Technical Tip: Using destination interface as 'any' on Multicast policy when FortiGate is acting only as a multicast forwarder
| Description | This article describes how the multicast policy should be configured when a FortiGate is acting as a multicast forwarder. |
| Scope | Any FortiGate firmware. |
| Solution | Consider the following diagram: |

Based on the diagram, the multicast traffic reaches the FortiGate from the multicast server and is distributed to the clients. This is done with 'block intra-vlan traffic' enabled on VLAN 100, as per the following config:

```
config system interface edit "Vlan100"
```

When the traffic reaches the FortiGate, a multicast policy is used to send the traffic back out of the ingress interface, which is VLAN 100 on the FortiLink.

Based on this, the multicast policy should look like the following, where the source and destination interface are the same (VLAN100). However, the same interface is not supported as both source and destination:

```
config firewall multicast-policy
```

As a workaround, 'any' can be used as the destination interface, as in the following:

```
config firewall multicast-policy
```

Note 1: It was also observed that a specific destination address does not allow the traffic to flow; hence 'all' is required as the destination address.

Note 2: In future releases, this behavior may change.

Note 3: Beware that this configuration floods the multicast traffic received on VLAN100 to all active interfaces. This wastes network bandwidth and resources, because the traffic is flooded to interfaces where there are no listeners for the multicast traffic. The administrator may consider changing the behavior and allowing direct intra-VLAN traffic if multicast will be used.
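The interface setting and the two multicast policies discussed above, written out in full as an added example that is not the article's own configuration: the rejected same-interface form and the 'any'/'all' workaround. The interface name Vlan100 and the 'all' objects come from the page; the policy ID, the 'set action accept' line and the CLI keyword used for 'block intra-vlan traffic' are assumptions.

```text
# Added example, not from the original article. "Vlan100" is from the page;
# the policy ID and the exact keywords are assumptions based on FortiOS CLI syntax.

# Step 1: block intra-VLAN switching on the FortiLink VLAN so multicast from the
# server is sent up to the FortiGate instead of being switched within the VLAN.
config system interface
    edit "Vlan100"
        set switch-controller-access-vlan enable   # GUI "Block intra-VLAN traffic" (assumed keyword)
    next
end

# Step 2, rejected form: the same interface as source and destination is not accepted.
config firewall multicast-policy
    edit 1
        set srcintf "Vlan100"
        set dstintf "Vlan100"      # rejected: srcintf and dstintf cannot be the same
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end

# Step 2, workaround: destination interface 'any' with destination address 'all'.
# Note 1: a specific multicast address object as dstaddr was observed to stop the flow.
# Note 3: this floods the multicast received on Vlan100 to every active interface,
#         so review which interfaces actually have listeners before deploying it.
config firewall multicast-policy
    edit 1
        set srcintf "Vlan100"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
```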
