Example PIM configuration that uses BSR to find the RP

This example shows how to configure multicast routing for a network consisting of four FortiGate-500A units (FortiGate-500A_1 to FortiGate-500A_4). A multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to reach Receiver 1 and Receiver 2.

The configuration uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

This example describes:

  • Commands used in this example
  • Configuration steps
  • Example debug commands

[Figure: PIM network topology using BSR to find the RP]

Commands used in this example

This example uses CLI commands for the following configuration settings:

  • Adding a loopback interface (lo0)
  • Defining the multicast routing
  • Adding the NAT multicast policy

Adding a loopback interface (lo0)

Where required, the following command is used to define a loopback interface named lo0.

    config system interface
        edit lo0
            set vdom root
            set ip 1.4.50.4 255.255.255.255
            set allowaccess ping https ssh snmp http telnet
            set type loopback
        next
    end

Defining the multicast routing

In this example, the following command syntax is used to define multicast routing.

The example uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

    config router multicast
        config interface
            edit port6
                set pim-mode sparse-mode
            next
            edit port1
                set pim-mode sparse-mode
            next
            edit lo0
                set pim-mode sparse-mode
                set rp-candidate enable
                config join-group
                    edit 236.1.1.1
                    next
                end
                set rp-candidate-priority 1
            next
        end
        set multicast-routing enable
        config pim-sm-global
            set bsr-allow-quick-refresh enable
            set bsr-candidate enable
            set bsr-interface lo0
            set bsr-priority 200
        end
    end

Adding the NAT multicast policy

In this example, the incoming multicast policy does the address translation.

The NAT address should be the same as the IP address of the loopback interface. The DNAT address is the translated address, which should be a new group.

    config firewall multicast-policy
        edit 1
            set dstintf port6
            set srcintf lo0
        next
        edit 2
            set dnat 238.1.1.1
            set dstintf lo0
            set nat 1.4.50.4
            set srcintf port1
        next
    end

Configuration steps

In this sample, FortiGate-500A_1 is the RP for the groups 228.1.1.1, 237.1.1.1, and 238.1.1.1, and FortiGate-500A_4 is the RP for the other group, which has a priority of 1. OSPF is used in this example to distribute routes, including the loopback interface. All firewalls have full mesh security policies to allow any to any.

  • In the FortiGate-500A_1 configuration, the NAT policy translates source address 236.1.1.1 to 237.1.1.1.
  • In the FortiGate-500A_4 configuration, the NAT policy translates source 236.1.1.1 to 238.1.1.1.
  • Source 236.1.1.1 is injected into the network as well.

The following procedures include the CLI commands for configuring each of the FortiGate units in the example configuration.

To configure FortiGate-500A_1
  1. Configure multicast routing.

    config router multicast
        config interface
            edit port5
                set pim-mode sparse-mode
            next
            edit port4
                set pim-mode sparse-mode
            next
            edit lan
                set pim-mode sparse-mode
            next
            edit port1
                set pim-mode sparse-mode
            next
            edit lo999
                set pim-mode sparse-mode
            next
            edit lo0
                set pim-mode sparse-mode
                set rp-candidate enable
                set rp-candidate-group 1
            next
        end
        set multicast-routing enable
        config pim-sm-global
            set bsr-candidate enable
            set bsr-interface lo0
        end
    end

 

  2. Add multicast security policies.

    config firewall multicast-policy
        edit 1
            set dstintf port5
            set srcintf port4
        next
        edit 2
            set dstintf port4
            set srcintf port5
        next
        edit 3
        next
    end

 

  3. Add router access lists.

    config router access-list
        edit 1
            config rule
                edit 1
                    set prefix 228.1.1.1 255.255.255.255
                    set exact-match enable
                next
                edit 2
                    set prefix 237.1.1.1 255.255.255.255
                    set exact-match enable
                next
                edit 3
                    set prefix 238.1.1.1 255.255.255.255
                    set exact-match enable
                next
            end
        next
    end

To configure FortiGate-500A_2
  1. Configure multicast routing.

    config router multicast
        config interface
            edit "lan"
                set pim-mode sparse-mode
            next
            edit "port5"
                set pim-mode sparse-mode
            next
            edit "port2"
                set pim-mode sparse-mode
            next
            edit "port4"
                set pim-mode sparse-mode
            next
            edit "lo_5"
                set pim-mode sparse-mode
                config join-group
                    edit 236.1.1.1
                    next
                end
            next
        end
        set multicast-routing enable
    end

 

  2. Add multicast security policies.

    config firewall multicast-policy
        edit 1
            set dstintf lan
            set srcintf port5
        next
        edit 2
            set dstintf port5
            set srcintf lan
        next
        edit 4
            set dstintf lan
            set srcintf port2
        next
        edit 5
            set dstintf port2
            set srcintf lan
        next
        edit 7
            set dstintf port1
            set srcintf port2
        next
        edit 8
            set dstintf port2
            set srcintf port1
        next
        edit 9
            set dstintf port5
            set srcintf port2
        next
        edit 10
            set dstintf port2
            set srcintf port5
        next
        edit 11
            set dnat 237.1.1.1
            set dstintf lo_5
            set nat 5.5.5.5
            set srcintf port2
        next
        edit 12
            set dstintf lan
            set srcintf lo_5
        next
        edit 13
            set dstintf port1
            set srcintf lo_5
        next
        edit 14
            set dstintf port5
            set srcintf lo_5
        next
        edit 15
            set dstintf port2
            set srcintf lo_5
        next
        edit 16
        next
    end

To configure FortiGate-500A_3
  1. Configure multicast routing.

    config router multicast
        config interface
            edit port5
                set pim-mode sparse-mode
            next
            edit port6
                set pim-mode sparse-mode
            next
            edit lo0
                set pim-mode sparse-mode
                set rp-candidate enable
                set rp-candidate-priority 255
            next
            edit lan
                set pim-mode sparse-mode
            next
        end
        set multicast-routing enable
        config pim-sm-global
            set bsr-candidate enable
            set bsr-interface lo0
        end
    end

 

  2. Add multicast security policies.

    config firewall multicast-policy
        edit 1
            set dstintf port5
            set srcintf port6
        next
        edit 2
            set dstintf port6
            set srcintf port5
        next
        edit 3
            set dstintf port6
            set srcintf lan
        next
        edit 4
            set dstintf lan
            set srcintf port6
        next
        edit 5
            set dstintf port5
            set srcintf lan
        next
        edit 6
            set dstintf lan
            set srcintf port5
        next
    end

To configure FortiGate-500A_4
  1. Configure multicast routing.

    config router multicast
        config interface
            edit port6
                set pim-mode sparse-mode
            next
            edit lan
                set pim-mode sparse-mode
            next
            edit port1
                set pim-mode sparse-mode
            next
            edit lo0
                set pim-mode sparse-mode
                set rp-candidate enable
                config join-group
                    edit 236.1.1.1
                    next
                end
                set rp-candidate-priority 1
            next
        end
        set multicast-routing enable
        config pim-sm-global
            set bsr-allow-quick-refresh enable
            set bsr-candidate enable
            set bsr-interface lo0
            set bsr-priority 1
        end
    end

 

  2. Add multicast security policies.

    config firewall policy
        edit 1
            set srcintf lan
            set dstintf port6
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 2
            set srcintf port6
            set dstintf lan
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 3
            set srcintf port1
            set dstintf port6
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 4
            set srcintf port6
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 5
            set srcintf port1
            set dstintf lan
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 6
            set srcintf lan
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 7
            set srcintf port1
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 8
            set srcintf port6
            set dstintf lo0
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 9
            set srcintf port1
            set dstintf lo0
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
        edit 10
            set srcintf lan
            set dstintf lo0
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
        next
    end
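
The loopback definition in this example enables http and telnet management access, and the FortiGate-500A_4 policies accept any source, destination and service; both suit a lab and are worth reviewing before the configuration is reused elsewhere. The following Python script is an added example, not part of the Fortinet documentation: it parses FortiOS CLI text, reports unbalanced config/end nesting, and flags those two settings. The function names, finding strings and sample input are constructed for illustration.

```python
import re

CLEARTEXT = {"http", "telnet"}  # unencrypted management protocols

def parse(text):
    """Return ({path: {setting: [values]}}, nesting_errors) for FortiOS CLI text."""
    stack, settings, errors = [], {}, []
    for num, raw in enumerate(text.splitlines(), 1):
        cmd, *args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)] or [""]
        if cmd in ("config", "edit"):
            stack.append((cmd, " ".join(args)))
        elif cmd == "set" and args:
            path = tuple(name for _, name in stack)
            settings.setdefault(path, {})[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if cmd == "end" and stack and stack[-1][0] == "edit":
                stack.pop()  # 'end' also closes an entry left open without 'next'
            want = "edit" if cmd == "next" else "config"
            if stack and stack[-1][0] == want:
                stack.pop()
            else:
                errors.append(f"line {num}: '{cmd}' without an open {want}")
    errors += [f"unclosed {kind} {name}" for kind, name in stack]
    return settings, errors

def audit(text):
    """List nesting errors, cleartext management access and any-to-any policies."""
    settings, findings = parse(text)
    for path, s in settings.items():
        root, where = (path[0] if path else ""), " > ".join(path)
        weak = sorted(CLEARTEXT & set(s.get("allowaccess", [])))
        if root == "system interface" and weak:
            findings.append(f"{where}: cleartext management access {weak}")
        if (root == "firewall policy" and s.get("action") == ["accept"]
                and s.get("srcaddr") == s.get("dstaddr") == ["all"]
                and (s.get("service") or [""])[0].upper() in ("ANY", "ALL")):
            findings.append(f"{where}: any-to-any accept policy")
    return findings

# Constructed sample: settings from this page, one command per '|'. The
# multicast-policy block is deliberately left without 'end' for the nesting check.
SAMPLE = (
    "config system interface|edit lo0|set allowaccess ping https ssh snmp http telnet|next|end|"
    "config firewall policy|edit 1|set srcaddr all|set dstaddr all|set action accept|set service ANY|next|end|"
    "config firewall multicast-policy|edit 1|set srcintf lo0|next"
).replace("|", "\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against the output of `show` saved to a file by passing the file's text to `audit()`; an empty list means none of the three conditions was found.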