FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lcamilo
Staff
Staff
Article Id 280526
Description

 

This article describes how to configure the FortiGate as an IGMP querier on a FortiSwitch-managed topology.

Similar steps can be followed when configuring an IGMP querier on a physical interface without having a Managed FortiSwitch involved. 

This will make the FortiGate's Interface into an active IGMP querier sending packets periodically on the VLAN or interface and populating its multicast routing table.  

 

Scope

 

FortiGate, FortiSwitch.

 

Solution

 

Enable multicast routing on the FortiGate:

 

enable_multicast_forward.png

 

There is no need to configure Static Rendezvous Points. Skip that step and leave the option blank. 
Under 'interfaces', Select Create a new Multicast Interface

 

mcast_interface.png

 

Select the VLAN interface child of the Fortilink LAG interface. The PIM will be set as 'passive' later, so there is no need to worry about the PIM mode, DR Priority, or RP Candidate. However, the DR priority needs to be filled in: set it to a value of '1'.

Next, select the proper IGMP version. In this example, IGMPv2 is selected as the application works with v2. 

Select OK, then Apply the multicast settings. 

 

Apply_changes.png

 

Next, set the VLAN interface that was just created as a passive PIM interface so it does not send any PIM messages, but still sends the IGMP queries. 

 

config router multicast
    set multicast-routing enable

    config interface
        edit "vlan_10"
            set pim-mode sparse-mode
            set passive enable

            config igmp
                set version 2
            end
        next
    end
end

 

If it is necessary to enable the IGMP querier on other VLANs, repeat the steps and create multiple interfaces under the multicast settings. Remember to set them as 'passive'. 

 

Next, it is necessary to enable certain IGMP options on the VLAN itself to ensure everything runs smoothly.

 

config system interface
    edit "vlan_10"
        set ip 172.17.0.1 255.255.255.0
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
        set switch-controller-igmp-snooping-fast-leave enable
        set vlanid 10
    next
end

 

 

The options above are synchronized to all FortiSwitches in the topology under 'show switch vlan'.

Next, make sure flood unknown multicast is disabled so the switches will ONLY forward unmapped multicast groups to the mrouter interface

 

config switch-controller igmp-snooping
    set flood-unknown-multicast disable
end

 

 

Conclusion: 

 

By applying the configuration above, the FortiGate's VLAN interface will be used as an IGMP querier on FortiSwitch managed infrastructure, and the IGMP discovered data will be synchronized to downstream Switches so they can efficiently forward multicast packets only to ports and interfaces mapped specifically to that group, thereby reducing network overhead. 

 

Keep in mind that this option causes the FortiGate to receive ALL Multicast traffic. This is expected behavior when setting FortiGate up as an IGMP querier. 

 

Troubleshooting: 

Make sure the interface has the IGMP enabled, is Active, is a Querier, and is using a valid IGMP version. 

If the interface does not have the 'Querier' status as shown below, there is a chance that there is another IGMP querier on this VLAN as described in Troubleshooting Tip: FortiGate interface changes its state from IGMP querier to non-querier.

 

igmp_interface.png

 

Next, see if FortiGate's IGMP table is being populated with the multicast groups associated with the right VLAN. 

 

igmp_groups.png

 

It is possible to query all managed Switches from the FortiGate to see how they are populating their table in the hierarchy. 

It will be necessary to make sure the FlInK1_MLAG0 and FlInK1_ICL0 are 'queriers', and also that they are flooding reports and traffic as shown below. 

The Output below is truncated as it is too long on this topology, so only the interesting ones will be added

The same can be checked from each FortiSwitch with 'get switch igmp-snooping group'.

 

igmp_core_switches.png

 

On the Core Switches, we can see the interface directly connected to the Fortigate (FGVM04xxxx) as an IGMP querier. The multicast groups learned from the downstream trunk interfaces which should provide some traceability.

 

igmp_tier2_switches.png

 

 Further down in the topology, The upstream direction as MCLAG0 will be visible and downstream connections as tier3-D. 

 

igmp_tier3_switch.png

 

From switches immediately connected to the multicast client, the interface is connected (port5) and the multicast groups are interested in listening. 

 

Debugging:

By enabling verbose debugging, it is possible to get to the specific details of what is happening behind the decisions taken by the process. 

It is strongly recommended to run a packet capture alongside the debugs as it is necessary to review each packet's details. 

 

On the FortiGate:

 

diagnose ip router igmp all enable
diagnose ip router igmp level info
diagnose debug enable

NSM: [IGMP-EVENTS] Querier Timer: Exipry on vlan_10
NSM: [IGMP-ENCODE] IGMP Enc Hdr: IGMP Membership Query Checksum=61083, MsgLen=8
NSM: [IGMP-ENCODE] Send Gen Query: Sent General Query on vlan_10, ret=32
NSM: [IGMP-DECODE] Dec Msg: IGMP Membership Query, Max. Rsp. Code 100
NSM: [IGMP-DECODE] Dec Msg: IGMP V2 Membership Report, Max. Rsp. Code 0
NSM: [IGMP-DECODE] Dec V2 Report: Grp 239.255.255.250 on vlan_10

 

On the FortiSwitch: 

 

diag debug application mcast-snooping -1
diag debug enable

Received message type IGMP_HOST_MEMBERSHIP_QUERY port2 vlan10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
mrouter port found port 102
mrouter (ver 2) exisits on port 102, reset timer
mcast_add_mrouter: received GQ on vlan 10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
process_igmp_query: Processing GQ on vlan 10 version 2
querier_selection: vlan 10 pkt ver 2 pkt querier src ip 172.17.0.1 cfg ver 2, cfg querier ip 0.0.0.0, current external querier ip 172.17.0.1
querier_selection: reset timer: vlan 10 ver 2: current querier ip 172.17.0.1
multicast snooping mrouter on port2(2) vlan10

Received message type IGMP_HOST_MEMBERSHIP_QUERY port8 vlan10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
mrouter port found port 101
mrouter (ver 2) exisits on port 101, reset timer
mcast_add_mrouter: received GQ on vlan 10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
process_igmp_query: Processing GQ on vlan 10 version 2
querier_selection: vlan 10 pkt ver 2 pkt querier src ip 172.17.0.1 cfg ver 2, cfg querier ip 0.0.0.0, current external querier ip 172.17.0.1
querier_selection: reset timer: vlan 10 ver 2: current querier ip 172.17.0.1
multicast snooping mrouter on port8(8) vlan10
igmp_query_get_sendingport: port-map:0
mcast_flood_query: Flood Query on vlan_id =10, port-map:0
mclag pkt on port 3 vlan=10

 

Below are some examples of sniffer filters that can be used to capture IGMP and multicast packets:

 

diag sniffer packet <interface or any> "proto 2" 4 0 l
diag sniffer packet <interface or any> "dst host 224.0.0.252" 4 0 l
diag sniffer packet <interface or any> "net 224.0.0.0/4" 4 0 l

 

Related documents:

Troubleshooting Tip: FortiGate interface changes its state from IGMP Querier to Non-Querier.

Deploying MCLAG topologies.

Configuring IGMP-snooping settings.