Example PIM configuration that uses BSR to find the RP

6.0.0

This example shows how to configure multicast routing for a network of four FortiGate-500A devices (FortiGate-500A_1 to FortiGate-500A_4). A multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to reach Receiver 1 and Receiver 2.

The configuration uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

This example describes:

  • Commands used in this example
  • Configuration steps
  • Example debug commands

Figure: PIM network topology using BSR to find the RP

Commands used in this example

This example uses CLI commands for the following configuration settings:

  • Adding a loopback interface (lo0)
  • Defining the multicast routing
  • Adding the NAT multicast policy

Adding a loopback interface

Where required, the following command is used to define a loopback interface named lo0.

config system interface
    edit lo0
        set vdom root
        set ip 1.4.50.4 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type loopback
    next
end

Defining the multicast routing

In this example, the following command syntax is used to define multicast routing.

The example uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

config router multicast
    config interface
        edit port6
            set pim-mode sparse-mode
        next
        edit port1
            set pim-mode sparse-mode
        next
        edit lo0
            set pim-mode sparse-mode
            set rp-candidate enable
            config join-group
                edit 236.1.1.1
                next
            end
            set rp-candidate-priority 1
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-allow-quick-refresh enable
        set bsr-candidate enable
        set bsr-interface lo0
        set bsr-priority 200
    end
end

Adding the NAT multicast policy

In this example, the incoming multicast policy does the address translation.

The NAT address should be the same as the IP address of the loopback interface. The DNAT address is the translated address, which should be a new group.

config firewall multicast-policy
    edit 1
        set dstintf port6
        set srcintf lo0
    next
    edit 2
        set dnat 238.1.1.1
        set dstintf lo0
        set nat 1.4.50.4
        set srcintf port1
    next
end

Configuration steps

In this sample, FortiGate-500A_1 is the RP for the groups 228.1.1.1, 237.1.1.1, and 238.1.1.1, and FortiGate-500A_4 is the RP for the other group, which has a priority of 1. OSPF is used in this example to distribute routes, including the loopback interface. All firewalls have full mesh security policies to allow any to any.

  • In the FortiGate-500A_1 configuration, the NAT policy translates source address 236.1.1.1 to 237.1.1.1
  • In the FortiGate-500A_4 configuration, the NAT policy translates source 236.1.1.1 to 238.1.1.1
  • Source 236.1.1.1 is injected into the network as well
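
The RP assignment described above matches the PIM-SM group-to-RP mapping order (RFC 7761, section 4.7.1): longest group-range match first, then lowest priority value. The Python sketch below is an added example, not Fortinet code, and assumes FortiOS follows that order; the group ranges and the priorities 255 and 1 come from the per-device configurations on this page, while the candidate addresses and the priority of FortiGate-500A_1 are placeholders, and the RFC's hash step is replaced by a highest-address tie-break.

```python
import ipaddress
from dataclasses import dataclass

ALL_GROUPS = "224.0.0.0/4"  # a candidate with no group filter covers every group


@dataclass(frozen=True)
class CandidateRP:
    name: str
    address: str     # placeholder loopback address (documentation range)
    priority: int    # rp-candidate-priority: the lower value is preferred
    groups: tuple    # group ranges advertised by this candidate


# Constructed RP-set. Addresses and the priority 192 are assumptions.
RP_SET = [
    CandidateRP("FortiGate-500A_1", "192.0.2.1", 192,
                ("228.1.1.1/32", "237.1.1.1/32", "238.1.1.1/32")),
    CandidateRP("FortiGate-500A_3", "192.0.2.3", 255, (ALL_GROUPS,)),
    CandidateRP("FortiGate-500A_4", "192.0.2.4", 1, (ALL_GROUPS,)),
]


def select_rp(group, rp_set=RP_SET):
    """Return the candidate RP chosen for `group`, or None if none covers it."""
    addr = ipaddress.ip_address(group)
    matches = []
    for rp in rp_set:
        for rng in rp.groups:
            net = ipaddress.ip_network(rng)
            if addr in net:
                matches.append((net.prefixlen, rp))
    if not matches:
        return None
    # Step 1: keep only the longest group-range matches.
    longest = max(plen for plen, _ in matches)
    best = [rp for plen, rp in matches if plen == longest]
    # Step 2: keep only the lowest priority value.
    lowest = min(rp.priority for rp in best)
    best = [rp for rp in best if rp.priority == lowest]
    # Step 3 (simplified): highest address wins instead of the RFC hash.
    return max(best, key=lambda rp: int(ipaddress.ip_address(rp.address)))


if __name__ == "__main__":
    for g in ("228.1.1.1", "237.1.1.1", "238.1.1.1", "236.1.1.1"):
        print(g, "->", select_rp(g).name)
```

If FortiGate-500A_4 drops out of the RP-set, the same rules hand 236.1.1.1 to FortiGate-500A_3, which is why its priority of 255 matters only as a fallback.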

The following procedures include the CLI commands for configuring each of the FortiGate devices in the example configuration.

To configure FortiGate-500A_1
  1. Configure multicast routing:

    config router multicast
        config interface
            edit port5
                set pim-mode sparse-mode
            next
            edit port4
                set pim-mode sparse-mode
            next
            edit lan
                set pim-mode sparse-mode
            next
            edit port1
                set pim-mode sparse-mode
            next
            edit lo999
                set pim-mode sparse-mode
            next
            edit lo0
                set pim-mode sparse-mode
                set rp-candidate enable
                set rp-candidate-group 1
            next
        end
        set multicast-routing enable
        config pim-sm-global
            set bsr-candidate enable
            set bsr-interface lo0
        end
    end

  2. Add multicast security policies:

    config firewall multicast-policy
        edit 1
            set dstintf port5
            set srcintf port4
        next
        edit 2
            set dstintf port4
            set srcintf port5
        next
        edit 3
        next
    end

  3. Add router access lists:

    config router access-list
        edit 1
            config rule
                edit 1
                    set prefix 228.1.1.1 255.255.255.255
                    set exact-match enable
                next
                edit 2
                    set prefix 237.1.1.1 255.255.255.255
                    set exact-match enable
                next
                edit 3
                    set prefix 238.1.1.1 255.255.255.255
                    set exact-match enable
                next
            end
        next
    end

To configure FortiGate-500A_2
  1. Configure multicast routing:

    config router multicast
        config interface
            edit "lan"
                set pim-mode sparse-mode
            next
            edit "port5"
                set pim-mode sparse-mode
            next
            edit "port2"
                set pim-mode sparse-mode
            next
            edit "port4"
                set pim-mode sparse-mode
            next
            edit "lo_5"
                set pim-mode sparse-mode
                config join-group
                    edit 236.1.1.1
                    next
                end
            next
        end
        set multicast-routing enable
    end

  2. Add multicast security policies:

    config firewall multicast-policy
        edit 1
            set dstintf lan
            set srcintf port5
        next
        edit 2
            set dstintf port5
            set srcintf lan
        next
        edit 4
            set dstintf lan
            set srcintf port2
        next
        edit 5
            set dstintf port2
            set srcintf lan
        next
        edit 7
            set dstintf port1
            set srcintf port2
        next
        edit 8
            set dstintf port2
            set srcintf port1
        next
        edit 9
            set dstintf port5
            set srcintf port2
        next
        edit 10
            set dstintf port2
            set srcintf port5
        next
        edit 11
            set dnat 237.1.1.1
            set dstintf lo_5
            set nat 5.5.5.5
            set srcintf port2
        next
        edit 12
            set dstintf lan
            set srcintf lo_5
        next
        edit 13
            set dstintf port1
            set srcintf lo_5
        next
        edit 14
            set dstintf port5
            set srcintf lo_5
        next
        edit 15
            set dstintf port2
            set srcintf lo_5
        next
        edit 16
        next
    end

To configure FortiGate-500A_3
  1. Configure multicast routing:

    config router multicast
        config interface
            edit port5
                set pim-mode sparse-mode
            next
            edit port6
                set pim-mode sparse-mode
            next
            edit lo0
                set pim-mode sparse-mode
                set rp-candidate enable
                set rp-candidate-priority 255
            next
            edit lan
                set pim-mode sparse-mode
            next
        end
        set multicast-routing enable
        config pim-sm-global
            set bsr-candidate enable
            set bsr-interface lo0
        end
    end

  2. Add multicast security policies:

    config firewall multicast-policy
        edit 1
            set dstintf port5
            set srcintf port6
        next
        edit 2
            set dstintf port6
            set srcintf port5
        next
        edit 3
            set dstintf port6
            set srcintf lan
        next
        edit 4
            set dstintf lan
            set srcintf port6
        next
        edit 5
            set dstintf port5
            set srcintf lan
        next
        edit 6
            set dstintf lan
            set srcintf port5
        next
    end

To configure FortiGate-500A_4
  1. Configure multicast routing:

    config router multicast
        config interface
            edit port6
                set pim-mode sparse-mode
            next
            edit lan
                set pim-mode sparse-mode
            next
            edit port1
                set pim-mode sparse-mode
            next
            edit lo0
                set pim-mode sparse-mode
                set rp-candidate enable
                config join-group
                    edit 236.1.1.1
                    next
                end
                set rp-candidate-priority 1
            next
        end
        set multicast-routing enable
        config pim-sm-global
            set bsr-allow-quick-refresh enable
            set bsr-candidate enable
            set bsr-interface lo0
            set bsr-priority 1
        end
    end

  2. Add multicast security policies:

    config firewall policy
        edit 1
            set srcintf lan
            set dstintf port6
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 2
            set srcintf port6
            set dstintf lan
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 3
            set srcintf port1
            set dstintf port6
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 4
            set srcintf port6
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 5
            set srcintf port1
            set dstintf lan
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 6
            set srcintf lan
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 7
            set srcintf port1
            set dstintf port1
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 8
            set srcintf port6
            set dstintf lo0
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 9
            set srcintf port1
            set dstintf lo0
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
        edit 10
            set srcintf lan
            set dstintf lo0
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        next
    end
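
The lab configuration on this page enables `http` and `telnet` in the loopback's `allowaccess` and uses any-to-any accept policies, both of which deserve a check before the snippets are reused elsewhere. The Python script below is an added example, not Fortinet code: it parses FortiOS CLI text and reports those two settings. The sample input is constructed: lo0 and policy 8 are abridged from this page, and policy 20 is a made-up narrower rule for contrast.

```python
import shlex

CLEARTEXT = {"http", "telnet"}  # management protocols with no transport encryption
ANY_ANY = {"srcaddr": ["all"], "dstaddr": ["all"], "service": ["ALL"], "action": ["accept"]}

# Constructed sample (see the lead-in); policy 20 does not appear on this page.
SAMPLE = """
config system interface
    edit lo0
        set ip 1.4.50.4 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
    next
end
config firewall policy
    edit 8
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
    next
    edit 20
        set srcaddr all
        set dstaddr all
        set action accept
        set service PING
    next
end
"""


def parse(text):
    """Turn FortiOS config/edit/set/next/end text into nested dicts."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line)  # handles quoted names such as "lan"
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
    return root


def entries(cfg, table):
    """Return the (name, settings) pairs of a table's 'edit' entries."""
    return [(k, v) for k, v in cfg.get(table, {}).items() if isinstance(v, dict)]


def audit(text):
    cfg, findings = parse(text), []
    for name, intf in entries(cfg, "system interface"):
        weak = sorted(CLEARTEXT & set(intf.get("allowaccess", [])))
        if weak:
            findings.append(f"interface {name}: cleartext management access: {' '.join(weak)}")
    for pid, pol in entries(cfg, "firewall policy"):
        if all(pol.get(key) == value for key, value in ANY_ANY.items()):
            findings.append(f"policy {pid}: accepts any source, any destination, all services")
    return findings
```

Calling `audit()` on a saved configuration returns one line per finding; an empty list means neither setting was found.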
