MLD snooping

The FortiSwitch unit uses the information passed in Multicast Listener Discovery (MLD) messages to optimize the forwarding of IPv6 multicast traffic.

MLD snooping allows the FortiSwitch unit to passively listen to the MLD network traffic between hosts and multicast routers. The switch uses this information to determine which hosts are interested in receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the VLAN by pruning multicast traffic from links that do not contain a multicast listener.

FortiSwitch MLD snooping supports MLD version 1. RFC 2710 describes MLD snooping; RFC 4605 describes MLD proxy and MLD querier.

Here is the basic MLD-snooping operation:

  1. A host expresses interest in joining a multicast group (it sends or responds to a join message).
  2. The FortiSwitch unit creates one table entry per VLAN per multicast group per port.
  3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).

In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request MLD reports. The FortiSwitch unit uses the MLD reports to update the layer-2 forwarding table.

Notes

  • Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the mRouter ports need to be relearned.
  • The MLD-snooping entries are added based on multicast group IP addresses.
  • IGMP snooping and MLD snooping share the same lookup table. Starting with FortiSwitchOS 6.4.5, the following snooping table limits apply:
    | FortiSwitch models | Snooping table limit |
    | --- | --- |
    | FSR-112D-POE | 4,096 |
    | FSR-124D, FS-2xxD, FS-2xxE, FS-4xxD, FS-4xxE, FS-M426E-FPOE | 1,024 |
    | FS-124E, FS-124F, and FS-108E | 1,024 |
    | FS-148E and FS-148F | 4,096 |
    | FS-5xx | 8,192 (IGMP snooping) and 6,144 (MLD snooping) |
    | FS-1048E | 8,192 |

Configuring MLD snooping

Configuring MLD snooping consists of the following major steps:

  1. Configure MLD snooping on a global level.
  2. Optional. Enable MLD-snooping options on the interfaces.
  3. Configure MLD snooping on the VLANs.

1. Configure MLD snooping on a global level

By default, multicast snooping entries that receive no packets are kept for a maximum of 300 seconds (aging-time). This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

Using the CLI:

config switch mld-snooping globals
    set aging-time <15-3600>
end

config switch global
    set flood-unknown-multicast {enable | disable}
end

For example:

config switch mld-snooping globals
    set aging-time 500
end

config switch global
    set flood-unknown-multicast enable
end

2. Enable MLD-snooping options on the interfaces

Optional. You can flood MLD reports and flood multicast traffic on a specified switch interface. By default, these options are disabled.

Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan-id>
        set mld-snooping-flood-reports {enable | disable}
        set mcast-snooping-flood-traffic {enable | disable}
    next
end

For example:

config switch interface
    edit port10
        set native-vlan 30
        set mld-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port2
        set native-vlan 30
        set mld-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port4
        set native-vlan 30
        set mld-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port6
        set native-vlan 30
        set mld-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port8
        set native-vlan 30
        set mld-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end

Use the following command to clear the learned/configured multicast group from an interface:

execute clear switch mld-snooping

3. Configure MLD snooping on the VLANs

Enable MLD snooping on a specified VLAN and configure MLD static groups. By default, MLD snooping is disabled.

You can define static groups for particular multicast addresses in a VLAN that has MLD snooping enabled. You can specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static group. There are two restrictions for MLD static groups:

  • The range of well-known IPv6 multicast addresses that cannot be used for static groups is FF00::/12.
  • The VLAN must already be assigned as the native VLAN for a switch interface or be included in the range of allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be used for MLD static groups.

You can also enable the MLD proxy, which allows the VLAN to send MLD reports. After you enable mld-snooping-proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit will also reply to generic queries and will send MLD reports to the upstream interface. If mld-snooping-fast-leave is disabled, the FortiSwitch unit sends a group-specific query (GSQ) when a leave message is received.

Using the CLI:

config switch vlan
    edit <vlan-id>
        set mld-snooping {enable | disable}
        set mld-snooping-proxy {enable | disable}
        config mld-snooping-static-group
            edit <group-name>
                set mcast-addr <IPv6_multicast_address>
                set members <interface_name1> <interface_name2>...
            next
        end
    next
end

For example:

config switch vlan
    edit 30
        set mld-snooping enable
        config mld-snooping-static-group
            edit g239-1-1-1
                set mcast-addr FF3E::1
                set members port2 port5 port28
            next
        end
    next
end
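An offline check of a saved configuration for the settings covered in steps 1 to 3: the flood options and the FF00::/12 static-group restriction. This is an added example, not part of the Fortinet documentation; the `audit` function, the simplified handling of `config`/`edit`/`next`/`end` nesting, and the sample configuration are assumptions made for illustration.

```python
import ipaddress

RESERVED = ipaddress.ip_network("ff00::/12")  # page: not usable for static groups
FLOOD_KEYS = {"flood-unknown-multicast", "mld-snooping-flood-reports",
              "mcast-snooping-flood-traffic"}

def audit(config_text):
    """Return (scope, message) findings for MLD-snooping settings (hypothetical helper)."""
    stack, findings = [], []  # stack of open ("config" | "edit", name) scopes
    for line in config_text.splitlines():
        verb, *args = line.split() or [""]
        if verb in ("config", "edit"):
            stack.append((verb, " ".join(args)))
        elif verb == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif verb == "end":  # close the innermost "config" and any edit left open
            while stack and stack.pop()[0] != "config":
                pass
        elif verb == "set" and len(args) >= 2:
            scope = " / ".join(name for _, name in stack)
            key, value = args[:2]
            if key in FLOOD_KEYS and value == "enable":
                findings.append((scope, f"{key} is enabled; confirm flooding is intended"))
            elif key == "mcast-addr":
                try:
                    addr = ipaddress.IPv6Address(value)
                    bad = not addr.is_multicast or addr in RESERVED
                except ValueError:  # not an IPv6 address at all
                    bad = True
                if bad:
                    findings.append((scope, f"mcast-addr {value} not usable for static groups"))
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE = """\
config switch global
    set flood-unknown-multicast enable
end
config switch vlan
    edit 30
        config mld-snooping-static-group
            edit bad-group
                set mcast-addr ff02::1
            next
        end
    next
end
"""

print(*audit(SAMPLE), sep="\n")
```

Each finding carries the nested scope it was found in, so a flood option on a single port is reported separately from the global flood-unknown-multicast setting.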

Check the MLD-snooping configuration

Use the following commands to display information about MLD snooping:

# get switch mld-snooping {globals | group | static-group | status}

  • globals: display the MLD-snooping global configuration on the FortiSwitch unit
  • group: display a list of learned multicast groups
  • static-group: display the list of configured static groups
  • status: display the status of MLD-snooping VLANs and group

Configuring the MLD querier

To use the MLD querier, you need to configure how often MLD queries are sent and enable the MLD querier for a specific VLAN. Optionally, you can specify the address for the MLD querier.

Use the following commands to specify how many seconds are between MLD queries. The default is 125 seconds.

config switch mld-snooping globals
    set query-interval <10-1200>
end

For example:

config switch mld-snooping globals
    set aging-time 150
    set query-interval 200
end

Use the following commands to enable the MLD querier for a specific VLAN and specify the address that MLD reports are sent to:

config switch vlan
    edit 100
        set mld-snooping {enable | disable}
        set mld-snooping-querier {enable | disable}
        set mld-snooping-querier-addr <IPv6_address>
    next
end

For example:

config switch vlan
    edit 100
        set mld-snooping enable
        set mld-snooping-querier enable
        set mld-snooping-querier-addr fe80::a5b:eff:fef1:95e5
    next
end
