MLD snooping
The FortiSwitch unit uses the information passed in Multicast Listener Discovery (MLD) messages to optimize the forwarding of IPv6 multicast traffic.
MLD snooping allows the FortiSwitch unit to passively listen to the MLD network traffic between hosts and multicast routers. The switch uses this information to determine which hosts are interested in receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the VLAN by pruning multicast traffic from links that do not contain a multicast listener.
FortiSwitch MLD snooping supports MLD version 1. RFC 2710 describes MLD snooping; RFC 4605 describes MLD proxy and MLD querier.
Here is the basic MLD-snooping operation:
- A host expresses interest in joining a multicast group (it sends or responds to a join message).
- The FortiSwitch unit creates one table entry per VLAN per multicast group per port.
- The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).
In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request MLD reports. The FortiSwitch unit uses the MLD reports to update the layer-2 forwarding table.
Notes
- When either IGMP snooping or MLD snooping is enabled in a VLAN, both unknown IPv4 and IPv6 multicast traffic (that is, unregistered multicast traffic) share the same flooding behavior because of hardware limitations. Unregistered multicast traffic is forwarded only to multicast IPv4 or IPv6 router ports or to a switch interface with
- If the network has both IPv4 and IPv6 IGMP/MLD hosts, you need to enable both IGMP and MLD snooping on the VLAN if snooping is required in the VLAN, or disable both IGMP and MLD snooping on the VLAN if snooping is not required in the VLAN.
- Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the mRouter ports need to be relearned.
- The MLD-snooping entries are added based on multicast group IP addresses.
- Starting with FortiSwitchOS 7.0.0, the following snooping table limits apply (values have been rounded):

  FortiSwitch Models                    Snooping Table Limit
  FS-1024D and FS-1048D                 1,800
  FS-3032D                              3,000
  FS-524D, FS-548D, and FS-3032E        6,000
  FS-1024E, FS-1048E, and FS-T1024E     8,000

  The listed snooping table limits are "best case" and might not be achievable in real-world environments. With a large number of groups and high activity or high join/leave rates, it takes longer to update the hardware. The default values for MLD snooping are adequate for most environments. For larger scales, additional tuning might be required.
Configuring MLD snooping
Configuring MLD snooping consists of the following major steps:
- Configuring MLD snooping on a global level
- (Optional) Enabling MLD-snooping options on the interfaces
- Configuring MLD snooping on the VLANs
- (Optional) Checking the MLD-snooping configuration
Configuring MLD snooping on a global level
By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is 300 seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.
Using the CLI:
config switch mld-snooping globals
set aging-time <15-3600>
end
config switch global
set flood-unknown-multicast {enable | disable}
end
For example:
config switch mld-snooping globals
set aging-time 500
end
config switch global
set flood-unknown-multicast enable
end
Enabling MLD-snooping options on the interfaces
Optional. You can flood MLD reports and flood multicast traffic on a specified switch interface. By default, these options are disabled.
Using the CLI:
config switch interface
edit <port>
set native-vlan <vlan-id>
set mld-snooping-flood-reports {enable | disable}
set mcast-snooping-flood-traffic {enable | disable}
next
end
For example:
config switch interface
edit port10
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port2
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port4
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port6
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
edit port8
set native-vlan 30
set mld-snooping-flood-reports enable
set mcast-snooping-flood-traffic enable
next
end
Use one of the following commands to clear the learned/configured multicast groups:
- execute clear switch mld-snooping all
- execute clear switch mld-snooping group <multicast_IPv6_address>
- execute clear switch mld-snooping interface <interface_name>
- execute clear switch mld-snooping vlan <VLAN_ID>
You can combine the commands for more control.
To clear one MLD-snooping group from one VLAN for all interfaces:
execute clear switch mld-snooping group ff3f::1 100
To clear one MLD-snooping group from one VLAN on one interface:
execute clear switch mld-snooping group ff3f::1 100 port1
To clear all MLD-snooping groups from one interface for one VLAN:
execute clear switch mld-snooping interface port1 100
Configuring MLD snooping on the VLANs
Enable MLD snooping on a specified VLAN and configure MLD static groups. By default, MLD snooping is disabled.
You can define static groups for particular multicast addresses in a VLAN that has MLD snooping enabled. You can specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static group. There are two restrictions for MLD static groups:
- The range of well-known IPv6 multicast addresses that cannot be used for static groups is FF00::/12.
- The VLAN must already be assigned as the native VLAN for a switch interface or be included in the range of allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be used for MLD static groups.
You can also enable the MLD proxy, which allows the VLAN to send MLD reports. After you enable mld-snooping-proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit will also reply to generic queries and will send MLD reports to the upstream interface. If mld-snooping-fast-leave is disabled, the FortiSwitch unit sends a group-specific query (GSQ) when a leave message is received.
Starting in FortiSwitchOS 7.2.0, you can now configure an MLD static group to ignore requests from other ports to become members. Preventing other ports from joining means that administrators control which ports receive traffic. This option is available in the CLI; it is disabled by default, which allows other ports to dynamically join.
Using the GUI:
1. Go to Switch > VLAN.
2. Click Add VLAN.
3. In the ID field, enter the VLAN identifier.
4. In the Description field, enter a description for the new VLAN.
5. In the MLD Snooping area, select Enable.
6. Optionally, select MLD Proxy.
7. Optionally, select MLD Querier. If you select MLD Querier, you must enter the querier address in the Querier Address field.
   NOTE: The querier address cannot be an IPv6 multicast or loopback address.
8. In the MLD Static Groups area, select + to add an MLD static group.
   NOTE: If the VLAN identifier that you entered in step 3 is not already assigned as the native VLAN for an interface and is not included in the range of allowed VLANs for an interface, the + button is not displayed.
9. In the Name field, enter a name for the MLD static group.
10. In the Multicast Address field, enter the multicast address.
    NOTE: The multicast address cannot be a reserved multicast address (ff0x::).
11. Select the interfaces to include.
12. Enable Ignore Reports if you want to prevent other ports from becoming members.
13. Select Add to create the new VLAN.
Using the CLI:
config switch vlan
edit <vlan-id>
set mld-snooping {enable | disable}
set mld-snooping-fast-leave {enable | disable}
set mld-snooping-querier {enable | disable}
set mld-snooping-querier-addr <IPv6_MLD_querier_address>
set mld-snooping-proxy {enable | disable}
config mld-snooping-static-group
edit <group-name>
set mcast-addr <IPv6_multicast_address>
set members <interface_name1> <interface_name2>...
set ignore-reports {enable | disable}
next
end
next
end
For example:
config switch vlan
edit 30
set mld-snooping enable
set mld-snooping-fast-leave enable
set mld-snooping-querier enable
set mld-snooping-querier-addr 2001::1
set mld-snooping-proxy disable
config mld-snooping-static-group
edit g239-1-1-1
set mcast-addr FF3E::1
set members port2 port5 port28
set ignore-reports enable
next
end
next
end
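The restrictions above (static-group addresses outside FF00::/12, member ports that actually carry the VLAN, a unicast querier address, and the 15-3,600 / 10-1,200 second timer ranges) can be checked before a configuration is pushed. The following is an added example, not FortiSwitchOS code; the vlans_on_port mapping is an assumption constructed for the example and must be populated from your own switch inventory.

```python
import ipaddress

# Constraints stated in the FortiSwitch MLD-snooping documentation above.
WELL_KNOWN_MCAST = ipaddress.IPv6Network("ff00::/12")  # not usable for static groups
AGING_TIME_RANGE = (15, 3600)      # set aging-time
QUERY_INTERVAL_RANGE = (10, 1200)  # set query-interval


def check_static_group(mcast_addr, members, vlan_id, vlans_on_port):
    """Return the problems found with one MLD static group (empty list = valid).

    vlans_on_port maps interface name -> set of VLAN IDs the port carries
    (native VLAN plus allowed VLANs). The mapping is an assumption of this
    example; build it from your own inventory, FortiSwitchOS does not expose it."""
    problems = []
    try:
        addr = ipaddress.IPv6Address(mcast_addr)
    except ValueError:
        return [f"{mcast_addr!r} is not a valid IPv6 address"]
    if not addr.is_multicast:
        problems.append(f"{addr} is not an IPv6 multicast address")
    elif addr in WELL_KNOWN_MCAST:
        problems.append(f"{addr} is a well-known multicast address (ff00::/12)")
    if not members:
        problems.append("a static group needs at least one member interface")
    for port in members:
        if vlan_id not in vlans_on_port.get(port, set()):
            problems.append(f"VLAN {vlan_id} is not native or allowed on {port}")
    return problems


def check_querier_addr(querier_addr):
    """The querier address must be unicast: neither multicast nor loopback."""
    addr = ipaddress.IPv6Address(querier_addr)
    if addr.is_multicast or addr.is_loopback:
        return [f"{addr} cannot be the MLD querier address"]
    return []


def check_globals(aging_time, query_interval):
    """Range-check the two timers from 'config switch mld-snooping globals'."""
    problems = []
    if not AGING_TIME_RANGE[0] <= aging_time <= AGING_TIME_RANGE[1]:
        problems.append(f"aging-time {aging_time} outside {AGING_TIME_RANGE}")
    if not QUERY_INTERVAL_RANGE[0] <= query_interval <= QUERY_INTERVAL_RANGE[1]:
        problems.append(f"query-interval {query_interval} outside {QUERY_INTERVAL_RANGE}")
    return problems


# Constructed sample inventory: port2 and port5 carry VLAN 30, port28 only VLAN 40.
SAMPLE_PORTS = {"port2": {30}, "port5": {30, 40}, "port28": {40}}
```

Run check_static_group("FF3E::1", ["port2", "port5", "port28"], 30, SAMPLE_PORTS) against the sample inventory and it flags port28, which matches the GUI behaviour of hiding the + button for a VLAN the interface does not carry.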
Checking the MLD-snooping configuration
Use the following commands to display information about MLD snooping:
# get switch mld-snooping {globals | group | static-group | status}
- globals: display the MLD-snooping global configuration on the FortiSwitch unit
- group: display a list of learned multicast groups
- static-group: display the list of configured MLD static groups
- status: display the status of MLD-snooping VLANs and groups
Configuring the MLD querier
To use the MLD querier, you need to configure how often MLD queries are sent and enable the MLD querier for a specific VLAN. You must specify the address for the MLD querier.
To specify how many seconds are between MLD queries (the default is 125 seconds):
config switch mld-snooping globals
set query-interval <10-1200>
end
For example:
config switch mld-snooping globals
set aging-time 150
set query-interval 200
end
To enable the MLD querier for a specific VLAN and specify the address that MLD reports are sent to:
config switch vlan
edit 100
set mld-snooping {enable | disable}
set mld-snooping-querier {enable | disable}
set mld-snooping-querier-addr <IPv6_address>
next
end
For example:
config switch vlan
edit 100
set mld-snooping enable
set mld-snooping-querier enable
set mld-snooping-querier-addr fe80::a5b:eff:fef1:95e5
next
end