If you need to configure an IGMP querier on managed FortiSwitches, you will find nothing in the documentation.
Once you know how it works, it is very simple. The interface of the FortiGate becomes the querier. Like everything more sophisticated on the FortiGate, you use the CLI to configure it.
First, you activate multicast routing on the one interface where you need the querier. The interface then automatically becomes the querier. This is the solution to use if you want to route multicast traffic.
config router multicast
    set multicast-routing enable
    config interface
        edit "v0009_av"
            set pim-mode sparse-mode
            set passive enable
            config igmp
                set access-group "v0009-mcast-router"
            end
        next
    end
end
In our example, with “set passive enable”, the FortiGate does not send out any PIM information. The FortiGate only accepts and sends IGMP messages.
# get router info multicast igmp interface
Interface v0009_av (Index 54)
 IGMP Enabled, Active, Querier, Configured for version 3
 Internet address is 10.200.9.254
 IGMP query interval is 125 seconds
 IGMP querier timeout is 255 seconds
 IGMP max query response time is 10 seconds
 Last member query response interval is 1000 milliseconds
 Group Membership interval is 260 seconds
 Router Alert options not required in IGMP packets
Once multicast routing is enabled, the FortiGate automatically registers all IGMP groups found.
# get router info multicast igmp groups
IGMP Connected Group Membership
Group Address    Interface  Uptime    Expires   Last Reporter
224.0.1.129      v0009_av   02:00:08  00:03:27  0.0.0.0
239.255.255.250  v0009_av   02:00:08  00:03:27  0.0.0.0
239.255.255.255  v0009_av   02:00:08  00:03:27  0.0.0.0
There are cases where you do not want to receive some multicast streams (or IGMP groups). For those you configure an “access-group”. This group is a router access list. It contains the addresses which are permitted or denied.
config router access-list
    edit "v0009-mcast-router"
        config rule
            edit 1
                set action deny
                set prefix 239.2.0.0 255.255.0.0
            next
        end
    next
end
In our example we do not accept join requests for 239.2.0.0/255.255.0.0.
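One way to check that the access group behaves as described, as an added example that is not part of the original post: the script reads the deny rules from the access-list configuration and reports every row of the "get router info multicast igmp groups" output that falls inside a denied prefix. The 239.2.10.5 row is constructed sample data, the function names are illustrative, and only explicit deny rules are evaluated (how FortiOS treats groups that match no rule is not modelled).

```python
import ipaddress
import re

# Access list as configured on the page.
ACL_CONFIG = """\
config router access-list
    edit "v0009-mcast-router"
        config rule
            edit 1
                set action deny
                set prefix 239.2.0.0 255.255.0.0
            next
        end
    next
end
"""

# Constructed sample: two rows from the page plus one invented 239.2.x.x
# membership (its group address and reporter are made up for illustration).
GROUPS_OUTPUT = """\
Group Address    Interface  Uptime    Expires   Last Reporter
224.0.1.129      v0009_av   02:00:08  00:03:27  0.0.0.0
239.255.255.250  v0009_av   02:00:08  00:03:27  0.0.0.0
239.2.10.5       v0009_av   00:00:42  00:03:27  10.200.9.17
"""

# One table row: group, interface, uptime, expires, last reporter.
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})[ \t]+(\S+)[ \t]+\S+[ \t]+\S+[ \t]+(\S+)[ \t]*$",
    re.M)

def deny_prefixes(config_text):
    """Return the networks of every rule that has 'set action deny'."""
    nets = []
    for block in re.split(r"^\s*edit\s", config_text, flags=re.M)[1:]:
        action = re.search(r"set action (\S+)", block)
        prefix = re.search(r"set prefix (\S+) (\S+)", block)
        if action and prefix and action.group(1) == "deny":
            nets.append(ipaddress.IPv4Network("/".join(prefix.groups())))
    return nets

def denied_memberships(groups_text, nets):
    """Return (group, interface, last_reporter) rows inside a deny prefix."""
    return [row for row in ROW.findall(groups_text)
            if any(ipaddress.IPv4Address(row[0]) in net for net in nets)]

if __name__ == "__main__":
    for row in denied_memberships(GROUPS_OUTPUT, deny_prefixes(ACL_CONFIG)):
        print("group in denied range is still registered:", *row)
```

An empty result on real output means no membership in the denied range was registered at the time of the check.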
Well, the IGMP querier is now configured.
Using an IGMP querier means that we also have to configure IGMP snooping. If a switch does IGMP snooping, it only forwards multicast traffic on interfaces where a receiver registered for an IGMP group.
This is configured on the interface of the FortiGate:
config system interface
    edit "v0009_av"
        set vdom "root"
        set ip 10.200.9.254 255.255.255.0
        set allowaccess ping
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
        set switch-controller-igmp-snooping-fast-leave enable
        set interface "fl"
        set vlanid 9
    next
end
First, you turn on IGMP snooping and “Fast Leave”. If you have a switch configuration with MCLAG, you also need to turn on IGMP proxy.
In the case of audio and video streaming, you have to make sure to accept only known multicast streams. This is configured with “Storm Control”:
config switch-controller storm-control
    set rate 100
    set unknown-unicast enable
    set unknown-multicast enable
    set broadcast enable
end
A last important point: by default the FortiGate uses multicast forward. As a rule of thumb, you use either multicast forward or multicast routing. For this reason we turn off multicast forward.
config system settings
    set multicast-forward disable
end
Use the following command to see if your IGMP querier and IGMP snooping configuration works:
# diagnose switch-controller switch-info igmp-snooping group
...
S124EN5918006393:
IGMP-SNOOPING mcast-groups:
Max Entries: 1022
Number of groups: 1
port            VLAN  GROUP            Age-timeout  IGMP-Version
_FlInK1_MLAG0_  7     querier          95           --
port3           7     239.255.255.250  233          IGMPv3
Here you see all active groups on their interfaces.