Example PIM configuration that uses BSR to find the RP

Adding the NAT multicast policy

In this example, the incoming multicast policy does the address translation.

The NAT address should be the same as the IP address of the loopback interface. The DNAT address is the translated address, which should be a new group.

config firewall multicast-policy
    edit 1
        set dstintf port6
        set srcintf lo0
    next
    edit 2
        set dnat 238.1.1.1
        set dstintf lo0
        set nat 1.4.50.4
        set srcintf port1
    next
end

Configuration steps

In this sample, FortiGate-500A_1 is the RP for the groups 228.1.1.1, 237.1.1.1 and 238.1.1.1, and FortiGate-500A_4 is the RP for the other group, which has a priority of 1. OSPF is used in this example to distribute routes, including the loopback interface. All firewalls have full mesh security policies that allow any to any.

  • In the FortiGate-500A_1 configuration, the NAT policy translates source address 236.1.1.1 to 237.1.1.1.
  • In the FortiGate-500A_4 configuration, the NAT policy translates source address 236.1.1.1 to 238.1.1.1.
  • Source 236.1.1.1 is injected into the network as well.

The following procedures include the CLI commands for configuring each of the FortiGate units in the example configuration.


To configure FortiGate-500A_1

1. Configure multicast routing.

config router multicast
    config interface
        edit port5
            set pim-mode sparse-mode
        next
        edit port4
            set pim-mode sparse-mode
        next
        edit lan
            set pim-mode sparse-mode
        next
        edit port1
            set pim-mode sparse-mode
        next
        edit lo999
            set pim-mode sparse-mode
        next
        edit lo0
            set pim-mode sparse-mode
            set rp-candidate enable
            set rp-candidate-group 1
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-candidate enable
        set bsr-interface lo0
    end
end

2. Add multicast security policies.

config firewall multicast-policy
    edit 1
        set dstintf port5
        set srcintf port4
    next
    edit 2
        set dstintf port4
        set srcintf port5
    next
    edit 3
    next
end

3. Add router access lists.

config router access-list
    edit 1
        config rule
            edit 1
                set prefix 228.1.1.1 255.255.255.255
                set exact-match enable
            next
            edit 2
                set prefix 237.1.1.1 255.255.255.255
                set exact-match enable
            next
            edit 3
                set prefix 238.1.1.1 255.255.255.255
                set exact-match enable
            next
        end
    next
end


To configure FortiGate-500A_2

1. Configure multicast routing.

config router multicast
    config interface
        edit "lan"
            set pim-mode sparse-mode
        next
        edit "port5"
            set pim-mode sparse-mode
        next
        edit "port2"
            set pim-mode sparse-mode
        next
        edit "port4"
            set pim-mode sparse-mode
        next
        edit "lo_5"
            set pim-mode sparse-mode
            config join-group
                edit 236.1.1.1
                next
            end
        next
    end
    set multicast-routing enable
end

2. Add multicast security policies.

config firewall multicast-policy
    edit 1
        set dstintf lan
        set srcintf port5
    next
    edit 2
        set dstintf port5
        set srcintf lan
    next
    edit 4
        set dstintf lan
        set srcintf port2
    next
    edit 5
        set dstintf port2
        set srcintf lan
    next
    edit 7
        set dstintf port1
        set srcintf port2
    next
    edit 8
        set dstintf port2
        set srcintf port1
    next
    edit 9
        set dstintf port5
        set srcintf port2
    next
    edit 10
        set dstintf port2
        set srcintf port5
    next
    edit 11
        set dnat 237.1.1.1
        set dstintf lo_5
        set nat 5.5.5.5
        set srcintf port2
    next
    edit 12
        set dstintf lan
        set srcintf lo_5
    next
    edit 13
        set dstintf port1
        set srcintf lo_5
    next
    edit 14
        set dstintf port5
        set srcintf lo_5
    next
    edit 15
        set dstintf port2
        set srcintf lo_5
    next
    edit 16
    next
end
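As an added consistency check for the NAT multicast policy section and the RP access list above (example code written for this page, not from the FortiOS handbook or Fortinet), the following Python parses the CLI's config/edit/set/next/end grammar and verifies that every dnat is a multicast group covered by the RP's exact-match access list (the one rp-candidate-group points at) and that every nat is a unicast address, as a loopback address must be. The sample is constructed from policy 11 on FortiGate-500A_2 and access-list 1 on FortiGate-500A_1; the function names parse_fortios and check_nat_policies are hypothetical, and the check cannot confirm that nat equals the loopback's actual IP, since the page does not show the interface addresses.

```python
import ipaddress
import shlex

# Constructed sample: policy 11 from FortiGate-500A_2 and access-list 1 from FortiGate-500A_1 above.
SAMPLE = """\
config firewall multicast-policy
    edit 11
        set dnat 237.1.1.1
        set dstintf lo_5
        set nat 5.5.5.5
        set srcintf port2
    next
end
config router access-list
    edit 1
        config rule
            edit 1
                set prefix 237.1.1.1 255.255.255.255
                set exact-match enable
            next
        end
    next
end
"""

def parse_fortios(text):
    """Parse the config/edit/set/next/end grammar of the FortiOS CLI into nested dicts."""
    stack = [{}]  # stack[-1] is the table or entry currently being filled
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):  # open a nested table or entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":  # attribute with one or more values
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):  # close the current table or entry
            stack.pop()
    return stack[0]

def check_nat_policies(cfg, acl_id="1"):
    """Map each multicast policy id to the problems found in its nat/dnat settings."""
    rules = cfg["router access-list"][acl_id]["rule"].values()  # groups the RP advertises
    groups, problems = {r["prefix"][0] for r in rules if r.get("exact-match") == ["enable"]}, {}
    for pid, pol in cfg["firewall multicast-policy"].items():
        issues = problems[pid] = []
        if "dnat" in pol and not ipaddress.ip_address(pol["dnat"][0]).is_multicast:
            issues.append("dnat is not a multicast group")
        elif "dnat" in pol and pol["dnat"][0] not in groups:
            issues.append("dnat group is not in the RP access-list")
        if "nat" in pol and ipaddress.ip_address(pol["nat"][0]).is_multicast:
            issues.append("nat must be a unicast loopback address")
    return problems
```

Running check_nat_policies(parse_fortios(SAMPLE)) returns an empty problem list for policy 11; a dnat group that the RP's access list does not cover is reported, because receivers joining it would never resolve an RP through BSR.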

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
