router multicast
A FortiGate can operate as a Protocol Independent Multicast (PIM) version 2 router. FortiOS supports PIM sparse mode (RFC 4601) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected.
You can configure a FortiGate unit to support PIM using the config router multicast CLI command. When PIM is enabled, the FortiGate unit allocates memory to manage mapping information. The FortiGate unit communicates with neighboring PIM routers to acquire mapping information and if required, processes the multicast traffic associated with specific multicast groups.
Multicast routing is not supported in Transparent mode.
To configure a PIM domain:
- If you will be using sparse mode, determine appropriate paths for multicast packets.
- Make a note of the interfaces that will be PIM-enabled. These interfaces may run a unicast routing protocol.
- If you will be using sparse mode and want multicast packets to be handled by specific (static) RPs, record the IP addresses of the PIM-enabled interfaces on those RPs.
- Enable PIM version 2 on all participating routers between the source and receivers. Use the config router multicast command to set global operating parameters.
- Configure the PIM routers that have good connections throughout the PIM domain to be candidate BSRs.
- If sparse mode is enabled, configure one or more of the PIM routers to be candidate RPs.
- If required, adjust the default settings of PIM-enabled interface(s).
To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To enable source-to-destination packet delivery, either sparse mode or dense mode must be enabled on the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate is located between a source and a PIM router, two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.
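The procedure above, carried through for sparse mode on a single FortiGate, as an added example (not taken from Fortinet's documentation). The interface names port1 and port2 and the priority values are assumptions, the lines starting with # are annotations for the reader, and the firewall policy mentioned above is not shown.

```fortios
config router multicast
    # Turn on IP multicast routing globally.
    set multicast-routing enable
    config pim-sm-global
        # Offer this unit as a candidate BSR, announced through a
        # PIM-enabled interface (port1 is an assumed name).
        set bsr-candidate enable
        set bsr-interface "port1"
        # The candidate with the highest priority becomes the BSR
        # (0 - 255, default = 0); 100 is a constructed value.
        set bsr-priority 100
    end
    config interface
        edit "port1"
            # Interface facing the other PIM routers.
            set pim-mode sparse-mode
            # Offer RP services on this interface (sparse mode only).
            set rp-candidate enable
            set rp-candidate-interval 60
        next
        edit "port2"
            # Interface facing the receivers (assumed name).
            set pim-mode sparse-mode
            config igmp
                # Highest IGMP version to support on this segment.
                set version 3
            end
        next
    end
end
```

Every other router between the source and the receivers needs PIM version 2 enabled in the same mode, since sparse mode routers cannot send multicast messages to dense mode routers.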
config router multicast
    set route-threshold {integer}   Generate warnings when the number of multicast routes exceeds this number, must not be greater than route-limit. range[1-2147483647]
    set route-limit {integer}   Maximum number of multicast routes. range[1-2147483647]
    set multicast-routing {enable | disable}   Enable/disable IP multicast routing.
    config pim-sm-global
        set message-interval {integer}   Period of time between sending periodic PIM join/prune messages in seconds (1 - 65535, default = 60). range[1-65535]
        set join-prune-holdtime {integer}   Join/prune holdtime (1 - 65535, default = 210). range[1-65535]
        set accept-register-list {string}   Sources allowed to register packets with this Rendezvous Point (RP). size[35] - datasource(s): router.access-list.name
        set accept-source-list {string}   Sources allowed to send multicast traffic. size[35] - datasource(s): router.access-list.name
        set bsr-candidate {enable | disable}   Enable/disable allowing this router to become a bootstrap router (BSR).
        set bsr-interface {string}   Interface to advertise as candidate BSR. size[15] - datasource(s): system.interface.name
        set bsr-priority {integer}   BSR priority (0 - 255, default = 0). range[0-255]
        set bsr-hash {integer}   BSR hash length (0 - 32, default = 10). range[0-32]
        set bsr-allow-quick-refresh {enable | disable}   Enable/disable accept BSR quick refresh packets from neighbors.
        set cisco-register-checksum {enable | disable}   Checksum entire register packet (for old Cisco IOS compatibility).
        set cisco-register-checksum-group {string}   Cisco register checksum only these groups. size[35] - datasource(s): router.access-list.name
        set cisco-crp-prefix {enable | disable}   Enable/disable making candidate RP compatible with old Cisco IOS.
        set cisco-ignore-rp-set-priority {enable | disable}   Use only hash for RP selection (compatibility with old Cisco IOS).
        set register-rp-reachability {enable | disable}   Enable/disable check RP is reachable before registering packets.
        set register-source {disable | interface | ip-address}   Override source address in register packets.
            disable      Use source address of RPF interface.
            interface    Use primary IP of an interface.
            ip-address   Use a local IP address.
        set register-source-interface {string}   Override with primary interface address. size[15] - datasource(s): system.interface.name
        set register-source-ip {ipv4 address}   Override with local IP address.
        set register-supression {integer}   Period of time to honor register-stop message (1 - 65535 sec, default = 60). range[1-65535]
        set null-register-retries {integer}   Maximum retries of null register (1 - 20, default = 1). range[1-20]
        set rp-register-keepalive {integer}   Timeout for RP receiving data on (S,G) tree (1 - 65535 sec, default = 185). range[1-65535]
        set spt-threshold {enable | disable}   Enable/disable switching to source specific trees.
        set spt-threshold-group {string}   Groups allowed to switch to source tree. size[35] - datasource(s): router.access-list.name
        set ssm {enable | disable}   Enable/disable source specific multicast.
        set ssm-range {string}   Groups allowed to source specific multicast. size[35] - datasource(s): router.access-list.name
        set register-rate-limit {integer}   Limit of packets/sec per source registered through this RP (0 - 65535, default = 0 which means unlimited). range[0-65535]
        config rp-address
            edit {id}
            # Statically configure RP addresses.
                set id {integer}   ID. range[0-4294967295]
                set ip-address {ipv4 address}   RP router address.
                set group {string}   Groups to use this RP. size[35] - datasource(s): router.access-list.name
            next
    config interface
        edit {name}
        # PIM interfaces.
            set name {string}   Interface name. size[15] - datasource(s): system.interface.name
            set ttl-threshold {integer}   Minimum TTL of multicast packets that will be forwarded (applied only to new multicast routes) (1 - 255, default = 1). range[1-255]
            set pim-mode {sparse-mode | dense-mode}   PIM operation mode.
                sparse-mode   sparse-mode
                dense-mode    dense-mode
            set passive {enable | disable}   Enable/disable listening to IGMP but not participating in PIM.
            set bfd {enable | disable}   Enable/disable Protocol Independent Multicast (PIM) Bidirectional Forwarding Detection (BFD).
            set neighbour-filter {string}   Routers acknowledged as neighbor routers. size[35] - datasource(s): router.access-list.name
            set hello-interval {integer}   Interval between sending PIM hello messages (0 - 65535 sec, default = 30). range[1-65535]
            set hello-holdtime {integer}   Time before old neighbor information expires (0 - 65535 sec, default = 105). range[1-65535]
            set cisco-exclude-genid {enable | disable}   Exclude GenID from hello packets (compatibility with old Cisco IOS).
            set dr-priority {integer}   DR election priority. range[1-4294967295]
            set propagation-delay {integer}   Delay flooding packets on this interface (100 - 5000 msec, default = 500). range[100-5000]
            set state-refresh-interval {integer}   Interval between sending state-refresh packets (1 - 100 sec, default = 60). range[1-100]
            set rp-candidate {enable | disable}   Enable/disable compete to become RP in elections.
            set rp-candidate-group {string}   Multicast groups managed by this RP. size[35] - datasource(s): router.access-list.name
            set rp-candidate-priority {integer}   Router's priority as RP. range[0-255]
            set rp-candidate-interval {integer}   RP candidate advertisement interval (1 - 16383 sec, default = 60). range[1-16383]
            set multicast-flow {string}   Acceptable source for multicast group. size[35] - datasource(s): router.multicast-flow.name
            set static-group {string}   Statically set multicast groups to forward out. size[35] - datasource(s): router.multicast-flow.name
            config join-group
                edit {address}
                # Join multicast groups.
                    set address {ipv4 address any}   Multicast group IP address.
                next
            config igmp
                set access-group {string}   Groups IGMP hosts are allowed to join. size[35] - datasource(s): router.access-list.name
                set version {3 | 2 | 1}   Maximum version of IGMP to support.
                    3   Version 3 and lower.
                    2   Version 2 and lower.
                    1   Version 1.
                set immediate-leave-group {string}   Groups to drop membership for immediately after receiving IGMPv2 leave. size[35] - datasource(s): router.access-list.name
                set last-member-query-interval {integer}   Timeout between IGMPv2 leave and removing group (1 - 65535 msec, default = 1000). range[1-65535]
                set last-member-query-count {integer}   Number of group specific queries before removing group (2 - 7, default = 2). range[2-7]
                set query-max-response-time {integer}   Maximum time to wait for a IGMP query response (1 - 25 sec, default = 10). range[1-25]
                set query-interval {integer}   Interval between queries to IGMP hosts (1 - 65535 sec, default = 125). range[1-65535]
                set query-timeout {integer}   Timeout between queries before becoming querier for network (60 - 900, default = 255). range[60-900]
                set router-alert-check {enable | disable}   Enable/disable require IGMP packets contain router alert option.
        next
end
Additional information
The following section is for those options that require additional explanation.
route-threshold {integer}
Specify the number of multicast routes that can be added to the routing table before a warning message is displayed (1 - 2 147 483 674, default = 2 147 483 674). The route-threshold value must be lower than the route-limit.
config interface
Use this subcommand to change interface-related PIM settings, including the mode of operation (sparse or dense). Global settings do not override interface-specific settings.
cisco-exclude-genid {enable | disable}
Note: This field is available when pim-mode is sparse-mode.
Enable or disable (by default) including a generation ID in hello messages sent to neighboring PIM routers. A GenID value may be included for compatibility with older Cisco IOS routers.
dr-priority {integer}
Note: This field is available when pim-mode is sparse-mode.
Assign a priority to FortiGate unit Designated Router (DR) candidacy (1 to 4 294 967 294, default = 1). The value is compared to that of other DR interfaces connected to the same network segment, and the router having the highest DR priority is selected to be the DR. If two DR priority values are the same, the interface having the highest IP address is selected.
hello-holdtime <seconds>
Specify the amount of time that a PIM neighbor may consider the information in a hello message to be valid (1 - 65 535 seconds, default = 150).
If the hello-interval attribute is modified and the hello-holdtime attribute has never been set explicitly, the hello-holdtime attribute is automatically set to 3.5 x hello-interval.
hello-interval <seconds>
Specify the amount of time that the FortiGate waits between sending hello messages to neighboring PIM routers (1 - 65 535 seconds, default = 30).
Changing the hello-interval attribute may automatically update the hello-holdtime attribute.
multicast-flow {string}
Connect the named multicast flow to this interface. You must create the multicast flow before it can be selected here, see router multicast-flow.
neighbour-filter <access list>
Establish or terminate adjacency with PIM neighbors having the IP addresses given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
propagation-delay <milliseconds>
Note: This field is available when pim-mode is dense-mode.
Specify the amount of time that the FortiGate waits to send prune-override messages (100 - 5 000, default = 500).
rp-candidate {enable | disable}
Note: This field is available when pim-mode is sparse-mode.
Enable or disable (by default) the FortiGate interface offering Rendezvous Point (RP) services.
rp-candidate-group <access list>
Note: This field is available when rp-candidate is enabled.
Set the RP candidacy to be advertised to certain multicast groups, based on prefixes given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
rp-candidate-interval <seconds>
Note: This field is available when rp-candidate is enabled.
Set the amount of time that the FortiGate waits between sending RP announcement messages (1 - 16 383 seconds, default = 60).
rp-candidate-priority {string}
Note: This field is available when rp-candidate is enabled.
Assign a priority to FortiGate unit Rendezvous Point (RP) candidacy (0 - 255, default = 192).
The BSR compares the value to that of other RP candidates that can service the same multicast group, and the router having the highest RP priority is selected to be the RP for that multicast group. If two RP priority values are the same, the RP candidate having the highest IP address on its RP interface is selected.
state-refresh-interval <seconds>
Note: This field is available when pim-mode is dense-mode.
Set the amount of time that the FortiGate waits between sending state-refresh messages (1 - 100 seconds, default = 60).
When a state-refresh message is received by a downstream router, the prune state on the downstream router is refreshed.
static-group {string}
Statically set multicast groups to forward out using a multicast flow. You must create the multicast flow before it can be selected here, see router multicast-flow.
config igmp
Use this subcommand to configure Internet Group Management Protocol (IGMP) for multicast interfaces.
access-group <access list>
Set the groups that IGMP hosts are allowed to join, based on prefixes given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
immediate-leave-group <access list>
Note: This field is available when version is set to 2 or 3.
Configure a FortiGate DR to stop sending traffic and IGMP queries to receivers after receiving an IGMP version 2 group-leave message from any member of the multicast groups identified in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
last-member-query-count {string}
Note: This field is available when version is set to 2 or 3.
Specify the number of times that a FortiGate unit DR sends an IGMP query to the last member of a multicast group after receiving an IGMP version 2 group-leave message.
last-member-query-interval <milliseconds>
Note: This field is available when version is set to 2 or 3.
Set the amount of time that a FortiGate unit DR waits for the last member of a multicast group to respond to an IGMP query (1000 - 25 500 milliseconds, default = 1 000).
If no response is received before the specified time expires and the FortiGate unit DR has already sent an IGMP query last-member-query-count times, the FortiGate unit DR removes the member from the group and sends a prune message to the associated RP.
config pim-sm-global
These global settings apply only to sparse mode PIM-enabled interfaces. Global PIM settings do not override interface-specific PIM settings.
Use this subcommand to configure a DR to send multicast packets to a particular RP by specifying the IP address of the RP through the config rp-address variable. The IP address must be directly accessible to the DR. If multicast packets from more than one multicast group can pass through the same RP, you can use an access list to specify the associated multicast group addresses.
accept-register-list <access list>
Configure which sources are allowed to register packets with this RP, using the source IP addresses given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
accept-source-list <access list>
Configure which sources are allowed to send multicast traffic, using the source IP addresses given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
bsr-hash <number of bits>
Note: This field is available when bsr-candidate is enabled.
Set the length of the mask to apply to multicast group addresses in order to derive a single RP for one or more multicast groups (0 - 32, default = 10). For example, a value of 24 means that the first 24 bits of the group address are significant. All multicast groups having the same seed hash belong to the same RP.
bsr-interface <interface name>
Note: This field is available when bsr-candidate is enabled.
Specify the name of the PIM-enabled interface through which the FortiGate unit may announce BSR candidacy.
bsr-priority {string}
Note: This field is available when bsr-candidate is enabled.
Assign a priority to FortiGate unit BSR candidacy (0 - 255, default = 0). This value is compared to that of other BSR candidates and the candidate having the highest priority is selected to be the BSR. If two BSR priority values are the same, the BSR candidate having the highest IP address on its BSR interface is selected.
cisco-register-checksum-group <access list>
Note: This field is available when cisco-register-checksum is enabled.
Identify on which PIM packets to perform a whole-packet register checksum based on the multicast group addresses in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
You may choose to register checksums on entire PIM packets for compatibility with older Cisco IOS routers.
register-source {disable | interface | ip-address}
Select a method of overriding the source address in register packets:
- disable: retain the IP address of the FortiGate unit DR interface that faces the RP.
- interface: change the IP source address of a register packet to the IP address of a particular FortiGate unit interface. The register-source-interface attribute specifies the interface name.
- ip-address: change the IP source address of a register packet to a particular IP address. The register-source-ip attribute specifies the IP address (default).
register-source-interface <interfacename>
Note: This field is available when register-source is set to interface.
Enter the name of the FortiGate unit interface.
register-source-ip <IPv4 address>
Note: This field is available when register-source is set to ip-address.
Enter the IP source address to include in the register message.
rp-register-keepalive <seconds>
Set the frequency with which the FortiGate sends keepalive messages to a DR (1 - 65 535, default = 185). The two routers exchange keepalive messages to maintain a link for as long as the source continues to generate traffic.
If the register-suppression attribute is modified on the RP and the rp-register-keepalive attribute has never been set explicitly, the rp-register-keepalive attribute is set to (3 x register-suppression) + 5 automatically.
spt-threshold-group <access list>
Note: This field is available when spt-threshold is enabled.
Build an SPT only for the multicast group addresses given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
ssm {enable | disable}
Note: This field is available when IGMP version on the interface is set to 3.
Enable (by default) or disable Source Specific Multicast (SSM) interactions (see RFC 3569).
ssm-range <access list>
Note: This field is available when ssm is enabled.
Enable SSM only for the multicast addresses given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
By default, multicast addresses in the 232.0.0.0 to 232.255.255.255 (232/8) range are used to support SSM interactions.
config rp-address
Note: This subcommand is available when pim-mode is sparse-mode.
Use this subcommand to statically configure RP addresses.
group <access list>
Configure a single static RP for the multicast group addresses given in the specified access list. You must create the access list before it can be selected here, see router {access-list | access-list6}.
If an RP for any of these group addresses is already known to the BSR, the static RP address is ignored and the RP known to the BSR is used instead.
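The access-list options described above (accept-register-list, accept-source-list, neighbour-filter, access-group) and the route and register limits, combined to restrict which routers, sources and hosts can create multicast state on the unit. This is an added example, not taken from Fortinet's documentation. It assumes access lists named "pim-peers", "mcast-sources" and "mcast-groups" already exist, that port1 faces PIM routers and port2 faces only receivers, and all numeric values are constructed; the lines starting with # are annotations.

```fortios
config router multicast
    set multicast-routing enable
    # Bound the multicast routing table and warn before the limit is hit.
    # route-threshold must not be greater than route-limit.
    set route-limit 2000
    set route-threshold 1500
    config pim-sm-global
        # Only listed sources may register packets with this RP.
        set accept-register-list "mcast-sources"
        # Only listed sources may send multicast traffic.
        set accept-source-list "mcast-sources"
        # Packets/sec per source registered through this RP.
        # The default of 0 means unlimited.
        set register-rate-limit 100
    end
    config interface
        edit "port1"
            set pim-mode sparse-mode
            # Form PIM adjacencies only with routers in this access list.
            set neighbour-filter "pim-peers"
        next
        edit "port2"
            set pim-mode sparse-mode
            # Receiver-only segment (assumed): listen to IGMP but do not
            # participate in PIM on this interface.
            set passive enable
            config igmp
                # Hosts may join only the groups in this access list.
                set access-group "mcast-groups"
                # Require the router alert option in IGMP packets.
                set router-alert-check enable
            end
        next
    end
end
```

Each access list must be created under router access-list before it is referenced here.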