Here I wrote how to configure a FortiGate with managed FortiSwitches as IGMP querier. It is a good solution if the multicast traffic has to pass the FortiGate. If the multicast traffic has to remain in the local subnet, this configuration has a big disadvantage: all multicast streams are sent towards the FortiGate. With multiple TV streams, this quickly saturates the firewall interface.
For a pure layer 2 multicast application, it is better to use the IGMP snooping querier directly on the FortiSwitch.
For an AV over IP project from Crestron we had to find out the configuration by trial and error.
The problem we have is well documented by Cisco. But with managed FortiSwitches, it works completely differently.
Here is how to configure it:
The VLAN used must have IGMP snooping activated. If you use MCLAG, IGMP proxy must be enabled as well. These settings are done directly on the FortiGate.
config system interface
    edit "v0007_client"
        set vdom "root"
        set ip 10.0.3.254 255.255.255.0
        set allowaccess ping
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
        set switch-controller-igmp-snooping-fast-leave enable
    next
end
IGMP snooping is now configured, but we do not receive membership reports yet.
Now we configure IGMP snooping querier on all switches.
This must be configured directly on the FortiSwitch. So use the CLI to connect to it and add the configuration:
config switch vlan
    edit 7
        set igmp-snooping enable
        set igmp-snooping-querier enable
        set querier-addr 10.0.3.254
        set igmp-proxy enable
    next
end
The important parameters are igmp-snooping-querier enable and querier-addr. The IP address used for querier-addr has to be an IP address from the subnet used. Alternatively, you can use 0.0.0.0 as querier-addr.
We use the IP address configured on the FortiGate VLAN. So it is basically the same address as the gateway.
Once configured, the switch sends query requests. All multicast receivers in this subnet now respond to these requests. That allows all switches to fill their forwarding tables. Multicast traffic is now only sent to ports with a receiver expecting the stream.
Starting with FortiOS 7.0.2 you can configure the igmp-snooping-querier directly on the FortiGate:
config switch-controller managed-switch
    edit S248EF1234X891
        config igmp-snooping
            set local-override enable
            config vlans
                edit v0007_client
                    set proxy enable
                    set querier enable
                    set querier-addr 0.0.0.0
                next
            end
        end
    next
end
The frequency of the queries has to be configured directly on the switch too.
config switch igmp-snooping globals
    set query-interval 60
end
In this example, the switch sends a query every 60 seconds. By default it is 120 seconds.
Alternatively, you can configure it directly on the FortiGate using a custom command for the FortiSwitch.
One important thing: if you do not want to configure the querier on all switches, you have to configure a querier on every switch that has a multicast sender connected.
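As an added example (not from the original post or from Fortinet): a small Python check that parses FortiSwitch `config switch vlan` output in the form shown above and flags VLANs where IGMP snooping is enabled without a querier, or where `querier-addr` is neither 0.0.0.0 nor inside the VLAN subnet. The sample config, its VLAN 8 and 9 entries and the `subnets` mapping are constructed for illustration; a VLAN flagged as lacking a querier can be intentional on a switch with no multicast sender connected.

```python
import ipaddress

# Constructed sample in the style of the FortiSwitch CLI block above.
SAMPLE = """\
config switch vlan
    edit 7
        set igmp-snooping enable
        set igmp-snooping-querier enable
        set querier-addr 10.0.3.254
    next
    edit 8
        set igmp-snooping enable
    next
    edit 9
        set igmp-snooping enable
        set igmp-snooping-querier enable
        set querier-addr 192.168.1.1
    next
end
"""

def parse_vlans(text):
    """Return {vlan_id: {option: value}} from a 'config switch vlan' block."""
    vlans, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if len(words) >= 2 and words[0] == "edit":
            current = vlans.setdefault(int(words[1]), {})
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = " ".join(words[2:])
        elif words[:1] == ["next"]:
            current = None
    return vlans

def audit(text, subnets):
    """Return {vlan_id: problem}; subnets maps VLAN id -> interface CIDR (hypothetical input)."""
    findings = {}
    for vid, opts in parse_vlans(text).items():
        if opts.get("igmp-snooping") != "enable":
            continue
        if opts.get("igmp-snooping-querier") != "enable":
            findings[vid] = "snooping enabled but no querier"
            continue
        # Assumption: an unset querier-addr is treated like 0.0.0.0.
        addr = ipaddress.ip_address(opts.get("querier-addr", "0.0.0.0"))
        net = ipaddress.ip_network(subnets[vid], strict=False)
        if not addr.is_unspecified and addr not in net:
            findings[vid] = f"querier-addr {addr} is outside {net}"
    return findings
```

Call `audit(SAMPLE, {7: "10.0.3.254/24", 8: "10.0.4.254/24", 9: "10.0.5.254/24"})` with the config text collected from each switch and the subnets of the matching FortiGate VLAN interfaces.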