Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

MLD snooping

The FortiSwitch unit uses the information passed in Multicast Listener Discovery (MLD) messages to optimize the forwarding of IPv6 multicast traffic.

MLD snooping allows the FortiSwitch unit to passively listen to the MLD network traffic between hosts and multicast routers. The switch uses this information to determine which hosts are interested in receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the VLAN by pruning multicast traffic from links that do not contain a multicast listener.

FortiSwitch MLD snooping supports MLD version 1. RFC 2710 describes MLD snooping; RFC 4605 describes MLD proxy and MLD querier.

Here is the basic MLD-snooping operation:

  1. A host expresses interest in joining a multicast group. (Sends or responds to a join message).
  2. The FortiSwitch unit creates one table entry per VLAN per multicast group per port.
  3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).

In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request MLD reports. The FortiSwitch unit uses the MLD reports to update the layer-2 forwarding table.

Notes

  • Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the mRouter ports need to be relearned.
  • The MLD-snooping entries are added based on multicast group IP addresses.
  • Starting with FortiSwitchOS 7.0.0, the following snooping table limits apply:
    FortiSwitch Models Snooping Table Limit
    (values have been rounded)
    FS-1024D and FS-1048D 1,800
    FS-3032D 3,000
    FS-524D, FS-548D, and FS-3032E 6,000
    FS-1048E 8,000

    The listed snooping table limits are “best case” and might not be achievable in real-world environments. With a large number of groups and high activity or high join/leave rates, it takes longer to update the hardware. The default values for MLD snooping are adequate for most environments. For larger scales, additional tuning might be required.

Configuring MLD snooping

Configuring MLD snooping consists of the following major steps:

  1. Configuring MLD snooping on a global level
  2. (Optional) Enabling MLD-snooping options on the interfaces
  3. Configuring MLD snooping on the VLANs
  4. (Optional) Checking the MLD-snooping configuration

Configuring MLD snooping on a global level

By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300 seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

Using the CLI:

config switch mld-snooping globals

set aging-time <15-3600>

end

 

config switch global

set flood-unknown-multicast {enable | disable}

end

 

For example:

config switch mld-snooping globals

set aging-time 500

end

 

config switch global

set flood-unknown-multicast enable

end

Enabling MLD-snooping options on the interfaces

Optional. You can flood MLD reports and flood multicast traffic on a specified switch interface. By default, these options are disabled.

Using the CLI:

config switch interface

edit <port>

set native-vlan <vlan-id>

set mld-snooping-flood-reports {enable | disable}

set mcast-snooping-flood-traffic {enable | disable}

next

end

 

For example:

config switch interface

edit port10

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

edit port2

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

edit port4

set native-vlan 30

set mld-snooping-flood-reportsenable

set mcast-snooping-flood-traffic enable

next

edit port6

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

edit port8

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

end

 

Use one of the following commands to clear the learned/configured multicast groups:

  • execute clear switch mld-snooping all

  • execute clear switch mld-snooping group <multicast_IPv6_address>

  • execute clear switch mld-snooping interface <interface_name>

  • execute clear switch mld-snooping vlan <VLAN_ID>

You can combine the commands for more control.

To clear one MLD-snooping group from one VLAN for all interfaces:

execute clear switch mld-snooping group ff3f::1 100

To clear one MLD-snooping group from one VLAN on one interface:

execute clear switch mld-snooping group ff3f::1 100 port1

To clear all MLD-snooping groups from one interface for one VLAN:

execute clear switch mld-snooping interface port1 100

Configuring MLD snooping on the VLANs

Enable MLD snooping on a specified VLAN and configure MLD static groups. By default, MLD snooping is disabled.

You can define static groups for particular multicast addresses in a VLAN that has MLD snooping enabled. You can specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static group. There are two restrictions for MLD static groups:

  • The range of well-known IPv6 multicast addresses that cannot be used for static groups is FF00::/12.
  • The VLAN must already be assigned as the native VLAN for a switch interface or be included in the range of allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be used for MLD static groups.

