Administration Guide

IGMP snooping

The FortiSwitch unit uses the information passed in IGMP messages to optimize the forwarding of IPv4 multicast traffic.

IGMP snooping allows the FortiSwitch unit to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. The FortiSwitch unit can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.

Essentially, IGMP snooping is a layer-2 optimization for the layer-3 IGMP.

The current version of IGMP is version 3, and the FortiSwitch unit is also compatible with IGMPv1 and IGMPv2.

Starting in FortiSwitchOS 6.4.3, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the FortiSwitch unit will send IGMP queries version 2 when no external querier is present. When the IGMP querier version 3 is configured, the FortiSwitch unit will send IGMP queries version 3 when no external querier is present. The default IGMP querier version is 2.

Here is the basic IGMP snooping operation:

  1. A host expresses interest in joining a multicast group (it sends or responds to a join message).
  2. The FortiSwitch unit creates an entry in the layer-2 forwarding table (or adds the hostʼs port to an existing entry). The switch creates one table entry per VLAN per multicast group.
  3. The FortiSwitch unit removes the entry when the last host leaves the group (or when the entry ages out).

In addition, you can configure the FortiSwitch unit to send periodic queries from all ports in a specific VLAN to request IGMP reports. The FortiSwitch unit uses the IGMP reports to update the layer-2 forwarding table.

NOTE: If you want to use IGMP snooping with an MCLAG, see Configuring an MCLAG with IGMP snooping.

Notes

When either IGMP snooping or MLD snooping is enabled in a VLAN, both unknown IPv4 and IPv6 multicast traffic, that is, unregistered multicast traffic, will share the same flooding behavior because of hardware limitations. Unregistered multicast traffic will only be forwarded to multicast IPv4 or IPv6 router ports or a switch interface with mcast-snooping-flood-traffic enabled.

If the network has both IPv4 and IPv6 IGMP/MLD hosts, you need to enable both IGMP and MLD snooping on the VLAN if snooping is required in the VLAN, or you need to disable both IGMP and MLD snooping on the VLAN if snooping is not required in the VLAN.

  • Multicast addresses with a destination of 239.x.x.x will flood within the VLAN. This issue affects the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.
  • Platforms that support MAC-based IGMP snooping might convert IGMP IP groups to MAC addresses in hardware, and sometimes the IGMP IP groups might collapse to the same MAC addresses. Even so, the maximum number of supported IGMP groups is still the maximum number of IGMP IP groups. Counting the number of IGMP IP groups allows consistency across all platforms, as well as reporting the conservative worst-case numbers. To view the maximum supported IGMP groups, use the get switch igmp-snooping status command and then check the value of the Max IGMP snooping groups field.
  • To make well-known multicast packets, such as mDNS, flood to all ports when IGMP snooping is enabled on FSR-112D-POE, you need to make the following configuration change.

    In 6.2.x through 6.4.2 GA:

    config switch igmp-snooping globals
        set flood-unknown-multicast enable
    end

    In 6.4.3 GA and later:

    config switch global
        set flood-unknown-multicast enable
    end

  • On the FS-100E series, IGMP snooping can be enabled on a maximum of 6 VLANs.
  • Enabling the set flood-unknown-multicast command and then disabling it disrupts the forwarding of unknown multicast traffic to mRouter ports for a short period, depending on the query interval, because the mRouter ports need to be relearned.
  • The IGMP groupʼs source address(es) in the IGMPv3 report are not considered.
  • The IGMP snooping entries are added based on multicast group MAC addresses.
  • When IGMP snooping is enabled on a VLAN on the FSR-112D-POE model:
    • All IPv6 multicast and any non-IP multicast are forwarded to querier ports only instead of getting flooded on the VLAN. The forwarding of IPv6 to the CPU is unchanged.
    • IPv4 reserved multicast is flooded to the VLAN and not forwarded to the CPU, even if the CPU is part of the VLAN.
    • Unregistered IPv4 multicast is forwarded to querier ports only.
    • If IPv6 multicast and/or non-IP multicast is expected to be forwarded to any ports other than querier ports, the mcast-snooping-flood-traffic setting can be enabled on the required ports.

  • Starting with FortiSwitchOS 6.4.0, when an inter-switch link (ISL) is formed automatically, the igmp-snooping-flood-reports and mcast-snooping-flood-traffic options are disabled by default.
  • Proxy reporting is not supported for IGMPv3.
  • Explicit host tracking is not supported.
  • Immediate leave for IGMPv3 is not supported.
  • Starting with FortiSwitchOS 7.0.0, the following snooping table limits apply:

    FortiSwitch Models | Snooping Table Limit (values have been rounded)
    FS-108E and FS-124E | 500
    FSR-112D-POE, FS-124F, FS-148E, FS-148F, FS-224E, FS-248D, FS-248E, FS-424D, FS-424E, FS-424E-Fiber, FS-426E, FS-448D, FS-448E | 1,000
    FS-1024D and FS-1048D | 4,000
    FS-3032D | 6,000
    FS-524D, FS-548D, FS-1024E, FS-1048E, FS-T1024E, and FS-3032E | 8,000

    The listed snooping table limits are “best case” and might not be achievable in real-world environments. With a large number of groups and high activity or high join/leave rates, it takes longer to update the hardware. The default values for IGMP snooping are adequate for most environments. For larger scales, additional tuning might be required.

    Until FortiSwitchOS 3.5.1, the table limits were hardware only. The software limit for all platforms was 8192.

  • When the IGMP proxy is enabled, the proxy report and proxy leave use the IP address 0.0.0.0. IGMP group-specific queries sent by the proxy use the internal querierʼs IP address if it is configured.

Configuring IGMP snooping

Follow these steps to configure IGMP snooping:

  1. Configuring IGMP snooping on a global level
  2. (Optional) Enabling IGMP-snooping options on the interfaces
  3. Configuring IGMP snooping on the VLANs
  4. (Optional) Checking the IGMP-snooping configuration

Configuring IGMP snooping on a global level

By default, multicast snooping entries that see no packets are kept for a maximum time (aging-time) of 300 seconds. This value can be in the range of 15-3,600 seconds. By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

Using the CLI:

config switch igmp-snooping globals
    set aging-time <15-3600>
end

config switch global
    set flood-unknown-multicast {enable | disable}
end

For example:

config switch igmp-snooping globals
    set aging-time 500
end

config switch global
    set flood-unknown-multicast enable
end

Enabling IGMP-snooping options on the interfaces

Optional. You can flood IGMP reports and flood multicast traffic on a specified switch interface. By default, these options are disabled.

Using the GUI:
  1. Go to Switch > Interfaces.
  2. Select an interface.
  3. Click Edit.
  4. Under IGMP Snooping, select Flood Reports, Flood Traffic, or both if needed.
  5. Click Update.
Using the CLI:

config switch interface
    edit <port>
        set native-vlan <vlan-id>
        set igmp-snooping-flood-reports {enable | disable}
        set mcast-snooping-flood-traffic {enable | disable}
    next
end

For example:

config switch interface
    edit port10
        set native-vlan 30
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port2
        set native-vlan 30
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port4
        set native-vlan 30
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port6
        set native-vlan 30
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
    edit port8
        set native-vlan 30
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end

Use one of the following commands to clear the learned/configured multicast groups:

  • execute clear switch igmp-snooping all

  • execute clear switch igmp-snooping group <multicast_IPv4_address>

  • execute clear switch igmp-snooping interface <interface_name>

  • execute clear switch igmp-snooping vlan <VLAN_ID>

You can combine the commands for more control.

To clear one IGMP-snooping group from one VLAN for all interfaces:

execute clear switch igmp-snooping group 1.2.3.4 100

To clear one IGMP-snooping group from one VLAN on one interface:

execute clear switch igmp-snooping group 1.2.3.4 100 port1

To clear all IGMP-snooping groups from one interface for one VLAN:

execute clear switch igmp-snooping interface port1 100

Configuring IGMP snooping on the VLANs

Enable IGMP snooping on a specified VLAN and configure IGMP static groups. By default, IGMP snooping is disabled.

You can define static groups for particular multicast addresses in a VLAN that has IGMP snooping enabled. You can specify multiple ports in the static group, separated by a space. The trunk interface can also be included in a static group. There are two restrictions for IGMP static groups:

  • The range of multicast addresses (mcast-addr) from 224.0.0.1 to 224.0.0.255 cannot be used.
  • The VLAN must already be assigned as the native VLAN for a switch interface and be included in the range of allowed VLANs for a switch interface. You can check the Physical Port Interfaces page to see which VLANs can be used for IGMP static groups.

Starting in FortiSwitchOS 6.2.0, you can also use the CLI to enable IGMP proxy, which allows the VLAN to send IGMP reports. After you enable igmp-snooping-proxy on a VLAN, it will start suppressing reports and leave messages. For each multicast group, only one report is sent to the upstream interface. When a leave message is received, the FortiSwitch unit will only send the leave message to the upstream interface when there are no more members left in the multicast group. The FortiSwitch unit will also reply to generic queries and will send IGMP reports to the upstream interface.

Starting in FortiSwitchOS 7.2.0, you can now configure an IGMP static group to ignore requests from other ports to become members. Preventing other ports from joining means that administrators control which ports receive traffic. This option is available in the GUI and CLI; it is disabled by default, which allows other ports to dynamically join.

Using the GUI:
  1. Go to Switch > VLAN.
  2. Select Add VLAN.
  3. In the ID field, enter the VLAN identifier.
  4. In the Description field, enter a description for the new VLAN.
  5. Under IGMP Snooping, select Enable.
  6. Optionally, select IGMP Proxy.
  7. Optionally, select IGMP Querier. If you select IGMP Querier, you must enter the primary server address in the Primary Server field. You can also select the IGMP-snooping querier version 2 or 3.
  8. Under IGMP Static Groups, select + to add an IGMP static group.
    NOTE: If the VLAN identifier that you entered in step 3 is not already assigned as the native VLAN for an interface and is not included in the range of allowed VLANs for an interface, the + button is not displayed.
  9. In the Name field, enter a name for the IGMP static group.
  10. In the Multicast Address field, enter the multicast address.
  11. Select the interfaces to include.
  12. Enable Ignore Reports if you want to prevent other ports from becoming members.
  13. Select Update to create the new VLAN.
Using the CLI:

config switch vlan
    edit <vlan-id>
        set igmp-snooping {enable | disable}
        set igmp-snooping-proxy {enable | disable}
        set igmp-snooping-fast-leave {enable | disable}
        config igmp-snooping-static-group
            edit <group-name>
                set mcast-addr <IPv4_multicast_address>
                set members <interface_name1> <interface_name2>...
                set ignore-reports {enable | disable}
            next
        end
    next
end

For example, to configure two static groups for the same VLAN:

config switch vlan
    edit 30
        set igmp-snooping enable
        config igmp-snooping-static-group
            edit g239-1-1-1
                set mcast-addr 239.1.1.1
                set members port2 port5 port28
                set ignore-reports enable
            next
            edit g239-2-2-2
                set mcast-addr 239.2.2.2
                set members port5 port10 trunk-1
                set ignore-reports enable
            next
        end
    next
end
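
The following check is an added example, not part of the Fortinet guide or FortiSwitchOS. It validates a static-group plan against the reserved-range restriction above and flags groups in one VLAN whose addresses map to the same multicast MAC, which the notes say can collapse together on platforms with MAC-based snooping. The plan structure, the function names, and the last three sample entries are assumptions; the IP-to-MAC mapping is the standard RFC 1112 one, and the warning about MACs shared with 224.0.0.x addresses is a general property of that mapping, not a documented FortiSwitch behavior.

```python
import ipaddress
from collections import defaultdict

# Range the page says cannot be used as mcast-addr in a static group.
RESERVED_FIRST = ipaddress.IPv4Address("224.0.0.1")
RESERVED_LAST = ipaddress.IPv4Address("224.0.0.255")


def group_mac(addr):
    """Map an IPv4 group to its Ethernet MAC: 01:00:5e + low 23 bits (RFC 1112)."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    mac = (0x01005E << 24) | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def check_static_groups(plan):
    """Return (severity, vlan, group-name(s), message) findings for a plan."""
    findings = []
    by_mac = defaultdict(list)  # (vlan, mac) -> entries sharing that MAC
    for entry in plan:
        vlan, name, addr = entry["vlan"], entry["name"], entry["mcast_addr"]
        try:
            mac = group_mac(addr)
        except ValueError as exc:
            findings.append(("error", vlan, name, str(exc)))
            continue
        ip = ipaddress.IPv4Address(addr)
        if RESERVED_FIRST <= ip <= RESERVED_LAST:
            findings.append(("error", vlan, name,
                             f"{addr} is in 224.0.0.1-224.0.0.255, not allowed"))
            continue
        low23 = int(ip) & 0x7FFFFF
        if 1 <= low23 <= 255:
            # Only 23 bits reach the MAC, so this group shares a MAC with a
            # reserved link-local address even though its IP is outside the range.
            findings.append(("warning", vlan, name,
                             f"{addr} shares MAC {mac} with reserved 224.0.0.{low23}"))
        by_mac[(vlan, mac)].append(entry)

    for (vlan, mac), entries in by_mac.items():
        addrs = sorted({e["mcast_addr"] for e in entries})
        if len(addrs) < 2:
            continue
        member_sets = {frozenset(e["members"]) for e in entries}
        severity = "warning" if len(member_sets) > 1 else "info"
        names = ", ".join(e["name"] for e in entries)
        findings.append((severity, vlan, names,
                         f"{' and '.join(addrs)} map to MAC {mac} and may collapse "
                         f"to one hardware entry"))
    return findings


# The first two entries are the page's VLAN 30 example; the rest are constructed.
SAMPLE_PLAN = [
    {"vlan": 30, "name": "g239-1-1-1", "mcast_addr": "239.1.1.1",
     "members": ["port2", "port5", "port28"]},
    {"vlan": 30, "name": "g239-2-2-2", "mcast_addr": "239.2.2.2",
     "members": ["port5", "port10", "trunk-1"]},
    {"vlan": 30, "name": "g224-129-1-1", "mcast_addr": "224.129.1.1",
     "members": ["port7"]},
    {"vlan": 30, "name": "g-mdns", "mcast_addr": "224.0.0.251",
     "members": ["port2"]},
    {"vlan": 30, "name": "g239-128-0-5", "mcast_addr": "239.128.0.5",
     "members": ["port10"]},
]

if __name__ == "__main__":
    for finding in check_static_groups(SAMPLE_PLAN):
        print(*finding, sep=" | ")
```
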

Checking the IGMP-snooping configuration

To display information about IGMP snooping:

# get switch igmp-snooping {globals | group | static-group | status}

  • globals: display the IGMP-snooping global configuration on the FortiSwitch unit
  • group: display a list of learned multicast groups
  • static-group: display the list of configured static groups
  • status: display the status of IGMP-snooping VLANs and group
To view the learned multicast groups in the GUI:

Go to Switch > Monitor > IGMP Snooping.

To view the learned multicast groups in the CLI:

FS1D243Z13000023 # get switch igmp-snooping group

Number of Groups: 7

port            of-port   VLAN   GROUP           Age
(__port__9)     1         23     231.8.5.4       16
(__port__9)     1         23     231.8.5.5       16
(__port__9)     1         23     231.8.5.6       16
(__port__9)     1         23     231.8.5.7       16
(__port__9)     1         23     231.8.5.8       16
(__port__9)     1         23     231.8.5.9       16
(__port__9)     1         23     231.8.5.10      16
(__port__43)    3         23     querier         17
(__port__14)    8         ---    flood-reports   ---
(__port__10)    2         ---    flood-traffic   ---
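
The following audit script is an added example, not part of the Fortinet guide or FortiSwitchOS. It parses the output shown above and reports querier, flood-reports, and flood-traffic rows on ports outside an expected set, since those are the ports that receive unregistered multicast or flooded reports, and it compares the group count with a snooping table limit. The names `trusted_ports`, `table_limit`, and `warn_ratio` and the 80% threshold are assumptions; take the limit from the table in the notes or from the Max IGMP snooping groups field.

```python
import re

# Output copied from the page's `get switch igmp-snooping group` example.
PAGE_OUTPUT = """\
FS1D243Z13000023 # get switch igmp-snooping group
Number of Groups: 7
port of-port VLAN GROUP Age
(__port__9) 1 23 231.8.5.4 16
(__port__9) 1 23 231.8.5.5 16
(__port__9) 1 23 231.8.5.6 16
(__port__9) 1 23 231.8.5.7 16
(__port__9) 1 23 231.8.5.8 16
(__port__9) 1 23 231.8.5.9 16
(__port__9) 1 23 231.8.5.10 16
(__port__43) 3 23 querier 17
(__port__14) 8 --- flood-reports ---
(__port__10) 2 --- flood-traffic ---
"""

COUNT = re.compile(r"^Number of Groups:\s*(\d+)$")
ROW = re.compile(
    r"^\((?P<port>[^)]+)\)\s+(?P<of_port>\d+)\s+(?P<vlan>\S+)"
    r"\s+(?P<group>\S+)\s+(?P<age>\S+)$"
)
SPECIAL = ("querier", "flood-reports", "flood-traffic")


def parse_groups(text):
    """Split the command output into learned groups and special port rows."""
    state = {"declared": None, "groups": set(),
             "querier": [], "flood-reports": [], "flood-traffic": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT.match(line)
        if m:
            state["declared"] = int(m.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue  # prompt, column header, or blank line
        kind = m["group"]
        if kind in SPECIAL:
            state[kind].append(m["port"])
        else:
            # One table entry per VLAN per multicast group, as the page describes.
            state["groups"].add((int(m["vlan"]), kind))
    return state


def audit(state, trusted_ports, table_limit, warn_ratio=0.8):
    """Return findings as (kind, detail) tuples.

    trusted_ports: ports expected to face a multicast router or another switch
    (assumption: supplied by the operator from the network design).
    """
    findings = []
    for kind in SPECIAL:
        for port in state[kind]:
            if port not in trusted_ports:
                findings.append((kind, port))
    used = state["declared"] if state["declared"] is not None else len(state["groups"])
    if used >= warn_ratio * table_limit:
        findings.append(("table-usage", f"{used}/{table_limit}"))
    return findings


if __name__ == "__main__":
    parsed = parse_groups(PAGE_OUTPUT)
    # 500 is the FS-108E/FS-124E row of the page's table, used for illustration;
    # the page does not state the model of the switch in the sample output.
    for finding in audit(parsed, {"__port__43", "__port__10"}, table_limit=500):
        print(*finding)
```
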

To display the list of configured static groups:

FS1D243Z13000023 # get switch igmp-snooping static-group

VLAN ID   Group-Name       Multicast-addr    Member-interface
_______   ______________   _______________   _________________________
11        g239-1           239:1:1:1         port6 trunk-2
11        g239-11          239:2:2:11        port26 port48 trunk-2
40        g239-1           239:1:1:1         port5 port25 trunk-2
40        g239-2           239:2:2:2         port25 port26

Configuring the IGMP querier

To use the IGMP querier, you need to configure how often IGMP queries are sent and enable the IGMP querier for a specific VLAN. By default, IGMP queries are sent every 120 seconds. You must specify the address for the IGMP querier.

To specify how many seconds are between IGMP queries:

config switch igmp-snooping globals
    set query-interval <10-1200>
end

For example:

config switch igmp-snooping globals
    set aging-time 300
    set query-interval 125
end

To enable the IGMP querier for a specific VLAN and specify the address that IGMP reports are sent to:

config switch vlan
    edit 100
        set igmp-snooping {enable | disable}
        set igmp-snooping-querier {enable | disable}
        set igmp-snooping-querier-addr <IPv4_address>
        set igmp-snooping-querier-version {2 | 3}
    next
end

For example:

config switch vlan
    edit 100
        set igmp-snooping enable
        set igmp-snooping-querier enable
        set igmp-snooping-querier-addr 1.2.3.4
        set igmp-snooping-querier-version 3
    next
end

Configuring mRouter ports

NOTE: These settings are not per-VLAN, so the port will act as a querier/mRouter port for all of its associated VLANs.

To configure a FortiSwitch port as an mRouter port:

config switch interface
    edit <port>
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end
