I previously wrote about how to configure a FortiGate with managed FortiSwitches as IGMP querier. It is a good solution if the multicast traffic has to pass the FortiGate. If the multicast traffic has to remain in the local subnet, this configuration has a big disadvantage: all multicast streams are sent towards the FortiGate. With multiple TV streams, this quickly saturates the firewall interface.
For a pure layer 2 multicast application, it is better to use the IGMP snooping querier directly on the FortiSwitch.
For an AV over IP project from Crestron we had to find out the configuration by trial and error.
The problem we have is well documented by Cisco. But with managed FortiSwitches, it works completely differently.
Here is how to configure it:
The VLAN used must have IGMP snooping activated. When MCLAG is used, IGMP proxy must be used as well. These settings are made directly on the FortiGate.
    config system interface
        edit "v0007_client"
            set vdom "root"
            set ip 10.0.3.254 255.255.255.0
            set allowaccess ping
            set switch-controller-igmp-snooping enable
            set switch-controller-igmp-snooping-proxy enable
            set switch-controller-igmp-snooping-fast-leave enable
        next
    end
IGMP Snooping is now configured, but we do not receive membership reports yet.
Now we configure IGMP snooping querier on all switches.
This must be configured directly on the FortiSwitch. So use the CLI to connect to it and add the configuration:
    config switch vlan
        edit 7
            set igmp-snooping enable
            set igmp-snooping-querier enable
            set querier-addr 10.0.3.254
            set igmp-proxy enable
        next
    end
The important parameters are igmp-snooping-querier enable and querier-addr. The IP address used for querier-addr has to be an IP address from the subnet used. Alternatively, you can use 0.0.0.0 as querier-addr.
We use the IP address configured on the FortiGate VLAN. So it is basically the same address as the gateway.
Once configured, the switch sends query requests. All multicast receivers in this subnet now respond to these requests. That allows all switches to fill their forwarding tables. Multicast traffic is now only sent to ports with a receiver expecting the stream.
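The two requirements above (querier enabled, querier-addr inside the VLAN subnet or 0.0.0.0) can be checked across many switches with a small script. This is an added example, not code from the original post; the function names, VLAN 8 and the VLAN-to-subnet mapping are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: FortiSwitch VLAN config in the form shown on this page,
# plus a made-up VLAN 8 whose querier address lies outside its subnet.
SAMPLE = """\
config switch vlan
    edit 7
        set igmp-snooping enable
        set igmp-snooping-querier enable
        set querier-addr 10.0.3.254
        set igmp-proxy enable
    next
    edit 8
        set igmp-snooping enable
        set igmp-snooping-querier enable
        set querier-addr 192.168.1.1
    next
end
"""

def parse_vlans(text):
    """Return {vlan_id: {setting: value}} from a 'config switch vlan' block."""
    vlans, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "edit":
            current = vlans.setdefault(words[1].strip('"'), {})
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = " ".join(words[2:]).strip('"')
        elif words[:1] == ["next"]:
            current = None
    return vlans

def check_querier(settings, subnet):
    """List problems with one VLAN's querier settings for the given subnet."""
    problems = [f"{key} is not enabled"
                for key in ("igmp-snooping", "igmp-snooping-querier")
                if settings.get(key) != "enable"]
    raw = settings.get("querier-addr")
    if raw is None:
        problems.append("querier-addr is not set")
    elif raw != "0.0.0.0" and ipaddress.ip_address(raw) not in ipaddress.ip_network(subnet):
        problems.append(f"querier-addr {raw} is outside {subnet}")
    return problems

if __name__ == "__main__":
    subnets = {"7": "10.0.3.0/24", "8": "10.0.4.0/24"}  # assumed mapping
    for vlan, settings in parse_vlans(SAMPLE).items():
        print(vlan, check_querier(settings, subnets[vlan]) or "ok")
```

Feed it the VLAN section of each switch's configuration as text, together with the subnet configured on the matching FortiGate VLAN interface.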
Starting with FortiOS 7.0.2 you can configure the igmp-snooping-querier directly on the FortiGate:
    config switch-controller managed-switch
        edit S248EF1234X891
            config igmp-snooping
                set local-override enable
                config vlans
                    edit v0007_client
                        set proxy enable
                        set querier enable
                        set querier-addr 0.0.0.0
                    next
                end
            end
        next
    end
The frequency of the queries has to be configured directly on the switch too.
    config switch igmp-snooping globals
        set query-interval 60
    end
In this example, the switch sends a query every 60 seconds. By default it is 120 seconds.
Alternatively, you can configure it directly on the FortiGate using a custom command for the FortiSwitch.
One important thing: if you do not want to configure the querier on all switches, you have to configure a querier on every switch that has a multicast sender connected.