You can also enable the MLD proxy, which allows the VLAN to send MLD reports. After you enable mld-snooping-proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit will also reply to generic queries and will send MLD reports to the upstream interface. If mld-snooping-fast-leave is disabled, the FortiSwitch unit sends a group-specific query (GSQ) when a leave message is received.

Using the CLI:

config switch vlan

edit <vlan-id>

set mld-snooping {enable |disable}

set mld-snooping-proxy {enable | disable}

config mld-snooping-static-group

edit <group-name>

set mcast-addr <IPv6_multicast_address>

set members <interface_name1> <interface_name2>...

next

end

next

end

 

For example:

config switch vlan

edit 30

set mld-snooping enable

config mld-snooping-static-group

edit g239-1-1-1

set mcast-addr FF3E::1

set members port2 port5 port28

next

end

next

end

Checking the MLD-snooping configuration

Use the following commands to display information about MLD snooping:

# get switch mld-snooping {globals | group | static-group | status}

 

  • globals: display the MLD-snooping global configuration on the FortiSwitch unit
  • group: display a list of learned multicast groups
  • static-group: display the list of configured static groups
  • status: display the status of MLD-snooping VLANs and group

Configuring the MLD querier

To use the MLD querier, you need to configure how often MLD queries are sent and enable the MLD querier for a specific VLAN. Optionally, you can specify the address for the MLD querier.

Use the following commands to specify how many seconds are between MLD queries. The default is 125 seconds.

config switch mld-snooping globals

set query-interval <10-1200>

end

 

For example:

config switch mld-snooping globals

set aging-time 150

set query-interval 200

end

 

Use the following commands to enable the MLD querier for a specific VLAN and specify the address that MLD reports are sent to:

config switch vlan

edit 100

set mld-snooping {enable | disable}

set mld-snooping-querier {enable | disable}

set mld-snooping-querier-addr <IPv6_address>

next

end

 

For example:

config switch vlan

edit 100

set mld-snooping enable

set mld-snooping-querier enable

set mld-snooping-querier-addr fe80::a5b:eff:fef1:95e5

next

end

MLD snooping

The FortiSwitch unit uses the information passed in Multicast Listener Discovery (MLD) messages to optimize the forwarding of IPv6 multicast traffic.

MLD snooping allows the FortiSwitch unit to passively listen to the MLD network traffic between hosts and multicast routers. The switch uses this information to determine which hosts are interested in receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the VLAN by pruning multicast traffic from links that do not contain a multicast listener.

FortiSwitch MLD snooping supports MLD version 1. RFC 2710 describes MLD snooping; RFC 4605 describes MLD proxy and MLD querier.

Here is the basic MLD-snooping operation:

  1. A host expresses interest in joining a multicast group. (Sends or responds to a join message).
  2. The FortiSwitch unit creates one table entry per VLAN per multicast group per port.
  3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).

In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request MLD reports. The FortiSwitch unit uses the MLD reports to update the layer-2 forwarding table.

Notes

  • Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the mRouter ports need to be relearned.
  • The MLD-snooping entries are added based on multicast group IP addresses.
  • Starting with FortiSwitchOS 7.0.0, the following snooping table limits apply:
    FortiSwitch Models Snooping Table Limit
    (values have been rounded)
    FS-1024D and FS-1048D 1,800
    FS-3032D 3,000
    FS-524D, FS-548D, and FS-3032E 6,000
    FS-1048E 8,000

    The listed snooping table limits are “best case” and might not be achievable in real-world environments. With a large number of groups and high activity or high join/leave rates, it takes longer to update the hardware. The default values for MLD snooping are adequate for most environments. For larger scales, additional tuning might be required.

Configuring MLD snooping

Configuring MLD snooping consists of the following major steps:

  1. Configuring MLD snooping on a global level
  2. (Optional) Enabling MLD-snooping options on the interfaces
  3. Configuring MLD snooping on the VLANs
  4. (Optional) Checking the MLD-snooping configuration

Configuring MLD snooping on a global level

By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300 seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

Using the CLI:

config switch mld-snooping globals

set aging-time <15-3600>

end

 

config switch global

set flood-unknown-multicast {enable | disable}

end

 

For example:

config switch mld-snooping globals

set aging-time 500

end

 

config switch global

set flood-unknown-multicast enable

end

Enabling MLD-snooping options on the interfaces

Optional. You can flood MLD reports and flood multicast traffic on a specified switch interface. By default, these options are disabled.

