IGMP snooping
The FortiSwitch unit uses the information passed in IGMP messages to optimize the forwarding of multicast traffic.
IGMP snooping allows the FortiSwitch unit to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
Essentially, IGMP snooping is a layer-2 optimization for the layer-3 IGMP.
The current version of IGMP is version 3, and the FortiSwitch unit is also compatible with IGMPv1 and IGMPv2.
Here is the basic IGMP snooping operation:
- A host expresses interest in joining a multicast group (it sends or responds to a join message).
- The FortiSwitch unit creates an entry in the layer-2 forwarding table (or adds the hostʼs port to an existing entry). The switch creates one table entry per VLAN per multicast group.
- The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).
In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request IGMP reports. The FortiSwitch unit uses the IGMP reports to update the layer-2 forwarding table.
NOTE: If you want to use IGMP snooping with an MCLAG, see Configuring an MCLAG with IGMP snooping.
Notes
- On the FS-100E series, IGMP snooping can be enabled on a maximum of 6 VLANs.
- Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the mRouter ports need to be relearned.
- Currently, IGMPv3 (source-specific) is not fully supported. FortiSwitchOS can identify the IGMPv3 query/report messages, but the multicast group creation and traffic replication are based on the multicast group address and VLAN only (IGMPv2 operation).
- The IGMP snooping entries are added based on multicast group MAC address.
- When IGMP snooping is enabled on a VLAN on the FSR-112D-POE model:
  - All IPv6 multicast and any non-IP multicast are forwarded to querier ports only instead of getting flooded on the VLAN. The forwarding of IPv6 to the CPU is unchanged.
  - IPv4 reserved multicast is flooded to the VLAN and not forwarded to the CPU, even if the CPU is part of the VLAN.
  - Unregistered IPv4 multicast is forwarded to querier ports only.
  If IPv6 multicast and/or non-IP multicast is expected to be forwarded to any ports other than querier ports, the igmps-flood-traffic setting can be enabled on the required ports.
- Starting with FortiSwitchOS 6.4.0, when an inter-switch link (ISL) is formed automatically, the igmps-flood-reports and igmps-flood-traffic options are disabled by default.
- Starting with FortiSwitchOS 6.2.2, the following snooping table limits apply:
| Platform Series | IGMP Snooping Table Limit |
|---|---|
| 108E and 124E | 1022 |
| 112D | 895 |
| 200 | 1022 |
| 400 | 1022 |
| 500 | 1022 |
| 1024 and 1048 | 1022 |
| 3032 | 1022 |
NOTE: Until FortiSwitchOS 3.5.1, the table limits were hardware only. The software limit for all platforms was 8192.
Configuring IGMP snooping
Configuring IGMP snooping consists of the following major steps:
- Configure IGMP snooping on a global level.
- Optional. Enable IGMP-snooping options on the interfaces.
- Configure IGMP snooping on the VLANs.
1. Configure IGMP snooping on a global level
By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is 300 seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.
Using the CLI:
config switch igmp-snooping globals
set aging-time <15-3600>
set flood-unknown-multicast {enable | disable}
end
For example:
config switch igmp-snooping globals
set aging-time 500
set flood-unknown-multicast enable
end
2. Enable IGMP-snooping options on the interfaces
Optional. You can flood IGMP reports and flood multicast traffic on a specified switch interface. By default, these options are disabled.
Using the GUI:
- Go to Switch > Interface > Physical or Switch > Interface > Trunk.
- Select an interface.
- Select Edit.
- In the IGMP Snooping area, select Flood Reports, Flood Traffic, or both if needed.
- Select OK.
Using the CLI:
config switch interface
edit <port>
set native-vlan <vlan-id>
set igmps-flood-reports {enable | disable}
set igmps-flood-traffic {enable | disable}
next
end
For example:
config switch interface
edit port10
set native-vlan 30
set igmps-flood-reports enable
set igmps-flood-traffic enable
next
edit port2
set native-vlan 30
set igmps-flood-reports enable
set igmps-flood-traffic enable
next
edit port4
set native-vlan 30
set igmps-flood-reports enable
set igmps-flood-traffic enable
next
edit port6
set native-vlan 30
set igmps-flood-reports enable
set igmps-flood-traffic enable
next
edit port8
set native-vlan 30
set igmps-flood-reports enable
set igmps-flood-traffic enable
next
end
Use the following command to clear the learned/configured multicast group from an interface:
execute clear switch igmp-snoop
3. Configure IGMP snooping on the VLANs
Enable IGMP snooping on a specified VLAN and configure IGMP static groups. By default, IGMP snooping is disabled.
You can define static groups for particular multicast addresses in a VLAN that has IGMP snooping enabled. You can specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static group. There are two restrictions for IGMP static groups:
- The range of multicast addresses (mcast-addr) from 224.0.0.1 to 224.0.0.255 cannot be used.
- The VLAN must already be assigned as the native VLAN for a switch interface and be included in the range of allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be used for IGMP static groups.
Starting in FortiSwitchOS 6.2.0, you can also use the CLI to enable IGMP proxy, which allows the VLAN to send IGMP reports. After you enable igmp-proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit will also reply to generic queries and will send IGMP reports to the upstream interface.
Using the GUI:
- Go to Switch > VLAN.
- Select Add VLAN.
- In the ID field, enter the VLAN identifier.
- In the Description field, enter a description for the new VLAN.
- In the IGMP Snooping area, select Enable.
- Optionally, select IGMP Proxy.
- In the IGMP Static Groups area, select + to add an IGMP static group.
  NOTE: If the VLAN identifier that you entered in step 3 is not already assigned as the native VLAN for an interface and is not included in the range of allowed VLANs for an interface, the + button does not work.
- In the Name field, enter a name for the IGMP static group.
- In the Multicast Address field, enter the multicast address.
- Select the interfaces to include.
- Select Add to create the new VLAN.
Using the CLI:
config switch vlan
edit <vlan-id>
set igmp-snooping {enable | disable}
set igmp-proxy {enable | disable}
config igmp-static-group
edit <group-name>
set mcast-addr <multicast-address>
set members <interface>
next
end
next
end
For example, to configure two static groups for the same VLAN:
config switch vlan
edit 30
set igmp-snooping enable
config igmp-static-group
edit g239-1-1-1
set mcast-addr 239.1.1.1
set members port2 port5 port28
next
edit g239-2-2-2
set mcast-addr 239.2.2.2
set members port5 port10 trunk-1
next
end
next
end
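The two static-group restrictions above, together with the earlier note that snooping entries are added based on the multicast group MAC address, can be checked before a configuration is pushed. The following is an added example, not Fortinet code: the `check_static_groups` and `group_mac` names and the sample configuration are constructed here, and the MAC mapping is the standard RFC 1112 one, under which 32 IPv4 group addresses map to each MAC.

```python
import ipaddress
# Constructed input in the syntax of the static-group example above.
CONFIG = """\
config switch vlan
    edit 30
        config igmp-static-group
            edit g239-1-1-1
                set mcast-addr 239.1.1.1
                set members port2 port5 port28
            next
            edit g238-129-1-1
                set mcast-addr 238.129.1.1
                set members port10
            next
            edit g224-0-0-5
                set mcast-addr 224.0.0.5
                set members port4
            next
        end
    next
end
"""
LO, HI = ipaddress.IPv4Address("224.0.0.1"), ipaddress.IPv4Address("224.0.0.255")

def group_mac(addr):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    low = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)

def check_static_groups(config):
    """Return problems: non-multicast or disallowed addresses, per-VLAN MAC collisions."""
    problems, seen, vlan, name, in_static = [], {}, None, None, False
    for tok in (line.split() for line in config.splitlines()):
        # Track whether we are inside a "config igmp-static-group" block.
        if tok[:2] == ["config", "igmp-static-group"] or tok == ["end"]:
            in_static = tok != ["end"]
        elif tok[:1] == ["edit"] and len(tok) == 2:
            vlan, name = (vlan, tok[1]) if in_static else (tok[1], None)
        elif in_static and tok[:2] == ["set", "mcast-addr"] and len(tok) == 3:
            addr = ipaddress.IPv4Address(tok[2])
            if not addr.is_multicast:
                problems.append(f"VLAN {vlan} {name}: {addr} is not a multicast address")
            elif LO <= addr <= HI:
                problems.append(f"VLAN {vlan} {name}: {addr} is in 224.0.0.1-224.0.0.255")
            else:
                other = seen.setdefault((vlan, group_mac(addr)), name)
                if other != name:
                    problems.append(f"VLAN {vlan} {name}: same MAC {group_mac(addr)} as {other}")
    return problems
```

On the constructed input, 239.1.1.1 and 238.129.1.1 are reported as sharing one MAC in VLAN 30, and 224.0.0.5 is reported as falling in the disallowed range.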
Check the IGMP-snooping configuration
Use the following command to display information about IGMP snooping:
# get switch igmp-snooping (globals | group | interface | static-group)
- globals: display the IGMP snooping global configuration on the FortiSwitch unit
- group: display a list of learned groups
- interface: display the configured IGMP snooping interfaces and their current state
- static-group: display the list of configured static groups
Display the IGMP snooping global settings:
FS1D243Z13000023 # get switch igmp-snooping globals
aging-time : 300
flood-unknown-multicast: disabled
In the GUI, go to Switch > Monitor > IGMP Snooping to see the learned multicast groups.
Use the following CLI command to see the learned multicast groups:
FS1D243Z13000023 # get switch igmp-snooping group
Number of Groups: 7
port of-port VLAN GROUP Age
(__port__9) 1 23 231.8.5.4 16
(__port__9) 1 23 231.8.5.5 16
(__port__9) 1 23 231.8.5.6 16
(__port__9) 1 23 231.8.5.7 16
(__port__9) 1 23 231.8.5.8 16
(__port__9) 1 23 231.8.5.9 16
(__port__9) 1 23 231.8.5.10 16
(__port__43) 3 23 querier 17
(__port__14) 8 --- flood-reports ---
(__port__10) 2 --- flood-traffic ---
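The group listing above can be audited offline for querier and flood ports that are not on an expected list, and for a snooping table approaching the platform limit. The following is an added example, not Fortinet code: the function names, the 90% threshold, and the sample text are constructed here, and it assumes the first column identifies the port and that the flood-reports and flood-traffic rows mark ports with those interface options set.

```python
import re

# Constructed sample in the layout of the `get switch igmp-snooping group` output above.
SAMPLE = """\
Number of Groups: 3
port of-port VLAN GROUP Age
(__port__9) 1 23 231.8.5.4 16
(__port__9) 1 23 231.8.5.5 16
(__port__12) 4 23 231.8.5.6 40
(__port__43) 3 23 querier 17
(__port__14) 8 --- flood-reports ---
(__port__10) 2 --- flood-traffic ---
"""
ROW = re.compile(r"^\((\S+)\)\s+\d+\s+(\S+)\s+(\S+)\s+\S+$")

def parse_groups(text):
    """Return (learned {(vlan, group): ports}, querier {(vlan, port)}, flood {port: kinds})."""
    learned, querier, flood = {}, set(), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # "Number of Groups" and column-header lines
        port, vlan, group = m.groups()
        if group == "querier":
            querier.add((vlan, port))
        elif group.startswith("flood-"):
            flood.setdefault(port, set()).add(group)
        else:
            learned.setdefault((vlan, group), set()).add(port)
    return learned, querier, flood

def audit(text, expected_mrouter_ports, table_limit):
    """List querier/flood ports that are not expected, and report table pressure."""
    learned, querier, flood = parse_groups(text)
    findings = []
    for vlan, port in sorted(querier):
        if port not in expected_mrouter_ports:
            findings.append(f"querier seen on {port} (VLAN {vlan}), not an expected mRouter port")
    for port in sorted(flood):
        if port not in expected_mrouter_ports:
            kinds = "+".join(sorted(flood[port]))
            findings.append(f"{port} has {kinds} set, not an expected mRouter port")
    if len(learned) >= 0.9 * table_limit:  # 90% threshold is an assumption
        findings.append(f"snooping table holds {len(learned)} of {table_limit} entries")
    return findings
```

Pass the table limit for the platform from the table of snooping table limits (for example, 1022) and the set of ports that are intended to face a multicast router.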
Display the list of configured static groups:
FS1D243Z13000023 # get switch igmp-snooping static-group
VLAN ID Group-Name Multicast-addr Member-interface
_______ ______________ _______________ _________________________
11 g239-1 239:1:1:1 port6 trunk-2
11 g239-11 239:2:2:11 port26 port48 trunk-2
40 g239-1 239:1:1:1 port5 port25 trunk-2
40 g239-2 239:2:2:2 port25 port26
Configuring the IGMP querier
To use the IGMP querier, you need to configure how often IGMP queries are sent, enable the IGMP querier for a specific VLAN, and specify the address for the IGMP querier.
Use the following commands to specify how many seconds are between IGMP queries. The default is 120 seconds.
config switch igmp-snooping globals
set query-interval <10-1200>
end
For example:
config switch igmp-snooping globals
set aging-time 150
set flood-unknown-multicast enable
set query-interval 200
end
Use the following commands to enable the IGMP querier for a specific VLAN and specify the address that IGMP reports are sent to:
config switch vlan
edit 100
set igmp-snooping {enable | disable}
set igmp-snooping-querier {enable | disable}
set querier-addr <IPv4_address>
next
end
For example:
config switch vlan
edit 100
set igmp-snooping enable
set igmp-snooping-querier enable
set querier-addr 1.2.3.4
next
end
Configuring mRouter ports
Use the following commands to configure a FortiSwitch port as an mRouter port:
NOTE: These settings are not per-VLAN, so the port will act as a querier/mRouter port for all of its associated VLANs.
config switch interface
edit <port>
set igmps-flood-reports enable
set igmps-flood-traffic enable
next
end