Configuring IGMP-snooping settings
You need to configure global IGMP-snooping settings and IGMP-snooping settings on a FortiSwitch unit before configuring the IGMP-snooping proxy and IGMP-snooping querier.
You cannot use IGMP snooping when network access control (NAC) has been enabled on a global scale with |
This section covers the following topics:
- Configuring global IGMP-snooping settings
- Configuring IGMP-snooping settings on a switch
- Configuring the IGMP-snooping proxy
- Configuring the IGMP-snooping querier
Configuring global IGMP-snooping settings
Use the following commands to configure the global IGMP-snooping settings.
Aging time is the maximum number of seconds that the system will retain a multicast snooping entry. Enter an integer value from 15 to 3600. The default value is 300.
The flood-unknown-multicast setting controls whether the system will flood unknown multicast messages within the VLAN.
Starting in FortiOS 7.0.8, use the FortiOS CLI to specify how often the managed FortiSwitch unit will send IGMP version-2 queries when the IGMP-snooping querier is configured. By default, queries are sent every 125 seconds. The value for aging-time must be greater than the value for query-interval.
config switch-controller igmp-snooping
    set aging-time <15-3600>
    set flood-unknown-multicast {enable | disable}
    set query-interval <10-1200>
end
Configuring IGMP-snooping settings on a switch
IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
NOTE: When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmp-snooping-flood-reports and mcast-snooping-flood-traffic options are disabled by default.
Use the following commands to configure IGMP settings on a FortiSwitch port:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set igmp-snooping-flood-reports {enable | disable}
                set mcast-snooping-flood-traffic {enable | disable}
            end
        end
For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        config ports
            edit port3
                set igmp-snooping-flood-reports enable
                set mcast-snooping-flood-traffic enable
            end
        end
Configuring the IGMP-snooping proxy
Before FortiOS 7.0.2, you could use the CLI to enable IGMP proxy on a system-wide basis. Starting in FortiOS 7.0.2, you can use the CLI to enable IGMP proxy per FortiSwitch unit.
By default, IGMP snooping is disabled. You need to enable IGMP snooping on the FortiGate device before you can enable the IGMP-snooping proxy.
To enable IGMP snooping and the IGMP-snooping proxy:
config system interface
    edit <VLAN_interface>
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
    next
end
For example, you can enable IGMP snooping and the IGMP-snooping proxy on VLAN 100:
config system interface
    edit vlan100
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
    next
end
Configuring the IGMP-snooping querier
Starting in FortiOS 7.0.2, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the managed FortiSwitch unit will send IGMP version-2 queries when no external querier is present. When the IGMP querier version 3 is configured, the managed FortiSwitch unit will send IGMP version-3 queries when no external querier is present.
If you have IGMP snooping and the IGMP-snooping proxy enabled on a VLAN, you can then configure the IGMP-snooping querier on the same VLAN on a managed switch. By default, the IGMP-snooping querier is disabled.
You must enable the overriding of the global IGMP-snooping configuration with the set local-override enable command.
By default, multicast snooping entries without any packets are kept for a maximum time (aging-time) of 300 seconds. This value can be in the range of 15-3,600 seconds.
By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.
The IGMP-snooping proxy uses the global IGMP-snooping configuration by default. You can enable or disable the IGMP-snooping on the VLAN.
You can optionally specify the IPv4 address that IGMP reports are sent to. You can also set the IGMP-snooping querier version. The default IGMP querier version is 2.
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config igmp-snooping
            set local-override enable
            set aging-time <15-3600>
            set flood-unknown-multicast {enable | disable}
            config vlans
                edit <VLAN_interface>
                    set proxy {disable | enable | global}
                    set querier enable
                    set querier-addr <IPv4_address>
                    set version {2 | 3}
                next
            end
        end
    end
For example:
config switch-controller managed-switch
    edit S524DF4K15000024
        config igmp-snooping
            set local-override enable
            set aging-time 1000
            set flood-unknown-multicast enable
            config vlans
                edit vlan100
                    set proxy disable
                    set querier enable
                    set querier-addr 1.2.3.4
                    set version 3
                next
            end
        end
    end
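The constraints stated for the global settings (value ranges, aging-time greater than query-interval) and for the per-switch override (local-override, flood-unknown-multicast) can be checked against a configuration backup before it is pushed. The following is an added example, not Fortinet code: the parser, the function names and the SAMPLE text are constructed for illustration, and only the ranges, defaults and setting names come from this page.

```python
# Ranges and defaults below are the ones stated on this page.
GLOBAL, LOCAL = "config switch-controller igmp-snooping", "config igmp-snooping"

def parse(text):
    """Map each config/edit path to the 'set' values found under it."""
    stack, out = [], {}
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] in ("config", "edit"):
            stack.append(" ".join(words))
        elif words[0] in ("next", "end"):
            if stack and stack[-1].startswith("edit "):
                stack.pop()          # leave the current table entry
            if words[0] == "end" and stack:
                stack.pop()          # 'end' also closes the enclosing config
        elif words[0] == "set" and len(words) >= 3:
            out.setdefault(tuple(stack), {})[words[1]] = " ".join(words[2:])
    return out

def check(text):
    """Return findings for the global and per-switch igmp-snooping blocks."""
    findings = []
    for path, kv in parse(text).items():
        if path[-1] not in (GLOBAL, LOCAL):
            continue
        where = " > ".join(path)
        aging = int(kv.get("aging-time", 300))
        if not 15 <= aging <= 3600:
            findings.append(f"{where}: aging-time {aging} outside 15-3600")
        if path[-1] == GLOBAL:
            query = int(kv.get("query-interval", 125))
            if not 10 <= query <= 1200:
                findings.append(f"{where}: query-interval {query} outside 10-1200")
            if aging <= query:
                findings.append(f"{where}: aging-time {aging} must exceed query-interval {query}")
        elif kv.get("local-override") != "enable":
            findings.append(f"{where}: per-switch values set without local-override enable")
        if kv.get("flood-unknown-multicast") == "enable":
            findings.append(f"{where}: unknown multicast is flooded to all ports in the VLAN")
    return findings

# Constructed sample input (not taken from a real device).
SAMPLE = "\n".join([
    "config switch-controller igmp-snooping", "set aging-time 120",
    "set flood-unknown-multicast enable", "set query-interval 125", "end",
    "config switch-controller managed-switch", "edit S524DF4K15000024",
    "config igmp-snooping", "set aging-time 1000", "end", "next", "end"])

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)))
```

The constructed sample yields three findings: the global aging-time of 120 does not exceed the query-interval of 125, unknown multicast flooding is enabled globally, and the per-switch block sets aging-time without local-override.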