Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Enhanced PIM support for VRFs 7.6.1

    Enhanced PIM support for VRFs 7.6.1

    Note

    This information is also available in the FortiOS 7.6 Administration Guide:

    PIM now supports all VRFs (up to 511) and is aware of IPv4 multicast routing and forwarding over a single overlay, enhancing network scalability and flexibility compared to the previous VRF 0-only support.

    Per-VRF commands have been included for multicast routing, as follows:

    config router multicast
    config pim-sm-global-vrf
        edit <vrf>
            set bsr-candidate {enable | disable}
            set bsr-interface <interface>
            set bsr-priority <0-255, default = 0>
            set bsr-hash <0-32, default = 10>
            set bsr-allow-quick-refresh {enable | disable}
            set cisco-crp-prefix {enable | disable}
            config rp-address
                edit <id>
                    set ip-address <RP router IP address>
                    set group <access list name>
                next
            end
        next
    end
end

    VRF support has also been included in the following diagnose, get, and execute commands:

    diagnose ip multicast mfc-add
diagnose ip multicast mfc-del
diagnose vpn mr|mr6 add
diagnose vpn mr|mr6 del
get router info multicast igmp groups
get router info multicast igmp groups-detail
get router info multicast table
get router info multicast table-count
get router info multicast pim sparse-mode bsr-info
get router info multicast pim sparse-mode rp-mapping
get router info multicast pim sparse-mode next-hop
get router info multicast pim sparse-mode table
execute mrouter clear multicast-routes
execute mrouter clear sparse-mode-bsr
execute mrouter clear sparse-routes
execute mrouter clear statistics

    Example

    This example uses the following topology:

    In this example, the multicast server:

    • Sends out multicast traffic 225.1.1.1 from 22.1.1.22 in VRF1.

    • Sends out multicast traffic 225.1.1.2 from 22.1.1.55 in VRF2.

    To verify VRF in IPv4 multicast routing:

    1. Review the sniffer information:

      • The VRF1 client can receive 225.1.1.1 and cannot receive 225.1.1.2:

        24.872130 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request
25.872117 vd3-vlan33 out 22.1.1.22 -> 225.1.1.1: icmp: echo request
25.872123 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request
26.872131 vd3-vlan33 out 22.1.1.22 -> 225.1.1.1: icmp: echo request
26.872137 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request

      • The VRF2 client can receive 225.1.1.2 and cannot receive 225.1.1.1:

        4.320988 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
4.320996 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request
5.320703 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
5.320717 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request
6.320671 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
6.320678 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request

    2. Review the group information:

      # get router info multicast igmp groups
IGMP Connected Group Membership
VRF Group Address    Interface            Uptime   Expires          Last Reporter
1   225.1.1.1        vd3-vlan33           00:15:16 stopped(static)  0.0.0.0
2   225.1.1.2        vd3-vlan331          00:14:49 stopped(static)  0.0.0.0
    Previous
    Next

    Enhanced PIM support for VRFs 7.6.1

    Enhanced PIM support for VRFs 7.6.1

    Note

    This information is also available in the FortiOS 7.6 Administration Guide:

    PIM now supports all VRFs (up to 511) and is aware of IPv4 multicast routing and forwarding over a single overlay, enhancing network scalability and flexibility compared to the previous VRF 0-only support.

    Per-VRF commands have been included for multicast routing, as follows:

    config router multicast
    config pim-sm-global-vrf
        edit <vrf>
            set bsr-candidate {enable | disable}
            set bsr-interface <interface>
            set bsr-priority <0-255, default = 0>
            set bsr-hash <0-32, default = 10>
            set bsr-allow-quick-refresh {enable | disable}
            set cisco-crp-prefix {enable | disable}
            config rp-address
                edit <id>
                    set ip-address <RP router IP address>
                    set group <access list name>
                next
            end
        next
    end
end

    VRF support has also been included in the following diagnose, get, and execute commands:

    diagnose ip multicast mfc-add
diagnose ip multicast mfc-del
diagnose vpn mr|mr6 add
diagnose vpn mr|mr6 del
get router info multicast igmp groups
get router info multicast igmp groups-detail
get router info multicast table
get router info multicast table-count
get router info multicast pim sparse-mode bsr-info
get router info multicast pim sparse-mode rp-mapping
get router info multicast pim sparse-mode next-hop
get router info multicast pim sparse-mode table
execute mrouter clear multicast-routes
execute mrouter clear sparse-mode-bsr
execute mrouter clear sparse-routes
execute mrouter clear statistics

    Example

    This example uses the following topology:

    In this example, the multicast server:

    • Sends out multicast traffic 225.1.1.1 from 22.1.1.22 in VRF1.

    • Sends out multicast traffic 225.1.1.2 from 22.1.1.55 in VRF2.

    To verify VRF in IPv4 multicast routing:

    1. Review the sniffer information:

      • The VRF1 client can receive 225.1.1.1 and cannot receive 225.1.1.2:

        24.872130 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request
25.872117 vd3-vlan33 out 22.1.1.22 -> 225.1.1.1: icmp: echo request
25.872123 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request
26.872131 vd3-vlan33 out 22.1.1.22 -> 225.1.1.1: icmp: echo request
26.872137 vd33-vlan33 in 22.1.1.22 -> 225.1.1.1: icmp: echo request

      • The VRF2 client can receive 225.1.1.2 and cannot receive 225.1.1.1:

        4.320988 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
4.320996 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request
5.320703 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
5.320717 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request
6.320671 vd3-vlan331 out 22.1.1.55 -> 225.1.1.2: icmp: echo request
6.320678 vd4-vlan331 in 22.1.1.55 -> 225.1.1.2: icmp: echo request

    2. Review the group information:

      # get router info multicast igmp groups
IGMP Connected Group Membership
VRF Group Address    Interface            Uptime   Expires          Last Reporter
1   225.1.1.1        vd3-vlan33           00:15:16 stopped(static)  0.0.0.0
2   225.1.1.2        vd3-vlan331          00:14:49 stopped(static)  0.0.0.0
    Previous
    Next