Using the CLI:

config switch interface

edit <port>

set native-vlan <vlan-id>

set mld-snooping-flood-reports {enable | disable}

set mcast-snooping-flood-traffic {enable | disable}

next

end

 

For example:

config switch interface

edit port10

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

edit port2

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

edit port4

set native-vlan 30

set mld-snooping-flood-reportsenable

set mcast-snooping-flood-traffic enable

next

edit port6

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

edit port8

set native-vlan 30

set mld-snooping-flood-reports enable

set mcast-snooping-flood-traffic enable

next

end

 

Use one of the following commands to clear the learned/configured multicast groups:

  • execute clear switch mld-snooping all

  • execute clear switch mld-snooping group <multicast_IPv6_address>

  • execute clear switch mld-snooping interface <interface_name>

  • execute clear switch mld-snooping vlan <VLAN_ID>

You can combine the commands for more control.

To clear one MLD-snooping group from one VLAN for all interfaces:

execute clear switch mld-snooping group ff3f::1 100

To clear one MLD-snooping group from one VLAN on one interface:

execute clear switch mld-snooping group ff3f::1 100 port1

To clear all MLD-snooping groups from one interface for one VLAN:

execute clear switch mld-snooping interface port1 100

Configuring MLD snooping on the VLANs

Enable MLD snooping on a specified VLAN and configure MLD static groups. By default, MLD snooping is disabled.

You can define static groups for particular multicast addresses in a VLAN that has MLD snooping enabled. You can specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static group. There are two restrictions for MLD static groups:

  • The range of well-known IPv6 multicast addresses that cannot be used for static groups is FF00::/12.
  • The VLAN must already be assigned as the native VLAN for a switch interface or be included in the range of allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be used for MLD static groups.

You can also enable the MLD proxy, which allows the VLAN to send MLD reports. After you enable mld-snooping-proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit will also reply to generic queries and will send MLD reports to the upstream interface. If mld-snooping-fast-leave is disabled, the FortiSwitch unit sends a group-specific query (GSQ) when a leave message is received.

Using the CLI:

config switch vlan

edit <vlan-id>

set mld-snooping {enable |disable}

set mld-snooping-proxy {enable | disable}

config mld-snooping-static-group

edit <group-name>

set mcast-addr <IPv6_multicast_address>

set members <interface_name1> <interface_name2>...

next

end

next

end

 

For example:

config switch vlan

edit 30

set mld-snooping enable

config mld-snooping-static-group

edit g239-1-1-1

set mcast-addr FF3E::1

set members port2 port5 port28

next

end

next

end

Checking the MLD-snooping configuration

Use the following commands to display information about MLD snooping:

# get switch mld-snooping {globals | group | static-group | status}

 

  • globals: display the MLD-snooping global configuration on the FortiSwitch unit
  • group: display a list of learned multicast groups
  • static-group: display the list of configured static groups
  • status: display the status of MLD-snooping VLANs and group

Configuring the MLD querier

To use the MLD querier, you need to configure how often MLD queries are sent and enable the MLD querier for a specific VLAN. Optionally, you can specify the address for the MLD querier.

Use the following commands to specify how many seconds are between MLD queries. The default is 125 seconds.

config switch mld-snooping globals

set query-interval <10-1200>

end

 

For example:

config switch mld-snooping globals

set aging-time 150

set query-interval 200

end

 

Use the following commands to enable the MLD querier for a specific VLAN and specify the address that MLD reports are sent to:

config switch vlan

edit 100

set mld-snooping {enable | disable}

set mld-snooping-querier {enable | disable}

set mld-snooping-querier-addr <IPv6_address>

next

end

 

For example:

config switch vlan

edit 100

set mld-snooping enable

set mld-snooping-querier enable

set mld-snooping-querier-addr fe80::a5b:eff:fef1:95e5

next

end