Handbook

6.0.0
Multicast processing

In transparent mode, a FortiGate does not forward frames with multicast destination MAC addresses by default. If multicast traffic is required, multicast policies are recommended to allow finer control of this traffic.

Forwarding all multicast traffic with policy

Multicast traffic may have to be forwarded through a transparent mode device using the multicast-skip-policy system setting. This is the configuration for this solution:

config system settings
    set multicast-skip-policy enable
end

In that case, no check is performed on sources/destinations/interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain.

Configuring firewall multicast-policy

The use of firewall multicast-policy allows finer control over the multicast packets. Hereafter are some commented examples. Note that the multicast-skip-policy setting mentioned above must be left disabled, otherwise these policies are bypassed.

Those policies can only be configured from the CLI.

1. Simple policy

config firewall multicast-policy
    edit 1
        set action accept
    next
end

In that case, no check is performed on sources/destinations/interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain.

2. To restrict incoming and outgoing interfaces:

config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
end

3. To be more restrictive (example: allow RIPv2 packets from port1 to port2, sourced by 10.10.0.10):

config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set srcaddr 10.10.0.10 255.255.255.255
        set dstintf "port2"
        set dstaddr 224.0.0.9 255.255.255.255
        set action accept
    next
end

4. This policy allows the whole 224.0.0.0/24 link-local range (OSPF, RIPv2, DVMRP…) from port1 to port2:

config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set dstaddr 224.0.0.0 255.255.255.0
        set action accept
    next
end
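To see what examples 3 and 4 actually let through, and what multicast-skip-policy disables, the following Python model evaluates a multicast frame against a list of multicast policies the way the page describes: the frame is flooded to every other interface of the forwarding domain, and (unless the skip setting is enabled) each candidate egress interface is checked against the policies with the source/destination interface and address selectors. This is an added illustration, not FortiOS code; the interface names, addresses and the forwarding domain are constructed, and it assumes policies are evaluated in list order with the first match winning and that a frame matching no policy is not forwarded (consistent with the default behaviour stated at the top of this page).

```python
# Added model of FortiGate transparent-mode multicast forwarding decisions.
# Illustrative Python, not FortiOS code. Assumptions: policies are evaluated
# in list order with first match winning, and a multicast frame matching no
# policy is not forwarded. Interface names and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class MulticastPolicy:
    """One 'edit N' entry of 'config firewall multicast-policy'.

    A None selector models the CLI default of "any" for that field.
    """
    id: int
    action: str = "accept"                          # accept | deny
    srcintf: Optional[str] = None
    dstintf: Optional[str] = None
    srcaddr: Optional[ipaddress.IPv4Network] = None
    dstaddr: Optional[ipaddress.IPv4Network] = None


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the 'set srcaddr <ip> <netmask>' CLI form."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def policy_matches(p: MulticastPolicy, srcintf: str, dstintf: str,
                   src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """True when every configured selector of the policy matches the frame."""
    return ((p.srcintf is None or p.srcintf == srcintf)
            and (p.dstintf is None or p.dstintf == dstintf)
            and (p.srcaddr is None or src in p.srcaddr)
            and (p.dstaddr is None or dst in p.dstaddr))


def egress_interfaces(domain: Set[str], policies: List[MulticastPolicy],
                      skip_policy: bool, srcintf: str, src: str, dst: str) -> Set[str]:
    """Interfaces a multicast packet arriving on srcintf is flooded to.

    domain is the set of interfaces in the same forwarding domain;
    skip_policy models 'set multicast-skip-policy enable'.
    """
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if not dst_ip.is_multicast:
        raise ValueError(f"{dst} is not a multicast destination")
    # Flooding never sends the packet back out the interface it arrived on.
    candidates = {i for i in domain if i != srcintf}
    if skip_policy:
        return candidates                           # no checks at all
    allowed = set()
    for dstintf in candidates:
        for p in policies:                          # top-down, first match wins
            if policy_matches(p, srcintf, dstintf, src_ip, dst_ip):
                if p.action == "accept":
                    allowed.add(dstintf)
                break
    return allowed


# Constructed sample: three bridged interfaces in one forwarding domain.
DOMAIN = {"port1", "port2", "port3"}

# Example 3 from the page: RIPv2 from 10.10.0.10, port1 -> port2 only.
RIP_POLICY = [MulticastPolicy(1, srcintf="port1", dstintf="port2",
                              srcaddr=net("10.10.0.10", "255.255.255.255"),
                              dstaddr=net("224.0.0.9", "255.255.255.255"))]

# Example 4 from the page: the whole 224.0.0.0/24 link-local range, port1 -> port2.
LINK_LOCAL_POLICY = [MulticastPolicy(1, srcintf="port1", dstintf="port2",
                                     dstaddr=net("224.0.0.0", "255.255.255.0"))]


if __name__ == "__main__":
    # Expected: {'port2'}, set(), {'port2'}, set(), {'port2', 'port3'}
    print(egress_interfaces(DOMAIN, RIP_POLICY, False, "port1", "10.10.0.10", "224.0.0.9"))
    print(egress_interfaces(DOMAIN, RIP_POLICY, False, "port1", "10.10.0.11", "224.0.0.9"))
    print(egress_interfaces(DOMAIN, LINK_LOCAL_POLICY, False, "port1", "10.10.0.1", "224.0.0.5"))
    print(egress_interfaces(DOMAIN, LINK_LOCAL_POLICY, False, "port1", "10.10.0.1", "239.255.255.250"))
    print(egress_interfaces(DOMAIN, [], True, "port1", "10.10.0.1", "239.255.255.250"))
```

The last call shows why the page insists that multicast-skip-policy stay disabled when using multicast policies: with it enabled, a packet to 239.255.255.250 (SSDP) from port1 reaches port2 and port3 even though no policy exists, whereas the 224.0.0.0/24 policy of example 4 drops it and forwards only link-local routing traffic towards port2.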