Description
This article explains how to configure the FortiGate in order to send unicast and multicast traffic over different paths.
Solution
In the following diagram, unicast and multicast traffic are sent over different paths.

- A and B exchange unicast traffic over the 10.1.4.0/24 subnet
- A also sends multicast traffic toward 239.1.4.1 over the 10.10.4.0/24 subnet
- B also sends multicast traffic toward 239.1.1.1 over the 10.10.4.0/24 subnet
PIM relies on unicast routing to perform RPF lookup. Thus unicast routing must be configured to use the multicast path (10.10.4.0/24). Then, policy routing must be configured on R1 and R4 to override unicast routing and send unicast packets over the unicast path (10.1.4.0/24).
Here are the relevant parts of the configuration.
R1
- Firewall policies to allow unicast traffic over unicast path
config firewall policy
    edit 1
        set uuid 4a8af6ca-435c-51e6-232e-80f93f9c3b72
        set srcintf "port2"
        set dstintf "r1_r4_1_0"
        set srcaddr "10.0.0.10"
        set dstaddr "10.4.0.10"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 90101ffc-4390-51e6-f326-694a2b3cf40e
        set srcintf "r1_r4_1_0"
        set dstintf "port2"
        set srcaddr "10.4.0.10"
        set dstaddr "10.0.0.10"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Multicast Firewall policies to allow multicast traffic over multicast path
config firewall multicast-policy
    edit 1
        set srcintf "r1_r4_2_0"
        set dstintf "port2"
        set srcaddr "10.4.0.10"
        set dstaddr "239.1.1.1"
        set protocol 17
        set start-port 8910
        set end-port 8910
    next
    edit 2
        set srcintf "port2"
        set dstintf "r1_r4_2_0"
        set srcaddr "10.0.0.10"
        set dstaddr "239.1.4.1"
        set protocol 17
        set start-port 8910
        set end-port 8910
    next
end
- Multicast routing configuration
config router multicast
    set multicast-routing enable
    config interface
        edit "port2"
            set pim-mode dense-mode
        next
        edit "r1_r4_2_0"
            set pim-mode dense-mode
        next
    end
end
- Static routing configuration
config router static
    edit 1
        set dst 10.4.0.0 255.255.255.0
        set gateway 10.10.4.4
        set device "r1_r4_2_0"
    next
The following static route is required so that unicast traffic received over the unicast path passes the unicast RPF check. The route is added to the routing table but is not preferred because its priority is 100.
    edit 2
        set dst 10.4.0.0 255.255.255.0
        set gateway 10.1.4.4
        set priority 100
        set device "r1_r4_1_0"
    next
end
- Policy routing configuration to override unicast static routing
This forwards unicast traffic between A and B over the unicast path regardless of the static routing configuration.
config router policy
    edit 1
        set src "10.0.0.0/255.255.255.0"
        set dst "10.4.0.0/255.255.255.0"
        set gateway 10.1.4.4
        set output-device "r1_r4_1_0"
    next
end
R4
- Firewall policies to allow unicast traffic over unicast path
config firewall policy
    edit 1
        set uuid 4acb8fb4-435c-51e6-232c-c9429903b6ad
        set srcintf "r1_r4_1_1"
        set dstintf "port4"
        set srcaddr "10.0.0.10"
        set dstaddr "10.4.0.10"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 49e81c3c-4390-51e6-0902-18d591f39ea6
        set srcintf "port4"
        set dstintf "r1_r4_1_1"
        set srcaddr "10.4.0.10"
        set dstaddr "10.0.0.10"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Multicast Firewall policies to allow multicast traffic over multicast path
config firewall multicast-policy
    edit 1
        set srcintf "port4"
        set dstintf "r1_r4_2_1"
        set srcaddr "10.4.0.10"
        set dstaddr "239.1.1.1"
        set protocol 17
        set start-port 8910
        set end-port 8910
    next
    edit 2
        set srcintf "r1_r4_2_1"
        set dstintf "port4"
        set srcaddr "10.0.0.10"
        set dstaddr "239.1.4.1"
        set protocol 17
        set start-port 8910
        set end-port 8910
    next
end
- Multicast routing configuration
config router multicast
    set multicast-routing enable
    config pim-sm-global
    end
    config interface
        edit "port4"
            set pim-mode dense-mode
        next
        edit "r1_r4_2_1"
            set pim-mode dense-mode
        next
    end
end
- Static routing configuration
config router static
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set gateway 10.10.4.1
        set device "r1_r4_2_1"
    next
The following static route is required so that unicast traffic received over the unicast path passes the unicast RPF check. The route is added to the routing table but is not preferred because its priority is 100.
    edit 2
        set dst 10.0.0.0 255.255.255.0
        set gateway 10.1.4.1
        set priority 100
        set device "r1_r4_1_1"
    next
end
- Policy routing configuration to override unicast static routing
This forwards unicast traffic between A and B over the unicast path regardless of the static routing configuration.
FGT_1 (R4) # sh router policy
config router policy
    edit 1
        set src "10.4.0.0/255.255.255.0"
        set dst "10.0.0.0/255.255.255.0"
        set gateway 10.1.4.1
        set output-device "r1_r4_1_1"
    next
end
R1
- Multicast routing table 239.1.1.1
R1 # get router info multicast pim dense-mode table 239.1.1.1
PIM-DM Multicast Routing Table
(10.4.0.10, 239.1.1.1)
RPF Neighbor: 10.10.4.4, Nexthop: 10.10.4.4, r1_r4_2_0
Upstream IF: r1_r4_2_0
Upstream State: Forwarding
Assert State: NoInfo
Downstream IF List:
port2, in 'olist':
Downstream State: NoInfo
Assert State: NoInfo
- Multicast routing table 239.1.4.1
R1 # get router info multicast pim dense-mode table 239.1.4.1
PIM-DM Multicast Routing Table
(10.0.0.10, 239.1.4.1)
Source directly connected on port2
State-Refresh Originator State: Originator
Upstream IF: port2
Upstream State: Forwarding
Assert State: NoInfo
Downstream IF List:
r1_r4_2_0, in 'olist':
Downstream State: NoInfo
Assert State: NoInfo
- Unicast traceroute from A to B
Tracing route to 10.4.0.10 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.0.0.1
2 <1 ms <1 ms <1 ms 10.1.4.4
3 <1 ms <1 ms <1 ms 10.4.0.10
Trace complete.
R4
- Multicast routing table 239.1.1.1
R4 # get router info multicast pim dense-mode table 239.1.1.1
PIM-DM Multicast Routing Table
(10.4.0.10, 239.1.1.1)
Source directly connected on port4
State-Refresh Originator State: Originator
Upstream IF: port4
Upstream State: Forwarding
Assert State: NoInfo
Downstream IF List:
r1_r4_2_1, in 'olist':
Downstream State: NoInfo
Assert State: NoInfo
- Multicast routing table 239.1.4.1
R4 # get router info multicast pim dense-mode table 239.1.4.1
PIM-DM Multicast Routing Table
(10.0.0.10, 239.1.4.1)
RPF Neighbor: 10.10.4.1, Nexthop: 10.10.4.1, r1_r4_2_1
Upstream IF: r1_r4_2_1
Upstream State: Forwarding
Assert State: Loser
Downstream IF List:
port4, in 'olist':
Downstream State: NoInfo
Assert State: NoInfo
- Unicast traceroute from B to A
Tracing route to 10.0.0.10 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.4.0.4
2 <1 ms <1 ms <1 ms 10.1.4.1
3 10 ms <1 ms <1 ms 10.0.0.10
Trace complete.
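
The three lookups that make this design work on R1, modelled as an added Python example (not Fortinet code and not part of the original article). It assumes a default priority of 0 for static route 1 and models the unicast RPF check as "a route to the source exists through the ingress interface"; all function names are illustrative.

```python
import ipaddress

# R1 static routes from the article. Priority 0 on route 1 is an assumed default;
# the article only states that route 2 (priority 100) is less preferred.
STATIC = [
    {"dst": "10.4.0.0/24", "gw": "10.10.4.4", "dev": "r1_r4_2_0", "priority": 0},
    {"dst": "10.4.0.0/24", "gw": "10.1.4.4", "dev": "r1_r4_1_0", "priority": 100},
]
# R1 policy route from the article.
POLICY = [
    {"src": "10.0.0.0/24", "dst": "10.4.0.0/24", "gw": "10.1.4.4", "dev": "r1_r4_1_0"},
]

def _covers(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def candidates(addr, routes=STATIC):
    """Routes covering addr: longest prefix first, then lowest priority value."""
    hits = [r for r in routes if _covers(r["dst"], addr)]
    return sorted(hits, key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen,
                                       r["priority"]))

def pim_rpf_interface(source, routes=STATIC):
    """PIM RPF lookup: interface of the preferred unicast route to the source."""
    best = candidates(source, routes)
    return best[0]["dev"] if best else None

def unicast_egress(src, dst, routes=STATIC, policy=POLICY):
    """Policy routes are matched before the routing table is consulted."""
    for p in policy:
        if _covers(p["src"], src) and _covers(p["dst"], dst):
            return p["dev"]
    best = candidates(dst, routes)
    return best[0]["dev"] if best else None

def unicast_rpf_pass(src, in_dev, routes=STATIC):
    """Modelled check: a route back to src exists through the ingress interface."""
    return any(r["dev"] == in_dev for r in candidates(src, routes))

if __name__ == "__main__":
    B = "10.4.0.10"
    print("PIM RPF interface for source B:", pim_rpf_interface(B))
    print("Unicast A->B egress:", unicast_egress("10.0.0.10", B))
    print("Reply from B on r1_r4_1_0 passes RPF:", unicast_rpf_pass(B, "r1_r4_1_0"))
    print("...without static route 2:", unicast_rpf_pass(B, "r1_r4_1_0", STATIC[:1]))
```

The results match the verification output above: the PIM upstream interface for source 10.4.0.10 is r1_r4_2_0, while the unicast traceroute leaves through 10.1.4.4 on r1_r4_1_0.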