If you need to configure an IGMP querier on managed FortiSwitches, you find nothing in the documentation.
Once you know how it works, it is very simple. The interface of the FortiGate becomes the querier. Like everything more sophisticated on the FortiGate, you use the CLI to configure it.
First, you activate multicast routing on the one interface, where you need the querier. In this case the interface becomes automatically the querier. This solution is used, if you want to route multicast traffic.
config router multicast set multicast-routing enable config interface edit "v0009_av" set pim-mode sparse-mode set passive enable config igmp set access-group "v0009-mcast-router" end next end end
In our example, with “set passive enable“, the FortiGate does not send out any PIM information. The FortiGate only accepts and sends IGMP messages.
# get router info multicast igmp interface Interface v0009_av (Index 54) IGMP Enabled, Active, Querier, Configured for version 3 Internet address is 10.200.9.254 IGMP query interval is 125 seconds IGMP querier timeout is 255 seconds IGMP max query response time is 10 seconds Last member query response interval is 1000 milliseconds Group Membership interval is 260 seconds Router Alert options not required in IGMP packets
Once multicast routing is enabled, the FortiGate automatically registers all IGMP groups found.
# get router info multicast igmp groups IGMP Connected Group Membership Group Address Interface Uptime Expires Last Reporter 126.96.36.199 v0009_av 02:00:08 00:03:27 0.0.0.0 188.8.131.52 v0009_av 02:00:08 00:03:27 0.0.0.0 184.108.40.206 v0009_av 02:00:08 00:03:27 0.0.0.0
There are cases, where you do not want to receive some multicast streams (or IGMP groups). Therefor you configure an “access-group”. This group is a router access list. It contains the addresses which are permitted or denied.
config router access-list edit "v0009-mcast-router" config rule edit 1 set action deny set prefix 220.127.116.11 255.255.0.0 next end next end
In our example we do not accept join requests for 18.104.22.168/255.255.0.0.
Well, the IGMP querier is now configured.
Using IGMP querier means, that we also have to configure IGMP snooping. If a switch does IGMP snooping, in only forwards multicast traffic on interfaces, where a receiver registered for an IGMP group.
This is configured on the interface of the FortiGate
config system interface edit "v0009_av" set vdom "root" set ip 10.200.9.254 255.255.255.0 set allowaccess ping set switch-controller-igmp-snooping enable set switch-controller-igmp-snooping-proxy enable set switch-controller-igmp-snooping-fast-leave enable set interface "fl" set vlanid 9 next end
First, you turn on IGMP snooping, “Fast Leave” and if you have a switch configuration with MCLAG, you need to turn on IGMP proxy.
In the case of audio and video streaming you have to make sure, to accept only know multicast streams. This is configured with “Storm Control”
config switch-controller storm-control set rate 100 set unknown-unicast enable set unknown-multicast enable set broadcast enable end
A last important point. By default the FortiGate uses multicast forward. As a rule of thumb, either you use multicast forward or multicast router. For this reason we turn of multicast forward.
config system settings set multicast-forward disable end
Use the following command, to see if you IGMP querier and IGMP snooping configuration works:
# diagnose switch-controller switch-info igmp-snooping group ... S124EN5918006393: IGMP-SNOOPING mcast-groups: Max Entries: 1022 Number of groups: 1 port VLAN GROUP Age-timeout IGMP-Version _FlInK1_MLAG0_ 7 querier 95 -- port3 7 22.214.171.124 233 IGMPv3
Here you see all active groups on their interfaces.