IGMP Snooping Querier with Managed FortiSwitch

Elsewhere I described how to configure a FortiGate with managed FortiSwitches as an IGMP querier. That is a good solution if the multicast traffic has to pass through the FortiGate. If the multicast traffic has to remain in the local subnet, however, this configuration has a big disadvantage: all multicast streams are sent towards the FortiGate. With multiple TV streams, this quickly saturates the firewall interface.

For a pure layer 2 multicast application, it is better to run the IGMP snooping querier directly on the FortiSwitch.

For an AV over IP project from Crestron we had to find out the configuration by trial and error.

The problem we have is well documented by Cisco. But with managed FortiSwitches, it works completely differently.

Here is how to configure it:

IGMP snooping must be enabled on the VLAN in use. If MCLAG is used, IGMP proxy must be enabled as well. These settings are made directly on the FortiGate.

config system interface
    edit "v0007_client"
        set vdom "root"
        set ip 10.0.3.254 255.255.255.0
        set allowaccess ping 
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
        set switch-controller-igmp-snooping-fast-leave enable
    next
end

IGMP Snooping is now configured, but we do not receive membership reports yet.

Now we configure the IGMP snooping querier on all switches.

This must be configured directly on the FortiSwitch, so connect to its CLI and add the following configuration:

config switch vlan
    edit 7
        set igmp-snooping enable
        set igmp-snooping-querier enable
        set querier-addr 10.0.3.254
        set igmp-proxy enable
    next
end

The important parameters are igmp-snooping-querier enable and querier-addr. The address used for querier-addr has to be an IP address from the subnet in use. Alternatively, you can use 0.0.0.0 as querier-addr.

We use the IP address configured on the FortiGate VLAN. So it is basically the same address as the gateway.

Once configured, the switch sends query requests. All multicast receivers in this subnet now respond to these requests. That allows all switches to fill their forwarding tables. Multicast traffic is now only sent to ports with a receiver expecting the stream.

Starting with FortiOS 7.0.2 you can configure the igmp-snooping-querier directly on the FortiGate:

config switch-controller managed-switch
   edit S248EF1234X891
      config igmp-snooping
         set local-override enable
         config vlans
            edit v0007_client
               set proxy enable
               set querier enable
               set querier-addr 0.0.0.0
            next
         end
      end
   next
end

The frequency of the queries has to be configured directly on the switch too.

config switch igmp-snooping globals
    set query-interval 60
end

In this example, the switch sends a query every 60 seconds. By default it is 120 seconds.

Alternatively, you can configure it directly on the FortiGate using a custom command for the FortiSwitch.

One important thing: if you do not want to configure the querier on all switches, you have to configure a querier on every switch that has a multicast sender connected.
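To confirm from a packet capture that the querier configured above really sends general queries at the configured query-interval, the following added example (not part of the original post and not Fortinet code) decodes IGMPv2 payloads and checks the spacing of queries coming from the querier address. IGMPv2 framing is assumed; the sample capture, the receiver 10.0.3.21, the group 239.1.1.10 and all function names are constructed for illustration.

```python
import ipaddress
import struct

# IGMPv2 message types (RFC 2236); IGMPv3 report layouts are not handled.
IGMP_TYPES = {0x11: "query", 0x12: "v1-report", 0x16: "v2-report", 0x17: "leave"}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_igmp(payload: bytes) -> dict:
    """Decode an IGMPv2 payload; reject truncated or corrupted messages."""
    if len(payload) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if inet_checksum(payload) != 0:  # sum over a valid message folds to 0
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, grp = struct.unpack("!BBH4s", payload[:8])
    kind, group = IGMP_TYPES.get(msg_type, "unknown"), str(ipaddress.IPv4Address(grp))
    if kind == "query":
        kind = "general-query" if group == "0.0.0.0" else "group-specific-query"
    return {"kind": kind, "max_resp_s": max_resp / 10, "group": group}

def check_querier(capture, expected_src, interval_s, tolerance_s=2.0):
    """capture: (timestamp_s, source_ip, igmp_payload) tuples; returns problems."""
    times = [ts for ts, src, p in capture
             if src == expected_src and parse_igmp(p)["kind"] == "general-query"]
    problems = []
    if len(times) < 2:
        problems.append("fewer than two general queries from " + expected_src)
    for a, b in zip(times, times[1:]):
        if abs((b - a) - interval_s) > tolerance_s:
            problems.append("gap %.1fs between queries, expected %ds" % (b - a, interval_s))
    return problems

QUERY = bytes.fromhex("1164ee9b00000000")   # general query, max response 10 s
REPORT = bytes.fromhex("1600f9f3ef01010a")  # v2 membership report for 239.1.1.10
QUERIER = "10.0.3.254"                      # querier-addr used on this page
# Constructed capture (not real traffic): queries about 60 s apart, one report.
SAMPLE = [(0.0, QUERIER, QUERY), (3.2, "10.0.3.21", REPORT),
          (60.1, QUERIER, QUERY), (120.0, QUERIER, QUERY)]

if __name__ == "__main__":
    print(check_querier(SAMPLE, QUERIER, 60))
```

If querier-addr is set to 0.0.0.0, pass "0.0.0.0" as the expected source instead of the gateway address.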