 02:22:01/00:01:44 v2 1 / DR
diagnose ip multicast mroute

status=resolved
index(ttl)=[6(1),10(1),]
status=resolved
index(ttl)=[7(1),6(1),]
status=resolved
index(ttl)=[7(1),]
get router info multicast igmp groups

IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
236.1.1.1 lan 00:45:48 00:03:21 10.4.1.1
236.1.1.1 lo0 02:19:31 00:03:23 1.4.50.4
get router info multicast pim sparse-mode interface

Address Interface VIFindex Ver/ Nbr DR DR
Mode Count Prior
10.4.1.2 lan 2 v2/S 0 1 10.4.1.2
83.97.1.1 port6 0 v2/S 1 1 83.97.1.2
1.4.50.4 lo0 3 v2/S 0 1 1.4.50.4
get router info multicast pim sparse-mode rp-mapping

PIM Group-to-RP Mappings
This system is the Bootstrap Router (v2)
Group(s): 224.0.0.0/4
RP: 1.4.50.4
Info source: 1.4.50.4, via bootstrap, priority 1
Uptime: 02:20:32, expires: 00:01:58
RP: 1.4.50.3
Uptime: 02:20:07, expires: 00:02:24
Group(s): 228.1.1.1/32
RP: 1.4.50.1

46 01-30005-0426-20070914

Uptime: 02:18:24, expires: 00:02:06
Group(s): 237.1.1.1/32
RP: 1.4.50.1
Uptime: 02:18:24, expires: 00:02:06
Group(s): 238.1.1.1/32
RP: 1.4.50.1
Uptime: 02:18:24, expires: 00:02:06
get router info multicast pim sparse-mode bsr-info

PIMv2 Bootstrap information
This system is the Bootstrap Router (BSR)
BSR address: 1.4.50.4
Uptime: 02:23:08, BSR Priority: 1, Hash mask length: 10
Next bootstrap message in 00:00:18
Role: Candidate BSR
State: Elected BSR
Candidate RP: 1.4.50.4(lo0)

Advertisement interval 60 seconds
Next Cand_RP_advertisement in 00:00:54

01-30005-0426-20070914 47

48 01-30005-0426-20070914
www.fortinet.com
www.fortinet.com

Technical Note

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Technical Note

Hochgeladen von

Copyright:

Verfügbare Formate

TECHNICAL NOTE

FortiGate multicast forwarding......................................................... 7

Configuring FortiGate multicast routing........................................ 13

Multicast routing examples............................................................. 23

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Example multicast destination NAT (DNAT) configuration ......................... 34

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Version Description of changes

About FortiGate multicast

About this document

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

• Multicast routing examples describes multicast routing configuration examples

Fortinet Tools and Documentation CD

Fortinet Knowledge Center

Comments on Fortinet technical documentation

Customer service and technical support

Register your Fortinet product

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

FortiGate multicast forwarding

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Table 1: Reserved Multicast address ranges

Reserved Address Range Use Notes

Multicast forwarding and FortiGate units

Multicast forwarding and RIPv2

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Members of Receiver_1 Receiver_3

Sender on the Marketing

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Configuring FortiGate multicast forwarding

Adding multicast firewall policies

Command syntax pattern

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Keywords and variables Description Default

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Enabling multicast forwarding

Enter the following CLI command to enable multicast forwarding:

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Configuring FortiGate multicast

config router multicast

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Command syntax pattern

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

set hello-holdtime <holdtime_integer>

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

set group <access_list_name>

config router multicast

To configure a PIM domain

Note: All keywords are optional.

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Variables Description Default

Note: All keywords are optional.

Variables Description Default

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Variables Description Default

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Variables Description Default

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Variables Description Default

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Variables Description Default

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Variables Description Default

FortiGate Multicast FortiOS v3.0 MR5 Technical Note

Multicast routing examples