Devices Managed by FortiOS

Configuring IGMP-snooping settings

You need to configure global IGMP-snooping settings and IGMP-snooping settings on a FortiSwitch unit before configuring the IGMP-snooping proxy and IGMP-snooping querier.

NOTE: You cannot use IGMP snooping when network access control (NAC) has been enabled globally with set mode global under the config switch-controller nac-settings command.

Configuring global IGMP-snooping settings

Use the following commands to configure the global IGMP-snooping settings.

Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.

The flood-unknown-multicast setting controls whether the system will flood unknown multicast messages within the VLAN.

    config switch-controller igmp-snooping
        set aging-time <15-3600>
        set flood-unknown-multicast {enable | disable}
    end

Configuring IGMP-snooping settings on a switch

IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmps-flood-reports and igmps-flood-traffic options are disabled by default.

Use the following commands to configure IGMP settings on a FortiSwitch port:

    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set igmps-flood-reports {enable | disable}
                    set igmps-flood-traffic {enable | disable}
                end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config ports
                edit port3
                    set igmps-flood-reports enable
                    set igmps-flood-traffic enable
                end
        end

Configuring the IGMP-snooping proxy

Before FortiOS 7.0.2, you could use the CLI to enable IGMP proxy on a system-wide basis. Starting in FortiOS 7.0.2, you can use the CLI to enable IGMP proxy per FortiSwitch unit.

By default, IGMP snooping is disabled. You need to enable IGMP snooping on the FortiGate device before you can enable the IGMP-snooping proxy.

To enable IGMP snooping and the IGMP-snooping proxy:

    config system interface
        edit <VLAN_interface>
            set switch-controller-igmp-snooping enable
            set switch-controller-igmp-snooping-proxy enable
        next
    end

For example, you can enable IGMP snooping and the IGMP-snooping proxy on VLAN 100:

    config system interface
        edit vlan100
            set switch-controller-igmp-snooping enable
            set switch-controller-igmp-snooping-proxy enable
        next
    end

Configuring the IGMP-snooping querier

Starting in FortiOS 7.0.2, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the managed FortiSwitch unit will send IGMP version-2 queries when no external querier is present. When the IGMP querier version 3 is configured, the managed FortiSwitch unit will send IGMP version-3 queries when no external querier is present.

If you have IGMP snooping and the IGMP-snooping proxy enabled on a VLAN, you can then configure the IGMP-snooping querier on the same VLAN on a managed switch. By default, the IGMP-snooping querier is disabled.

You must enable the overriding of the global IGMP-snooping configuration with the set local-override enable command.

By default, multicast snooping entries that receive no packets are kept for a maximum time (aging-time) of 300 seconds. This value can be in the range of 15-3,600 seconds.

By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

The IGMP-snooping proxy uses the global IGMP-snooping configuration by default. You can enable or disable the IGMP-snooping on the VLAN.

You can optionally specify the IPv4 address that IGMP reports are sent to. You can also set the IGMP-snooping querier version. The default IGMP querier version is 2.

    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config igmp-snooping
                set local-override enable
                set aging-time <15-3600>
                set flood-unknown-multicast {enable | disable}
                config vlans
                    edit <VLAN_interface>
                        set proxy {disable | enable | global}
                        set querier enable
                        set querier-addr <IPv4_address>
                        set version {2 | 3}
                    next
                end
            end
        end

For example:

    config switch-controller managed-switch
        edit S524DF4K15000024
            config igmp-snooping
                set local-override enable
                set aging-time 1000
                set flood-unknown-multicast enable
                config vlans
                    edit vlan100
                        set proxy disable
                        set querier enable
                        set querier-addr 1.2.3.4
                        set version 3
                    next
                end
            end
        end
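The rules in this section can be checked mechanically before a change is pushed. The following is an added example, not Fortinet code: a Python check that reads FortiOS-style configuration text and reports an aging-time outside 15-3600, flood-unknown-multicast enabled, a querier configured without local-override, and a querier on a VLAN whose interface does not have IGMP snooping and the IGMP-snooping proxy enabled. The function names, the minimal parser and the sample text are constructed for illustration, and the check assumes the whole FortiGate configuration is passed in.

```python
def parse(text):
    """Flatten FortiOS-style CLI text into {path: {setting: value}}."""
    stack, out = [], {}
    for line in text.splitlines():
        tok = line.replace('"', "").split() or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end") and stack:
            if stack[-1][0] == "edit":  # both keywords close an open edit
                stack.pop()
            if tok[0] == "end" and stack:  # "end" also closes the table
                stack.pop()
        elif tok[0] == "set" and len(tok) > 2 and stack:
            path = tuple(name for _, name in stack)
            out.setdefault(path, {})[tok[1]] = " ".join(tok[2:])
    return out

def audit(text):
    cfg, out = parse(text), []
    for path, s in cfg.items():
        where = " > ".join(path)
        if path[-1].endswith("igmp-snooping"):  # global or per-switch block
            age = s.get("aging-time")
            if age and not (age.isdigit() and 15 <= int(age) <= 3600):
                out.append(f"{where}: aging-time {age} outside 15-3600")
            if s.get("flood-unknown-multicast") == "enable":
                out.append(f"{where}: unregistered multicast goes to all VLAN ports")
        if len(path) == 5 and path[3] == "vlans" and s.get("querier") == "enable":
            if cfg.get(path[:3], {}).get("local-override") != "enable":
                out.append(f"{where}: querier without local-override enable")
            iface = cfg.get(("system interface", path[4]), {})
            for key in ("switch-controller-igmp-snooping", "switch-controller-igmp-snooping-proxy"):
                if iface.get(key) != "enable":
                    out.append(f"{where}: {key} not enabled on {path[4]}")
    return out

# Constructed sample: no interface block, no local-override, flooding enabled.
SAMPLE = """
config switch-controller managed-switch
    edit S524DF4K15000024
        config igmp-snooping
            set flood-unknown-multicast enable
            config vlans
                edit vlan100
                    set querier enable
                end
        end
    end
"""
```

Calling audit(SAMPLE) returns four findings: the flooding setting, the missing local-override, and the two interface prerequisites that are absent for vlan100.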
