wdeloraine_FTNT
Article Id 320892
Description: This article describes how to set up the FortiGate so that a receiver sending IGMPv2 reports can get a multicast stream in an SSM network.
Scope: FortiGate v7.4.4+.
Solution

Diagram:

 

[Image: mcast-star-igmp-join.png]

 

Objective:

The Querier will receive the 232.1.1.2 stream with an IGMPv2 report using Source-Specific Multicast (SSM).

 

Details of the topology and a reminder of SSM can be found here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-FortiGate-interface-as-Querier-...

 

In this case, the receiver can only send a (*,G) IGMPv2 report. FortiGate has to be configured to add the source of the stream upon request.


All config and checks can be found in this article:

Technical Tip: How to use FortiGate interface as Querier for a multicast group in SSM network

 

Differences in configuration are listed here:

 

Router Multicast SSM config:

The multicast config for SSM is the same everywhere except for the last hop router. The LHR has to be aware of the source 10.163.11.196 for group 232.1.1.2 in a multicast flow. This multicast-flow is set up on the interface configuration via set multicast-flow. The interface facing the receiver must be listening in IGMPv2.

 

LHR # show router multicast
config router multicast
    set multicast-routing enable
    config pim-sm-global
        set ssm enable
    end
    config interface
        edit "port2"
            set pim-mode sparse-mode
        next
        edit "port3"
            set pim-mode sparse-mode
            set passive enable
            set multicast-flow "lab"
            config igmp
                set version 2
            end
        next
    end
end

 

The following configuration in multicast flow will make sure the FortiGate will select 10.163.11.196 as the source of the group 232.1.1.2.

 

LHR # show router multicast-flow
config router multicast-flow
    edit "lab"
        config flows
            edit 1
                set group-addr 232.1.1.2
                set source-addr 10.163.11.196
            next
        end
    next
end

 

Stream traffic:

Traffic can be streamed out from the source with an iperf command:

root@sender# iperf -u -c 232.1.1.2 -b 10m -t 240 -T50

 

Receive traffic:

The mcjoin tool can be used to receive traffic on host 10.96.11.197. It can be found here https://github.com/troglobit/mcjoin

Use this command to request the 232.1.1.2 stream:

 

mcjoin 232.1.1.2

 

[Image: mcjoing-star.png]

 

To check multicast traffic on the FortiGate devices:

The First Hop Router, Intermediate Router, and Last Hop Router should each display a multicast route similar to this:

 

FHR # get router info multicast table

IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.163.11.196, 232.1.1.2), uptime 00:05:15, stat expires 00:02:27
Owner PIM-SM, Flags: TF
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)

 

RTR # get router info multicast table

IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.163.11.196, 232.1.1.2), uptime 00:06:42, stat expires 00:02:24
Owner PIM-SM, Flags: TF
Incoming interface: port3
Outgoing interface list:
port2 (TTL threshold 1)

 

LHR # get router info multicast table

IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.163.11.196, 232.1.1.2), uptime 00:08:32, stat expires 00:02:58
Owner PIM-SM, Flags: TF
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)
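
The check above can be automated. The following is an added example (not part of the original article and not Fortinet tooling): it reads the multicast-flow config and the multicast routing table, then reports any mapped group that lacks a forwarding (S,G) entry or is routed from a source other than the configured one. The function names are hypothetical, and the sample text is constructed from the LHR outputs shown in this article.

```python
import ipaddress
import re
# Constructed inputs, copied from the LHR outputs shown in this article.
FLOW_CONFIG = """config router multicast-flow
    edit "lab"
        config flows
            edit 1
                set group-addr 232.1.1.2
                set source-addr 10.163.11.196
            next
        end
    next
end"""
MROUTE_TABLE = """(10.163.11.196, 232.1.1.2), uptime 00:08:32, stat expires 00:02:58
Owner PIM-SM, Flags: TF
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)"""
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")  # IANA IPv4 SSM block
ROUTE = re.compile(r"\((\S+), (\S+)\), uptime.*\n.*Flags: (\w*)")

def parse_flows(config):
    """Collect (source, group) pairs from 'show router multicast-flow'."""
    flows, cur = set(), {}
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["set"] and len(words) == 3:
            cur[words[1]] = words[2]
        elif words[:1] in (["edit"], ["next"]):
            if {"group-addr", "source-addr"} <= cur.keys():
                flows.add((cur["source-addr"], cur["group-addr"]))
            cur = {}
    return flows

def parse_mroutes(table):
    """Map (source, group) -> flags from 'get router info multicast table'."""
    return {(s, g): flags for s, g, flags in ROUTE.findall(table)}

def check(flows, routes):
    """Return findings; an empty list means only the pinned sources forward."""
    findings = []
    for src, grp in sorted(flows):
        if ipaddress.ip_address(grp) not in SSM_RANGE:
            findings.append(f"{grp}: outside SSM range {SSM_RANGE}")
        if "F" not in routes.get((src, grp), ""):
            findings.append(f"({src}, {grp}): no forwarding (S,G) route")
    for src, grp in sorted(routes):
        if grp in {g for _, g in flows} and (src, grp) not in flows:
            findings.append(f"({src}, {grp}): source not in multicast-flow")
    return findings
```

Calling check(parse_flows(FLOW_CONFIG), parse_mroutes(MROUTE_TABLE)) on the sample text returns an empty list, meaning the only forwarding state for 232.1.1.2 is the configured source.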

 

 

A packet capture can also be taken on the receiver's eth0 interface to verify that the stream is properly received.

 

[Image: tcpdump-star.png]

 

IGMP information can also be displayed, showing that FortiGate is ready to receive the stream 232.1.1.2 reported by 10.96.11.197.

 

LHR # get router info multicast igmp groups 232.1.1.2
IGMP Connected Group Membership
Group Address    Interface    Uptime      Expires     Last Reporter
232.1.1.2        port3        00:12:46    00:02:16    10.96.11.197

 

 

A packet capture can also be taken for IGMP traffic at the Last Hop Router:

 

diagnose sniffer packet port3 'igmp' 6 0 l

 

It will display the request for group 232.1.1.2.

 

[Image: igmp-out.png]

 

The PIM join packet can be seen on RTR with the source IP for the stream. The LHR has added this information thanks to the multicast flow configuration.

 

[Image: pim-join-out.png]