vpalli
Staff
Article Id 282627
Description This article provides an explanation of the root cause and offers a solution for the 'No RPF neighbor' error that may occur when steering multicast traffic via SD-WAN interface members using the FortiOS v7.4 feature 'pim-use-sdwan'.
Scope FortiGate.
Solution

With the 'pim-use-sdwan' option, FortiGate can use SD-WAN for PIM (Protocol Independent Multicast) operations: the RPF (Reverse Path Forwarding) neighbor lookup toward the RP (Rendezvous Point) and the transmission of multicast packets. SD-WAN rules can therefore steer multicast traffic.

When an SD-WAN member falls out of SLA, multicast traffic fails over to another SD-WAN member and switches back once the SLA recovers.


CLI Configuration:

config router multicast
    set multicast-routing enable
    config pim-sm-global
        set pim-use-sdwan enable
        config rp-address
            edit 1
                set ip-address 172.17.0.1
            next
        end
    end
    config interface
        edit "port1"
            set pim-mode sparse-mode
            set dr-priority 2
            config igmp
                set version 2
            end
        next
        edit "vpn1"
            set pim-mode sparse-mode
            set dr-priority 2
            config igmp
                set version 2
            end
        next
    end
end

 

In some deployments, particularly when the FortiGate has several SD-WAN zones with the Internet circuits as members of an 'Internet SD-WAN Zone' and the VPN tunnels as members of a 'VPN SD-WAN Zone', PIM traffic may be steered incorrectly over the Internet circuits instead of the intended VPN tunnels.


[Image: Multicast Topology]

 
The cause is rule order: the catch-all SD-WAN rule for Internet-bound traffic (source 'all', destination 'all', no protocol) sits at the top of the rule sequence, so it is the first rule that matches PIM traffic toward the RP.

As a result, when a multicast client requests a stream with an IGMP Join, the RPF lookup toward the RP selects an Internet SD-WAN member. No PIM neighborship exists over the interfaces of the Internet SD-WAN zone, so the FortiGate reports 'No RPF neighbor' and does not send the PIM Join.

This can be confirmed with the PIM-SM debug:

FGT-BurnabyDot9 (root) # di ip router pim-sm all enable
Debug messages will be on for 30 minutes.

FGT-BurnabyDot9 (root) # diagnose ip router pim-sm level info
Debug messages will be on for 30 minutes.

FGT-BurnabyDot9 (root) # di de enable


[Image: PIM-SM debug output]


Solution:
Create an SD-WAN rule with the following parameters:

On the GUI, go to Network -> SD-WAN -> SD-WAN Rules.
Source Subnet: 'all' (the source must be 'all'; a specific subnet does not match, because the PIM messages are sourced by the FortiGate itself rather than by a LAN host).
Destination Subnet: '172.17.0.1/32' (the RP IP address).
Protocol: '103' (PIM).
Members: the VPN tunnel interfaces, because the PIM neighborship and the RP are reached across the IPsec VPN tunnels.

Ensure the rule is positioned at the top of the SD-WAN rule list. In the CLI a newly created rule is appended at the bottom of the sequence, so move it up with 'move 3 before 1' under 'config service'. Afterwards, re-run the PIM-SM debug above to confirm that the PIM Join is now sent over a VPN member.


CLI Configuration:

config system sdwan
    set status enable
    config zone
        edit "Internet-sdwan"
        next
        edit "vpn-sdwan"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "Internet-sdwan"
            set gateway 172.218.187.112
        next
        edit 2
            set interface "wan2"
            set zone "Internet-sdwan"
            set gateway 208.91.115.10
        next
        edit 3
            set interface "vpn1"
            set zone "vpn-sdwan"
        next
        edit 4
            set interface "vpn2"
            set zone "vpn-sdwan"
        next
    end
    config service
        edit 3                         <----- Multicast SD-WAN rule placed at the top of the sequence.
            set name "Multicast-SDWAN"
            set protocol 103
            set dst "172.17.0.1/32"
            set src "all"
            set priority-members 3 4   <----- VPN tunnel members only.
            set priority-zone "vpn-sdwan"
        next
        edit 2
            set name "LANtoVPN"
            set dst "10.10.76.3/32" "10.10.77.0/24" "10.10.78.0/24"
            set src "10.10.9.0/24"
            set priority-members 3 4
            set priority-zone "vpn-sdwan"
        next
        edit 1
            set name "LANtoWAN"
            set mode priority
            set dst "all"
            set src "all"
            set health-check "google.com"
            set link-cost-factor packet-loss
            set priority-members 1 2
            set priority-zone "Internet-sdwan"   <----- Must be a zone defined under config zone.
        next
    end
end
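As an added example (not code from this article or from Fortinet), the following Python script audits an SD-WAN configuration for the ordering problem described above. It parses a FortiOS CLI fragment into nested dictionaries, replays the top-down first-match rule evaluation for PIM (protocol 103) toward the RP, and reports when the winning rule sends that traffic to members that run no PIM (the 'No RPF neighbor' case) or references a priority-zone that was never defined. The parser, the rule model and the sample configuration (with a deliberately undefined zone name in the broken variant) are constructed for this illustration; the "member runs PIM sparse-mode" test stands in for the FortiGate's real RPF neighbor lookup.

```python
# Added example, not FortiOS or Fortinet code. Assumes top-down first-match evaluation in
# 'config service' order, that an unset protocol means any protocol, and that FortiGate-originated
# PIM only matches rules whose source is 'all' (as the article requires for the multicast rule).
import ipaddress
import shlex

def parse_fortios(text):
    """config/edit/set/next/end -> nested dicts; table entries keep the order they appear in."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def first_match(services, proto, dst_ip):
    """SD-WAN rules are evaluated top-down; the first match wins. Returns (rule_id, rule)."""
    ip = ipaddress.ip_address(dst_ip)
    for sid, svc in services.items():
        if int(svc.get("protocol", ["0"])[0]) not in (0, proto):
            continue
        if "all" not in svc.get("src", ["all"]):
            continue  # PIM is router-originated: a rule pinned to a LAN source never matches it
        dst = svc.get("dst", ["all"])
        if "all" in dst or any(ip in ipaddress.ip_network(d, strict=False) for d in dst):
            return sid, svc
    return None, None

def audit(cfg, rp_ip):
    """Return findings; an empty list means PIM toward the RP lands on PIM-enabled members."""
    sdwan, findings = cfg["system sdwan"], []
    zones, members = set(sdwan.get("zone", {})), sdwan.get("members", {})
    pim_ifaces = {n for n, i in cfg.get("router multicast", {}).get("interface", {}).items()
                  if i.get("pim-mode", [""])[0] == "sparse-mode"}
    for sid, svc in sdwan.get("service", {}).items():
        for z in svc.get("priority-zone", []):
            if z not in zones:
                findings.append(f"rule {sid}: priority-zone '{z}' is not defined under config zone")
    sid, svc = first_match(sdwan.get("service", {}), 103, rp_ip)
    if svc is None:
        return findings + ["no SD-WAN rule matches PIM toward the RP"]
    egress = [members[m]["interface"][0] for m in svc.get("priority-members", [])]
    if any(i not in pim_ifaces for i in egress):
        findings.append(f"rule {sid} sends PIM to {rp_ip} via {egress}, which have no PIM "
                        "neighbor: expect 'No RPF neighbor'")
    return findings

def rule(rid, name, member, zone, proto=None, dst="all"):
    """Render one 'config service' entry in FortiOS CLI syntax (source is always 'all')."""
    lines = [f"edit {rid}", f'set name "{name}"'] + ([f"set protocol {proto}"] if proto else [])
    lines += [f'set dst "{dst}"', 'set src "all"', f"set priority-members {member}",
              f'set priority-zone "{zone}"', "next"]
    return "\n".join(lines)

# Constructed sample modelled on the article: vpn1 runs PIM sparse-mode, wan1 does not.
PIM_CFG = """config router multicast
    config interface
        edit "vpn1"
            set pim-mode sparse-mode
        next
    end
end
"""
SDWAN_CFG = """config system sdwan
    config zone
        edit "Internet-sdwan"
        next
        edit "vpn-sdwan"
        next
    end
    config members
        edit 1
            set interface "wan1"
        next
        edit 3
            set interface "vpn1"
        next
    end
    config service
%s
    end
end
"""

def audit_examples():
    """Catch-all Internet rule on top (broken, with an undefined zone name) versus the PIM rule first."""
    pim = rule(3, "Multicast-SDWAN", 3, "vpn-sdwan", proto=103, dst="172.17.0.1/32")
    broken = SDWAN_CFG % "\n".join([rule(1, "LANtoWAN", 1, "dot9-sdwan"), pim])
    fixed = SDWAN_CFG % "\n".join([pim, rule(1, "LANtoWAN", 1, "Internet-sdwan")])
    return {name: audit(parse_fortios(PIM_CFG + text), "172.17.0.1")
            for name, text in (("broken", broken), ("fixed", fixed))}
```

Running `audit_examples()` returns two findings for the broken ordering (the undefined zone and the 'No RPF neighbor' condition, because the catch-all rule wins and steers PIM onto wan1) and none once the multicast rule is first. To audit a real box, paste the output of `show system sdwan` and `show router multicast` into `parse_fortios` and call `audit` with the RP address.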