wdeloraine_FTNT
Article Id 319524
Description: This article describes how to use the FortiGate as a multicast receiver in SSM networks.
Scope: FortiGate 7.4.4 and later.
Solution

This article relies on the following network diagram:

[Network diagram: mcast-ssm-static.png]


Objective: interface port3 on the LHR (last-hop router) receives the multicast stream 232.1.1.2.

 

OSPF is set up between all routers in the backbone area. The OSPF process has converged and connectivity is OK.

 

PIM sparse mode is enabled between LHR and RTR (router), and between RTR and FHR (first-hop router).

PIM-SM neighbors are established.

 

A firewall multicast policy is set on each FortiGate to allow the traffic from source 10.163.11.196 to 232.1.1.2.

 

As a reminder, SSM (Source-Specific Multicast) has the following characteristics:

  • The group is in the range 232.0.0.0/8.
  • The receiver must specify the source together with the requested multicast group, i.e. it joins (S, G).
  • There is no need for a rendezvous point (RP), as the receiver knows the source of the stream in the first place.
  • The unicast route must be known toward the source of the stream.


PIM neighbor check command:

 

LHR # get router info multicast pim sparse-mode neighbour
Neighbor Interface Uptime/Expires Ver DR
Address Priority/Mode
10.141.13.231 port2 21:25:22/00:01:23 v2 1 / DR

 

RTR # get router info multicast pim sparse-mode neighbour
Neighbor Interface Uptime/Expires Ver DR
Address Priority/Mode
10.141.13.223 port2 21:28:40/00:01:25 v2 1 /
10.143.13.242 port3 21:28:45/00:01:30 v2 1 / DR

 

FHR # get router info multicast pim sparse-mode neighbour
Neighbor Interface Uptime/Expires Ver DR
Address Priority/Mode
10.143.13.231 port3 01d04h24m/00:01:22 v2 1 /

 

Source registration at FHR:

The source must be known by the first-hop router. The stream is received on port2, which is expected.

 

FHR # get router info multicast table 232.1.1.2

IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.163.11.196, 232.1.1.2), uptime 01:21:24
Owner PIM-SM, Flags: F
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)

 

The unicast routing table has to be populated:

The source of the stream 232.1.1.2 (10.163.11.196) must be known by every router within the SSM network.

 

LHR # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.63.254, port1, [1/0]
C 10.5.48.0/20 is directly connected, port1
C 10.96.0.0/20 is directly connected, port3
C 10.141.0.0/20 is directly connected, port2
O 10.143.0.0/20 [110/2] via 10.141.13.231, port2, 21:32:49, [1/0]
O 10.163.0.0/20 [110/3] via 10.141.13.231, port2, 21:32:49, [1/0]

 

RTR # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.63.254, port1, [1/0]
C 10.5.48.0/20 is directly connected, port1
O 10.96.0.0/20 [110/2] via 10.141.13.223, port2, 21:34:04, [1/0]
C 10.141.0.0/20 is directly connected, port2
C 10.143.0.0/20 is directly connected, port3
O 10.163.0.0/20 [110/2] via 10.143.13.242, port3, 21:36:32, [1/0]

 
 

Router multicast SSM config:

The multicast configuration for SSM is the same on every router except the last-hop router.

The LHR must know the source 10.163.11.196 for group 232.1.1.2; this (S, G) pair is defined in a multicast-flow.

The multicast-flow is then applied to the receiver interface with set multicast-flow and set static-group.

 

FHR # show router multicast
config router multicast
    set multicast-routing enable
        config pim-sm-global
            set ssm enable
        end
        config interface
            edit "port2"
                set pim-mode sparse-mode
                set passive enable
            next
            edit "port3"
                set pim-mode sparse-mode
            next
        end
end

 

RTR # show router multicast
config router multicast
    set multicast-routing enable
        config pim-sm-global
            set ssm enable
        end
        config interface
            edit "port2"
                set pim-mode sparse-mode
            next
            edit "port3"
                set pim-mode sparse-mode
            next
        end
end

 

LHR # show router multicast
config router multicast
    set multicast-routing enable
        config pim-sm-global
            set ssm enable
        end
        config interface
            edit "port2"
                set pim-mode sparse-mode
            next
            edit "port3"
                set pim-mode sparse-mode
                set passive enable
                set multicast-flow "lab"
                set static-group "lab"
            next
        end
end


LHR # show router multicast-flow
config router multicast-flow
    edit "lab"
        config flows
            edit 1
                set group-addr 232.1.1.2
                set source-addr 10.163.11.196
            next
        end
    next
end

 

Firewall multicast policy config:

 

All FortiGate devices share the same address objects. Each FortiGate then has its own multicast policy, depending on its interfaces.

config firewall multicast-address
    edit "lab"
        set start-ip 232.1.1.0
        set end-ip 232.1.1.255
    next
end

 

config firewall address
    edit "lab-src"
        set subnet 10.163.11.196 255.255.255.255
    next
end

 

FHR # show firewall multicast-policy
config firewall multicast-policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "lab-src"
        set dstaddr "lab"
    next
end

 

RTR # show firewall multicast-policy
config firewall multicast-policy
    edit 1
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "lab-src"
        set dstaddr "lab"
    next
end

 

Stream traffic:

 

Traffic can be streamed from the source with an iperf command:

root@sender# iperf -u -c 232.1.1.2 -b 20m -t 2400 -T20

 

Check multicast traffic on the FortiGate devices:

On FHR, the stream is received (incoming) on port2 and forwarded (outgoing) on port3. This is expected.

FHR # get router info multicast table

IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.163.11.196, 232.1.1.2), uptime 01:48:50
Owner PIM-SM, Flags: F
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)

 

On RTR, the stream is received (incoming) on port3 and forwarded (outgoing) on port2. This is expected.

 

RTR # get router info multicast table

IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.163.11.196, 232.1.1.2), uptime 01:47:34
Owner PIM-SM, Flags: F
Incoming interface: port3
Outgoing interface list:
port2 (TTL threshold 1)

 

On LHR, the stream is received (incoming) on port2 and forwarded (outgoing) on port3. This is expected.

 

LHR # get router info multicast table

IP Multicast Routing Table
Flags: I - Immediate Stat, T - Timed Stat, F - Forwarder installed
Timers: Uptime/Stat Expiry
Interface State: Interface (TTL threshold)

(10.163.11.196, 232.1.1.2), uptime 01:48:51
Owner PIM-SM, Flags: F
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)
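As an added consistency check (not part of the article or of FortiOS), the following Python script parses the LHR routing table and (S, G) entry shown above, performs the RPF lookup toward the source, and verifies the SSM conditions listed earlier: the group lies inside 232.0.0.0/8, the unicast route toward the source points at the same interface as the incoming interface, and the receiver interface is present in the outgoing interface list. The sample text is constructed from the article's LHR output.

```python
import ipaddress
import re
# Constructed sample inputs: the article's LHR "get router info routing-table all"
# and "get router info multicast table" outputs, embedded here for an offline run.
LHR_ROUTES = """Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.5.63.254, port1, [1/0]
C 10.96.0.0/20 is directly connected, port3
C 10.141.0.0/20 is directly connected, port2
O 10.163.0.0/20 [110/3] via 10.141.13.231, port2, 21:32:49, [1/0]
"""
LHR_MROUTE = """(10.163.11.196, 232.1.1.2), uptime 01:48:51
Owner PIM-SM, Flags: F
Incoming interface: port2
Outgoing interface list:
port3 (TTL threshold 1)
"""
ROUTE_RE = re.compile(r"^\S+\s+(\S+/\d+)\s.*?\b(port\d+)")

def parse_routes(text):
    """Return [(network, interface)] from FortiGate routing-table output."""
    return [(ipaddress.ip_network(m.group(1)), m.group(2))
            for m in map(ROUTE_RE.match, text.splitlines()) if m]

def rpf_interface(routes, source):
    """Longest-prefix match: the interface on which traffic from `source` must arrive."""
    src = ipaddress.ip_address(source)
    best = max((r for r in routes if src in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def parse_mroute(text):
    """Extract source, group, incoming interface and outgoing list from an (S, G) entry."""
    sg = re.search(r"\((\S+), (\S+)\)", text)
    iif = re.search(r"Incoming interface: (\S+)", text).group(1)
    oil = re.findall(r"^(port\d+) \(TTL threshold", text, re.M)
    return {"source": sg.group(1), "group": sg.group(2), "iif": iif, "oil": oil}

def check_ssm_entry(routes_text, mroute_text, receiver_if):
    """Return a list of problems; an empty list means the SSM entry is consistent."""
    e = parse_mroute(mroute_text)
    problems = []
    if ipaddress.ip_address(e["group"]) not in ipaddress.ip_network("232.0.0.0/8"):
        problems.append(f"group {e['group']} is outside the SSM range 232.0.0.0/8")
    rpf = rpf_interface(parse_routes(routes_text), e["source"])
    if rpf is None:
        problems.append(f"no unicast route toward source {e['source']}")
    elif rpf != e["iif"]:
        problems.append(f"RPF interface {rpf} differs from incoming interface {e['iif']}")
    if receiver_if not in e["oil"]:
        problems.append(f"{receiver_if} is missing from the outgoing interface list")
    return problems
```

Run `check_ssm_entry(LHR_ROUTES, LHR_MROUTE, "port3")` against outputs pasted from each router; an empty list confirms the entry matches what the article's steps expect.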

 

A packet capture on port3 can also verify that the stream is properly received.

 

LHR # diagnose sniffer packet port3 'host 232.1.1.2' 4 8 l
Using Original Sniffing Mode
interfaces=[port3]
filters=[host 232.1.1.2]
2024-06-07 06:08:55.095113 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470
2024-06-07 06:08:55.095839 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470
2024-06-07 06:08:55.096454 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470
2024-06-07 06:08:55.096824 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470
2024-06-07 06:08:55.097596 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470
2024-06-07 06:08:55.098036 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470
2024-06-07 06:08:55.098683 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470
2024-06-07 06:08:55.099074 port3 -- 10.163.11.196.58328 -> 232.1.1.2.5001: udp 1470

 

Finally, the IGMP group membership can be displayed, showing that the FortiGate has a static join for the stream 232.1.1.2 on port3.

 

LHR # get router info multicast igmp groups 232.1.1.2
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
232.1.1.2 port3 21:44:45 stopped(static) 0.0.0.0