IGMP Querier with Managed FortiSwitches

If you need to configure an IGMP querier on managed FortiSwitches, you will find nothing in the documentation.

Once you know how it works, it is very simple. The interface of the FortiGate becomes the querier. Like everything more sophisticated on the FortiGate, you use the CLI to configure it.

First, you activate multicast routing on the one interface where you need the querier. The interface then automatically becomes the querier. This solution is used if you want to route multicast traffic.

config router multicast
    set multicast-routing enable
    config interface
        edit "v0009_av"
            set pim-mode sparse-mode
            set passive enable
            config igmp
                set access-group "v0009-mcast-router"
            end
        next
    end
end

In our example, with “set passive enable”, the FortiGate does not send out any PIM information. The FortiGate only accepts and sends IGMP messages.

# get router info multicast igmp interface 
Interface v0009_av (Index 54)
 IGMP Enabled, Active, Querier, Configured for version 3
 Internet address is 10.200.9.254
 IGMP query interval is 125 seconds
 IGMP querier timeout is 255 seconds
 IGMP max query response time is 10 seconds
 Last member query response interval is 1000 milliseconds
 Group Membership interval is 260 seconds
 Router Alert options not required in IGMP packets

Once multicast routing is enabled, the FortiGate automatically registers all IGMP groups found.

# get router info multicast igmp groups 
IGMP Connected Group Membership
Group Address    Interface            Uptime   Expires          Last Reporter
224.0.1.129      v0009_av             02:00:08 00:03:27         0.0.0.0
239.255.255.250  v0009_av             02:00:08 00:03:27         0.0.0.0
239.255.255.255  v0009_av             02:00:08 00:03:27         0.0.0.0

There are cases where you do not want to receive some multicast streams (or IGMP groups). For this, you configure an “access-group”. This group is a router access list that contains the addresses which are permitted or denied.

config router access-list
    edit "v0009-mcast-router"
        config rule
            edit 1
                set action deny
                set prefix 239.2.0.0 255.255.0.0
            next
        end
    next
end

In our example we do not accept join requests for 239.2.0.0/255.255.0.0.
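To check that the access list has the intended effect, the output of "get router info multicast igmp groups" can be compared against the denied prefixes. The following is an added example, not part of the original post or of any Fortinet tooling; the function names are hypothetical, it assumes the CLI formats shown on this page, and the 239.2.1.5 row is constructed sample data.

```python
import ipaddress

# Constructed input: the page's access list, and a group table in the page's
# format where the last row (239.2.1.5) is a constructed example.
ACCESS_LIST = """config router access-list
    edit "v0009-mcast-router"
        config rule
            edit 1
                set action deny
                set prefix 239.2.0.0 255.255.0.0
            next
        end
    next
end"""
GROUPS = """IGMP Connected Group Membership
Group Address    Interface            Uptime   Expires          Last Reporter
239.255.255.250  v0009_av             02:00:08 00:03:27         0.0.0.0
239.2.1.5        v0009_av             00:00:12 00:04:08         0.0.0.0"""

def denied_prefixes(config_text):
    """Collect the prefix of every rule whose action is deny."""
    nets, rule = [], {}
    for words in (line.split() for line in config_text.splitlines()):
        if words[:1] == ["set"] and len(words) >= 3:
            rule[words[1]] = words[2:]
        elif words[:1] == ["next"]:        # end of one rule (or list) entry
            prefix = rule.get("prefix", [])
            if rule.get("action") == ["deny"] and len(prefix) == 2:
                nets.append(ipaddress.ip_network("/".join(prefix)))
            rule = {}
    return nets

def joined_groups(table_text):
    """Return (group, interface) for each data row; skip title and header."""
    rows = []
    for cols in (line.split() for line in table_text.splitlines()):
        try:
            rows.append((ipaddress.ip_address(cols[0]), cols[1]))
        except (ValueError, IndexError):
            continue
    return rows

def violations(config_text, table_text):
    """Joined groups that fall inside a denied prefix."""
    nets = denied_prefixes(config_text)
    return [(str(g), ifc) for g, ifc in joined_groups(table_text)
            if any(g in n for n in nets)]

if __name__ == "__main__":
    print(violations(ACCESS_LIST, GROUPS))
```

An empty result means no joined group falls inside a denied prefix.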

Well, the IGMP querier is now configured.

Using an IGMP querier means that we also have to configure IGMP snooping. If a switch does IGMP snooping, it only forwards multicast traffic on interfaces where a receiver has registered for an IGMP group.

This is configured on the interface of the FortiGate:

config system interface
    edit "v0009_av"
        set vdom "root"
        set ip 10.200.9.254 255.255.255.0
        set allowaccess ping
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
        set switch-controller-igmp-snooping-fast-leave enable
        set interface "fl"
        set vlanid 9
    next
end

First, you turn on IGMP snooping and “Fast Leave”. If you have a switch configuration with MCLAG, you also need to turn on the IGMP proxy.

For audio and video streaming, you have to make sure that only known multicast streams are accepted. This is configured with “Storm Control”:

config switch-controller storm-control
    set rate 100
    set unknown-unicast enable
    set unknown-multicast enable
    set broadcast enable
end

One last important point: by default, the FortiGate uses multicast forward. As a rule of thumb, you use either multicast forward or multicast routing. For this reason, we turn off multicast forward.

config system settings
    set multicast-forward disable
end

Use the following command to see if your IGMP querier and IGMP snooping configuration works:

# diagnose switch-controller switch-info igmp-snooping group 

...

S124EN5918006393:

IGMP-SNOOPING mcast-groups:
Max Entries: 1022

Number of groups: 1

port		 VLAN	 GROUP				 Age-timeout	  IGMP-Version
_FlInK1_MLAG0_	 7   	 querier			 95		  --
port3         	 7   	 239.255.255.250 		 233		  IGMPv3

Here you see all active groups on their interfaces.