Hassan97wsh, Staff
May 25, 2026

Technical Tip: Multicast routing using GENEVE interfaces in a Hybrid Cloud where multicast is not supported


Description

This article demonstrates how to enable multicast routing in a hybrid cloud environment whose cloud side has no native multicast support, using GENEVE interfaces. The Cloud FortiGate uses GENEVE interfaces to encapsulate multicast traffic in unicast UDP packets that the cloud network forwards like any other unicast flow, bypassing the infrastructure limitation. Note that GENEVE itself adds no confidentiality or authentication: inside the cloud network the encapsulated multicast travels in cleartext between the FortiGate and each VM, while the on-premises-to-cloud leg is protected by the IPsec overlay.

The SD-WAN overlay provides secure and redundant transport by grouping multiple IPsec tunnels into a single logical zone to connect the on-premises environment with the public cloud.

Scope

FortiOS v7.6.1+.

Solution

(Topology diagram: the on-premises FortiGate and the Cloud FortiGate are connected by two IPsec tunnels grouped in SD-WAN zone OL_1; the Cloud FortiGate reaches each cloud VM over a dedicated GENEVE interface.)


In this example, the on-premises subnet 172.16.0.0/24 contains hosts that listen to multicast group 239.1.1.2 and transmit to 239.1.1.1. The cloud VMs listen to 239.1.1.1 and transmit to 239.1.1.2. To enable this communication, a GENEVE interface is configured on the Cloud FortiGate for each cloud VM: the tunnel is sourced from the FortiGate loopback, terminates on the VM's NIC address, and carries a point-to-point /30 inside. Additional configuration may be required on the cloud VM side so that the VM terminates the GENEVE tunnel and handles multicast over it.
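To make the encapsulation concrete, the following Python script builds the packet the Cloud FortiGate would emit on mc.001 for an on-prem sender's 239.1.1.1 datagram and parses it back. This is an added example, not FortiGate code and not part of the original article. It assumes Ethernet-mode GENEVE (inner EtherType 0x6558) on the default UDP port 6081, and the inner sender address, source MAC and UDP payload are constructed for illustration; the VNI, loopback and VM NIC addresses are the article's.

```python
"""GENEVE (RFC 8926) encapsulation of a multicast datagram as a unicast UDP
packet, as the Cloud FortiGate does on its mc.00x interfaces. Added example,
not FortiGate code. Assumes Ethernet-mode GENEVE (inner EtherType 0x6558) and
the default UDP port 6081; the inner host, MAC and payload are constructed."""
import ipaddress
import struct

GENEVE_UDP_PORT = 6081   # IANA-assigned port for GENEVE
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: an Ethernet frame follows
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum over the header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def multicast_mac(group: str) -> bytes:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group."""
    g = ipaddress.IPv4Address(group).packed
    return bytes([0x01, 0x00, 0x5E, g[1] & 0x7F, g[2], g[3]])


def geneve_header(vni: int, protocol_type: int = ETHERTYPE_TEB) -> bytes:
    """8-byte base header: Ver=0, OptLen=0, O=C=0, protocol type, 24-bit VNI."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", protocol_type, vni << 8)


def parse_geneve(data: bytes) -> dict:
    word0, word1 = struct.unpack("!II", data[:8])
    if word0 >> 30 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_len = (word0 >> 24) & 0x3F            # option length in 4-byte words
    return {"vni": word1 >> 8, "protocol_type": word0 & 0xFFFF,
            "oam": bool((word0 >> 23) & 1), "critical": bool((word0 >> 22) & 1),
            "payload": data[8 + 4 * opt_len:]}


def encapsulate_multicast(outer_src, outer_dst, vni, inner_src, group, payload,
                          src_mac=bytes.fromhex("020000000001")):
    """Outer IPv4/UDP (unicast, port 6081) -> GENEVE -> Ethernet -> IPv4 multicast -> UDP."""
    inner_udp = struct.pack("!HHHH", 5000, 5000, 8 + len(payload), 0) + payload  # csum 0 = none
    inner_ip = ipv4_header(inner_src, group, 17, len(inner_udp), ttl=8) + inner_udp
    frame = multicast_mac(group) + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip
    geneve = geneve_header(vni) + frame
    outer_udp = struct.pack("!HHHH", 49152, GENEVE_UDP_PORT, 8 + len(geneve), 0) + geneve
    return ipv4_header(outer_src, outer_dst, 17, len(outer_udp)) + outer_udp


def decapsulate(packet: bytes) -> dict:
    """What the receiving VM sees: a unicast outer header around a multicast inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    _, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != GENEVE_UDP_PORT:
        raise ValueError("not a GENEVE packet")
    g = parse_geneve(packet[ihl + 8:ihl + ulen])
    if g["protocol_type"] != ETHERTYPE_TEB:
        raise ValueError("expected an inner Ethernet frame")
    inner_ip = g["payload"][14:]                  # skip the 14-byte Ethernet header
    inner_dst = ipaddress.IPv4Address(inner_ip[16:20])
    return {"outer_src": str(ipaddress.IPv4Address(packet[12:16])), "outer_dst": str(outer_dst),
            "outer_is_multicast": outer_dst.is_multicast, "vni": g["vni"],
            "inner_dst": str(inner_dst), "inner_is_multicast": inner_dst.is_multicast}


if __name__ == "__main__":
    # Cloud FortiGate (loopback 192.168.0.2) forwarding an on-prem sender's
    # 239.1.1.1 datagram to the VM behind mc.001 (NIC 172.32.1.5, VNI 5001).
    pkt = encapsulate_multicast("192.168.0.2", "172.32.1.5", 5001, "172.16.0.10", "239.1.1.1", b"tick")
    print(decapsulate(pkt))
```

The point the parse result makes is that the cloud fabric only ever sees 192.168.0.2 to 172.32.1.5 on UDP/6081; the 239.1.1.1 destination exists only inside the GENEVE payload, which is why no multicast support is needed from the cloud network. The same structure is what to look for in a packet capture on the VM NIC when verifying the setup.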

  1. Configure the LAN interface and create a loopback interface to serve as the Multicast Rendezvous Point (RP).

On-prem FortiGate:


config system interface
    edit "port3"
        set ip 172.16.0.254 255.255.255.0
    next
    edit "loopback.router"
        set vdom "root"
        set ip 192.168.0.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end


Cloud FortiGate:


config system interface
    edit "port2"
        set ip 172.32.1.4 255.255.255.0
    next
    edit "loopback.router"
        set vdom "root"
        set ip 192.168.0.2 255.255.255.255 <- Used for PIM and GENEVE.
        set allowaccess ping
        set type loopback
    next
end


  2. Configure the GENEVE interfaces on the Cloud FortiGate and group them in one zone.

Cloud FortiGate:


config system geneve
    edit "mc.001"
        set interface "loopback.router"
        set vni 5001
        set remote-ip 172.32.1.5 <- VM NIC IP.
    next
    edit "mc.002"
        set interface "loopback.router"
        set vni 5001
        set remote-ip 172.32.1.6
    next
end

config system interface
    edit "mc.001"
        set ip 172.32.2.1 255.255.255.252
        set allowaccess ping
    next
    edit "mc.002"
        set ip 172.32.2.5 255.255.255.252
        set allowaccess ping
    next
end

config system zone
    edit "mc.zone"
        set interface "mc.001" "mc.002"
    next
end


  3. Configure the IPsec tunnel interfaces and assign point-to-point IP addresses.

On-prem FortiGate:


config vpn ipsec phase1-interface
    edit "tunnel.1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set exchange-interface-ip enable
        set exchange-ip-addr4 192.168.0.1
        set proposal aes256-sha256
        set localid "FGT-On-prem FortiGate"
        set dhgrp 21
        set network-overlay enable
        set network-id 1
        set transport udp
        set remote-gw 203.0.113.1
        set psksecret *****
    next
    edit "tunnel.2"
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device enable
        set exchange-interface-ip enable
        set exchange-ip-addr4 192.168.0.1
        set proposal aes256-sha256
        set localid "FGT-On-prem FortiGate"
        set dhgrp 21
        set network-overlay enable
        set network-id 2
        set transport udp
        set remote-gw 203.0.113.1
        set psksecret *****
    next
end

config vpn ipsec phase2-interface
    edit "tunnel.1"
        set phase1name "tunnel.1"
        set proposal aes256-sha256
        set dhgrp 21
    next
    edit "tunnel.2"
        set phase1name "tunnel.2"
        set proposal aes256-sha256
        set dhgrp 21
    next
end

config system interface
    edit "tunnel.1"
        set vdom "root"
        set ip 169.254.0.1 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.0.2 255.255.255.255
    next
    edit "tunnel.2"
        set vdom "root"
        set ip 169.254.0.3 255.255.255.255
        set allowaccess ping
        set remote-ip 169.254.0.4 255.255.255.255
    next
end


Cloud FortiGate:

config vpn ipsec phase1-interface
    edit "tunnel.1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set exchange-interface-ip enable
        set exchange-ip-addr4 192.168.0.2
        set proposal aes256-sha256
        set localid "FGT-AZ"
        set dhgrp 21
        set network-overlay enable
        set network-id 1
        set transport udp
        set remote-gw 192.0.2.1
        set psksecret *****
    next
    edit "tunnel.2"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set exchange-interface-ip enable
        set exchange-ip-addr4 192.168.0.2
        set proposal aes256-sha256
        set localid "FGT-AZ"
        set dhgrp 21
        set network-overlay enable
        set network-id 2
        set transport udp
        set remote-gw 198.51.100.1
        set psksecret *****
    next
end

config vpn ipsec phase2-interface
    edit "tunnel.1"
        set phase1name "tunnel.1"
        set proposal aes256-sha256
        set dhgrp 21
    next
    edit "tunnel.2"
        set phase1name "tunnel.2"
        set proposal aes256-sha256
        set dhgrp 21
    next
end

config system interface
    edit "tunnel.1"
        set vdom "root"
        set ip 169.254.0.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.0.1 255.255.255.255
    next
    edit "tunnel.2"
        set vdom "root"
        set ip 169.254.0.4 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.0.3 255.255.255.255
    next
end


  4. Configure the SD-WAN settings to group the two tunnels into a single overlay zone. The health check pings the peer loopback through each tunnel, and an SLA-based service rule steers PIM (IP protocol 103) to the healthiest tunnel in the zone. This rule determines which tunnel carries the PIM register messages.

On-prem FortiGate:


config system sdwan
    set status enable
    config zone
        edit "OL_1"
        next
    end
    config members
        edit 3
            set interface "tunnel.1"
            set zone "OL_1"
            set source 192.168.0.1
        next
        edit 4
            set interface "tunnel.2"
            set zone "OL_1"
            set source 192.168.0.1
        next
    end
    config health-check
        edit "FGT_AZ_ICMP"
            set server "192.168.0.2"
            set members 3 4
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set mode sla
            set protocol 103
            set dst "all"
            config sla
                edit "FGT_AZ_ICMP"
                    set id 1
                next
            end
            set priority-zone "OL_1"
            set use-shortcut-sla disable
            set shortcut disable
        next
    end
end


Cloud FortiGate:


config system sdwan
    set status enable
    config zone
        edit "OL_1"
        next
    end
    config members
        edit 3
            set interface "tunnel.1"
            set zone "OL_1"
            set source 192.168.0.2
        next
        edit 4
            set interface "tunnel.2"
            set zone "OL_1"
            set source 192.168.0.2
        next
    end
    config health-check
        edit "FGT_on_prem_ICMP"
            set server "192.168.0.1"
            set members 3 4
            config sla
                edit 1
                next
            end
        next
    end
    config service
        edit 1
            set mode sla
            set protocol 103
            set dst "all"
            config sla
                edit "FGT_on_prem_ICMP"
                    set id 1
                next
            end
            set priority-zone "OL_1"
            set use-shortcut-sla disable
            set shortcut disable
        next
    end
end


  5. Create a firewall policy that permits only the control-plane traffic (PIM and the ICMP health check) between the two loopback addresses.

On-prem and Cloud FortiGates:


config firewall service custom
    edit "PIM"
        set protocol IP
        set protocol-number 103
    next
end


On-prem FortiGate:

config firewall policy
    edit 1
        set name "OL_1_Routing"
        set srcintf "OL_1"
        set dstintf "loopback.router"
        set action accept
        set srcaddr "192.168.0.2/32"
        set dstaddr "192.168.0.1/32"
        set schedule "always"
        set service "PING" "PIM"
    next
end


Cloud FortiGate:


config firewall policy
    edit 1
        set name "OL_1_Routing"
        set srcintf "OL_1"
        set dstintf "loopback.router"
        set action accept
        set srcaddr "192.168.0.1/32"
        set dstaddr "192.168.0.2/32"
        set schedule "always"
        set service "PING" "PIM"
    next
end


  6. Enable multicast routing and configure PIM in Sparse Mode. The Rendezvous Point (RP) for each group is placed on the FortiGate closest to that group's source (192.168.0.1 for 239.1.1.1, 192.168.0.2 for 239.1.1.2). Because the firewall policies in the previous step accept PIM only from the peer's loopback address, PIM register messages must be sourced from the loopback rather than from a tunnel interface address; register-source is set for that reason, and pim-use-sdwan lets the SD-WAN service rule choose the tunnel.

On-prem and Cloud FortiGates:


config router access-list
    edit "MC-239.1.1.1"
        config rule
            edit 1
                set prefix 239.1.1.1 255.255.255.255
            next
        end
    next
    edit "MC-239.1.1.2"
        config rule
            edit 1
                set prefix 239.1.1.2 255.255.255.255
            next
        end
    next
end


On-prem FortiGate:


config router multicast
    set multicast-routing enable
    config pim-sm-global
        set register-source ip-address
        set pim-use-sdwan enable
        config rp-address
            edit 1
                set ip-address 192.168.0.1
                set group "MC-239.1.1.1"
            next
            edit 2
                set ip-address 192.168.0.2
                set group "MC-239.1.1.2"
            next
        end
    end
    config interface
        edit "tunnel.1"
            set pim-mode sparse-mode
        next
        edit "tunnel.2"
            set pim-mode sparse-mode
        next
        edit "port3"
            set pim-mode sparse-mode
            set passive enable
        next
    end
end


Cloud FortiGate:

config router multicast
    set multicast-routing enable
    config pim-sm-global
        set register-source ip-address
        set pim-use-sdwan enable
        config rp-address
            edit 1
                set ip-address 192.168.0.1
                set group "MC-239.1.1.1"
            next
            edit 2
                set ip-address 192.168.0.2
                set group "MC-239.1.1.2"
            next
        end
    end
    config interface
        edit "tunnel.1"
            set pim-mode sparse-mode
        next
        edit "tunnel.2"
            set pim-mode sparse-mode
        next
        edit "mc.001"
            set pim-mode sparse-mode
            set passive enable
        next
        edit "mc.002"
            set pim-mode sparse-mode
            set passive enable
        next
    end
end


  7. Configure the multicast policies. (In FortiOS v7.6.0 and earlier, a multicast policy cannot reference a zone such as OL_1 or mc.zone.)

On-prem and Cloud FortiGates:


config firewall multicast-address
    edit "MC-239.1.1.1"
        set start-ip 239.1.1.1
        set end-ip 239.1.1.1
    next
    edit "MC-239.1.1.2"
        set start-ip 239.1.1.2
        set end-ip 239.1.1.2
    next
end


On-prem FortiGate:


config firewall multicast-policy
    edit 1
        set name "On-prem_to_239.1.1.1"
        set srcintf "port3"
        set dstintf "OL_1"
        set srcaddr "all"
        set dstaddr "MC-239.1.1.1"
    next
    edit 2
        set name "Cloud_to_239.1.1.2"
        set srcintf "OL_1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "MC-239.1.1.2"
    next
end


Cloud FortiGate:


config firewall multicast-policy
    edit 1
        set name "On-prem_to_239.1.1.1"
        set srcintf "OL_1"
        set dstintf "mc.zone"
        set srcaddr "all"
        set dstaddr "MC-239.1.1.1"
    next
    edit 2
        set name "Cloud_to_239.1.1.2"
        set srcintf "mc.zone"
        set dstintf "OL_1"
        set srcaddr "all"
        set dstaddr "MC-239.1.1.2"
    next
end
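Most failures in a setup like this come from the two sides not mirroring each other (a tunnel remote-ip that does not match the peer's ip, or a control-plane policy that does not admit the peer loopback). The following Python script is an added example, not Fortinet tooling and not part of the original article: it parses the config/edit/set/next/end subset of FortiOS CLI used on this page and cross-checks the two FortiGates. The two embedded snippets are trimmed from the article's configuration; the checks themselves are this example's own.

```python
"""Audit the on-prem and cloud FortiGate configurations from this article for
the values that must mirror each other: every tunnel's local ip equals the
peer's remote-ip, and the control-plane policy admits only the peer loopback
and permits PIM. Added example, not Fortinet tooling; parser covers only the
config/edit/set/next/end subset used on this page."""

ONPREM = """\
config system interface
    edit "loopback.router"
        set ip 192.168.0.1 255.255.255.255
    next
    edit "tunnel.1"
        set ip 169.254.0.1 255.255.255.255
        set remote-ip 169.254.0.2 255.255.255.255
    next
    edit "tunnel.2"
        set ip 169.254.0.3 255.255.255.255
        set remote-ip 169.254.0.4 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "192.168.0.2/32"
        set dstaddr "192.168.0.1/32"
        set service "PING" "PIM"
    next
end
"""

CLOUD = """\
config system interface
    edit "loopback.router"
        set ip 192.168.0.2 255.255.255.255 <- Used for PIM and GENEVE.
    next
    edit "tunnel.1"
        set ip 169.254.0.2 255.255.255.255
        set remote-ip 169.254.0.1 255.255.255.255
    next
    edit "tunnel.2"
        set ip 169.254.0.4 255.255.255.255
        set remote-ip 169.254.0.3 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "192.168.0.1/32"
        set dstaddr "192.168.0.2/32"
        set service "PING" "PIM"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Nested dicts: 'config ...' tables and 'edit' entries become keys, each
    'set' becomes key -> list of values. Inline '<-' annotations are dropped."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = line.split("<-")[0].split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            key = " ".join(t.strip('"') for t in tok[1:])
            stack.append(stack[-1].setdefault(key, {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = [t.strip('"') for t in tok[2:]]
        elif tok[0] in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit and next/end")
    return root


def check_side(local: dict, peer: dict, name: str) -> list:
    """Mismatches seen from one FortiGate's point of view (empty if consistent)."""
    problems = []
    li, pi = local["system interface"], peer["system interface"]
    for tun in ("tunnel.1", "tunnel.2"):
        if li[tun]["ip"][0] != pi[tun]["remote-ip"][0]:
            problems.append(f"{name}: {tun} ip {li[tun]['ip'][0]} is not the peer's remote-ip {pi[tun]['remote-ip'][0]}")
    pol = local["firewall policy"]["1"]
    peer_loop, own_loop = pi["loopback.router"]["ip"][0] + "/32", li["loopback.router"]["ip"][0] + "/32"
    if pol["srcaddr"] != [peer_loop]:
        problems.append(f"{name}: policy 1 srcaddr {pol['srcaddr']} should be exactly [{peer_loop}]")
    if pol["dstaddr"] != [own_loop]:
        problems.append(f"{name}: policy 1 dstaddr {pol['dstaddr']} should be exactly [{own_loop}]")
    if "PIM" not in pol["service"]:
        problems.append(f"{name}: policy 1 does not permit PIM")
    return problems


def audit(onprem_text: str = ONPREM, cloud_text: str = CLOUD) -> list:
    onprem, cloud = parse_fortios(onprem_text), parse_fortios(cloud_text)
    return check_side(onprem, cloud, "on-prem") + check_side(cloud, onprem, "cloud")


if __name__ == "__main__":
    for finding in audit() or ["both configurations are consistent"]:
        print(finding)
```

Run it against the output of `show system interface` and `show firewall policy` from each unit (the parser ignores the inline annotations used on this page); the srcaddr check is deliberately exact, so a policy widened to "all" is reported, since that would expose the loopback and PIM to anything reachable through the overlay zone.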