Support IGMP Snooping (Wireless) 6.4.3

Enabling IGMP snooping on an SSID allows the wireless controller to detect which FortiAPs have IGMP clients. The wireless controller then forwards a multicast stream only to the FortiAPs that have a listener for the multicast group.

IGMP snooping on an SSID can prevent WiFi clients/hosts from receiving traffic for a multicast group they have not explicitly joined. Upon detecting the clients' multicast group IDs, FortiAPs join the corresponding multicast groups, and the controller sends multicast packets only to the CAPWAP multicast groups. Thus, the controller can prune multicast traffic from managed FortiAPs that do not have a multicast listener (an IGMP client).

The feature applies where FortiGate and FortiWiFi manage several FortiAP units that broadcast the same SSID with IGMP snooping enabled, and both multicast and non-multicast clients are associated with that SSID.

To enable or disable IGMP snooping in the CLI:

    config wireless-controller vap
        edit "test"
            set igmp-snooping {enable | disable}
        next
    end

To debug IGMP snooping:

    diagnose wireless-controller wlac -c vap-mcgrp

Example

In the example below, the VAP named smart_test (IGMP snooping enabled) is applied to two FortiAPs, FAP U-223 and FAP-423E. In our test scenario, a multicast server is on the wired side, and the multicast hosts are connected to VAP smart_test, beaconing from FAP-423E.

Note that there are no multicast clients for smart_test connected to FAPU223E. The multicast stream address used in the test is 235.1.1.1; the other addresses that appear in the multicast table output are well-known multicast addresses.

To view hosts receiving the multicast traffic in the CLI:
  1. Debug IGMP snooping:
    # diagnose wireless-controller wlac -c ws
    -------------------------------WTP SESSION    1----------------------------
    WTP session             : 0-39.1.1.2:5246    CWAS_RUN
    Ctrl in_ifIdx       : 14/port6
    indev          : 14/port6
    Data in_ifIdx       : 14/port6
    indev          : 0/
    mesh uplink         : ethernet
    id                  : PU223ETF18003869
    mgmt_vlanid         : 0
    wtp_wanlan_mode     : wan-only
    refcnt              : 9
    deleted             : no
    plain_ctl           : disabled
    wtp-mode            : normal
    wtp-report-index    : 2
    data-chan-sec       : clear-text
    ctl-msg-offload     : ac=01ff/wtp_loc=01ff/wtp_rem=01ff/oper=01ff
    session_id          : 19aa6b160c33edae329053a0259fd02b
    ehapd cfg           : done
    message queue       : 0/128 max 100
    tId_10_sec          : 177810
    Ekahau              : disabled
    Aeroscout           : disabled
    FortiPresence       : disabled
    Radio 1            : AP
    wlan cfg            : smart_test
    vap-01(1)         : smart_test       00:0c:e6:6e:dd:65   lsw              smart_test       Config success State RUN
    Radio 2            : AP
    wlan cfg            : smart_test
    vap-01(1)         : smart_test       00:0c:e6:6e:dd:71   lsw              smart_test       Config success State RUN
    Radio 3            : Not Exist
    Radio 4            : Not Exist
    Radio 5            : Not Exist
    -------------------------------WTP SESSION    2----------------------------
    WTP session             : 0-15.5.5.1:5246    CWAS_RUN
    Ctrl in_ifIdx       : 97/vlan55
    indev          : 97/vlan55
    Data in_ifIdx       : 97/vlan55
    indev          : 0/
    mesh uplink         : ethernet
    id                  : FP423E3X17000357
    mgmt_vlanid         : 55
    wtp_wanlan_mode     : wan-only
    refcnt              : 9
    deleted             : no
    plain_ctl           : disabled
    wtp-mode            : normal
    wtp-report-index    : 6
    data-chan-sec       : clear-text
    ctl-msg-offload     : ac=01ff/wtp_loc=01ff/wtp_rem=01ff/oper=01ff
    session_id          : 1425837710fd85f132fc718424a514f0
    ehapd cfg           : done
    message queue       : 0/128 max 18
    tId_10_sec          : 177811
    Ekahau              : disabled
    Aeroscout           : disabled
    FortiPresence       : disabled
    Radio 1            : AP
    wlan cfg            : smart_test
    vap-01(1)         : smart_test       90:6c:ac:fa:9a:38   lsw              smart_test       Config success State RUN
    Radio 2            : AP
    wlan cfg            : smart_test
    vap-01(1)         : smart_test       90:6c:ac:fa:9a:40   lsw              smart_test       Config success State RUN
    Radio 3            : Virtual Lan AP
    wlan cfg            :
    Radio 4            : Not Exist
    Radio 5            : Not Exist
  2. When the hosts join the multicast group through FAP-423E, FortiGate registers the hosts that are to receive the multicast traffic, as shown by the CLI debug output below:
    90672.765 cwAcUpd_vsp_mcgrp_event: mcast group report from FP423E3X17000357 radio 0 wlan 0.
    90672.765 cwAc_mcgrp_sta_add6: sta 50:1a:c5:e9:0b:b3 add ff02::1:ff53:c177
    90672.766 cwAc_mcgrp_vap_add6: wtp FP423E3X17000357 radio 0 wlan 0 bssid 90:6c:ac:fa:9a:38 add ff02::1:ff53:c177
    90673.449 cwAcUpd_vsp_mcgrp_event: mcast group report from FP423E3X17000357 radio 0 wlan 0.
    90673.449 cwAc_mcgrp_sta_add4: sta 50:1a:c5:e9:0b:b3 add 224.0.0.252
    90673.449 cwAc_mcgrp_vap_add4: wtp FP423E3X17000357 radio 0 wlan 0 bssid 90:6c:ac:fa:9a:38 add 224.0.0.252
    90673.450 cwAcUpd_vsp_mcgrp_event: mcast group report from FP423E3X17000357 radio 0 wlan 0.
  3. The FortiAP output shows in detail the hosts that are receiving the multicast traffic.
    FortiAP-423E # cw_diag -c mcgrp 
    Interface wlan00:
        IPv4 mcast group: total 2
            224.0.0.252
            239.255.255.250
        STA 50:1a:c5:e9:0b:b3 mcast group: total 2
            224.0.0.252
            239.255.255.250
        IPv6 mcast group: total 1
            ff02::1:ff53:c177
        STA 50:1a:c5:e9:0b:b3 mcast group: total 1
            ff02::1:ff53:c177
    Interface wlan10:
        IPv4 mcast group: total 4
            235.1.1.1
            239.255.255.250
            235.80.68.83
            239.83.100.109
        STA 58:00:e3:98:d1:c7 mcast group: total 3
            239.255.255.250
            235.80.68.83
            239.83.100.109
        STA d4:53:83:79:28:66 mcast group: total 1
            235.1.1.1
        IPv6 mcast group: total 3
            ff02::1:ff79:2866
            ff02::1:ff84:e0f6
            ff02::1:ff7d:1760
        STA 58:00:e3:98:d1:c7 mcast group: total 1
            ff02::1:ff84:e0f6
        STA 68:e7:c2:df:2f:df mcast group: total 1
            ff02::1:ff7d:1760
        STA d4:53:83:79:28:66 mcast group: total 1
            ff02::1:ff79:2866
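
The following Python code is an added example, not part of the Fortinet documentation. It parses output in the `cw_diag -c mcgrp` format shown in step 3, lists which stations joined a given group (for instance the test stream 235.1.1.1), and reports any section whose `total N` disagrees with the entries listed. The sample input is constructed from the output above, and the names `parse_mcgrp` and `listeners` are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the `cw_diag -c mcgrp` format shown above (trimmed).
SAMPLE = """\
Interface wlan00:
    IPv4 mcast group: total 1
        239.255.255.250
    STA 50:1a:c5:e9:0b:b3 mcast group: total 1
        239.255.255.250
Interface wlan10:
    IPv4 mcast group: total 2
        235.1.1.1
        239.255.255.250
    STA 58:00:e3:98:d1:c7 mcast group: total 1
        239.255.255.250
    STA d4:53:83:79:28:66 mcast group: total 1
        235.1.1.1
    IPv6 mcast group: total 1
        ff02::1:ff79:2866
    STA d4:53:83:79:28:66 mcast group: total 1
        ff02::1:ff79:2866
"""

HEADER = re.compile(r"(?:(IPv[46])|STA ([0-9a-f:]{17})) mcast group: total (\d+)")

def parse_mcgrp(text):
    """Return (sections, mismatches); a section is [iface, owner, declared, groups]."""
    sections, iface = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Interface "):
            iface = line[len("Interface "):].rstrip(":")
        elif (m := HEADER.fullmatch(line)):
            sections.append([iface, m.group(2) or m.group(1), int(m.group(3)), []])
        else:
            try:
                addr = ipaddress.ip_address(line)
            except ValueError:
                continue  # CLI prompt or other non-address text
            if sections and addr.is_multicast:
                sections[-1][3].append(str(addr))
    # A declared total that differs from the listed entries means truncated output.
    return sections, [s for s in sections if s[2] != len(s[3])]

def listeners(sections, group):
    """Stations (iface, MAC) that joined `group`; interface-level rows are skipped."""
    want = str(ipaddress.ip_address(group))
    return sorted({(s[0], s[1]) for s in sections if want in s[3] and ":" in s[1]})
```

Comparing the `listeners` result for a stream against the stations expected to receive it shows whether any other client on the SSID has joined the group.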
