This article describes how to configure the FortiGate as an IGMP querier on a FortiSwitch-managed topology.
Similar steps can be followed when configuring an IGMP querier on a physical interface without having a Managed FortiSwitch involved.
This makes the FortiGate's interface an active IGMP querier that periodically sends queries on the VLAN or interface and populates the FortiGate's multicast routing table.
Scope: FortiGate, FortiSwitch.
Enable multicast routing on the FortiGate:
There is no need to configure Static Rendezvous Points. Skip that step and leave the option blank.
Under 'Interfaces', select Create a new multicast interface.
Select the VLAN interface that is a child of the FortiLink LAG interface. PIM will be set to 'passive' later, so the PIM mode, DR Priority, and RP Candidate fields do not matter here. The DR Priority field must still be filled in: set it to '1'.
Next, select the proper IGMP version. In this example, IGMPv2 is selected as the application works with v2.
Select OK, then Apply the multicast settings.
Next, set the VLAN interface that was just created as a passive PIM interface so it does not send any PIM messages, but still sends the IGMP queries.
config router multicast
    set multicast-routing enable
    config interface
        edit "vlan_10"
            set pim-mode sparse-mode
            set passive enable
            config igmp
                set version 2
            end
        next
    end
end
If it is necessary to enable the IGMP querier on other VLANs, repeat the steps and create multiple interfaces under the multicast settings. Remember to set them as 'passive'.
Next, enable the IGMP snooping options on the VLAN interface itself so that the managed FortiSwitches snoop, proxy, and fast-leave IGMP on that VLAN.
config system interface
    edit "vlan_10"
        set ip 172.17.0.1 255.255.255.0
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
        set switch-controller-igmp-snooping-fast-leave enable
        set vlanid 10
    next
end
The options above are synchronized to all FortiSwitches in the topology and can be verified on each switch with 'show switch vlan'.
Next, make sure flooding of unknown multicast is disabled so the switches will ONLY forward unmapped multicast groups to the mrouter interface:
config switch-controller igmp-snooping
    set flood-unknown-multicast disable
end
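As an added check that is not part of the original article, the following Python snippet parses a FortiOS CLI dump in the nested 'config/edit/set/next/end' form used above and reports any interface under 'config router multicast' that is not passive or does not use the expected IGMP version, as well as a 'flood-unknown-multicast' setting that is not disabled. The SAMPLE_CONFIG is constructed for the example (vlan_20 deliberately lacks the passive and IGMP settings) and the parser is a hypothetical helper, not a Fortinet tool.

```python
# Constructed sample (vlan_20 deliberately lacks 'set passive enable' and 'config igmp').
SAMPLE_CONFIG = """
config router multicast
    set multicast-routing enable
    config interface
        edit "vlan_10"
            set passive enable
            config igmp
                set version 2
            end
        next
        edit "vlan_20"
        next
    end
end
config switch-controller igmp-snooping
    set flood-unknown-multicast disable
end
"""

def parse_fortios(text):
    """Turn FortiOS config/edit/set/next/end text into nested dicts."""
    root, stack = {}, []
    node = root
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith(("config ", "edit ")):
            key = line.split(None, 1)[1].strip('"')  # 'router multicast', 'vlan_10'
            stack.append(node)
            node = node.setdefault(key, {})
        elif line.startswith("set "):
            parts = line.split(None, 2)  # set <name> <value...>
            node[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif line in ("next", "end"):
            node = stack.pop()
    return root

def audit_igmp_querier(text, version="2"):
    """Check the settings this article requires; an empty list means compliant."""
    cfg, findings = parse_fortios(text), []
    mcast = cfg.get("router multicast", {})
    if mcast.get("multicast-routing") != "enable":
        findings.append("multicast-routing is not enabled")
    for name, intf in mcast.get("interface", {}).items():
        if intf.get("passive") != "enable":
            findings.append(f"{name}: PIM is not passive, so it will send PIM messages")
        if intf.get("igmp", {}).get("version") != version:
            findings.append(f"{name}: IGMP version is not {version}")
    if cfg.get("switch-controller igmp-snooping", {}).get("flood-unknown-multicast") != "disable":
        findings.append("flood-unknown-multicast is not disabled")
    return findings
```

Feed it the output of 'show router multicast' and 'show switch-controller igmp-snooping' concatenated to audit a live unit.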
Conclusion:
By applying the configuration above, the FortiGate's VLAN interface will be used as an IGMP querier on FortiSwitch managed infrastructure, and the IGMP discovered data will be synchronized to downstream Switches so they can efficiently forward multicast packets only to ports and interfaces mapped specifically to that group, thereby reducing network overhead.
Keep in mind that this option causes the FortiGate to receive ALL Multicast traffic. This is expected behavior when setting FortiGate up as an IGMP querier.
Troubleshooting:
Make sure the interface has the IGMP enabled, is Active, is a Querier, and is using a valid IGMP version.
If the interface does not have the 'Querier' status as shown below, there is a chance that there is another IGMP querier on this VLAN as described in Troubleshooting Tip: FortiGate interface changes its state from IGMP querier to non-querier.
Next, see if FortiGate's IGMP table is being populated with the multicast groups associated with the right VLAN.
It is possible to query all managed Switches from the FortiGate to see how they are populating their table in the hierarchy.
Make sure that FlInK1_MLAG0 and FlInK1_ICL0 are 'queriers' and that they are flooding reports and traffic, as shown below.
The output below is truncated because it is too long for this topology, so only the relevant entries are included.
The same can be checked from each FortiSwitch with 'get switch igmp-snooping group'.
On the core switches, the interface directly connected to the FortiGate (FGVM04xxxx) is shown as an IGMP querier. The multicast groups are learned from the downstream trunk interfaces, which provides some traceability.
Further down in the topology, the upstream direction is visible as MCLAG0 and the downstream connections as tier3-D.
On the switches immediately connected to the multicast client, the port the client is connected to (port5) and the multicast groups it is interested in listening to are visible.
Debugging:
By enabling verbose debugging, it is possible to see the specific details behind the decisions taken by the process.
It is strongly recommended to run a packet capture alongside the debugs, as it is necessary to review each packet's details.
On the FortiGate:
diagnose ip router igmp all enable
diagnose ip router igmp level info
diagnose debug enable
NSM: [IGMP-EVENTS] Querier Timer: Exipry on vlan_10
NSM: [IGMP-ENCODE] IGMP Enc Hdr: IGMP Membership Query Checksum=61083, MsgLen=8
NSM: [IGMP-ENCODE] Send Gen Query: Sent General Query on vlan_10, ret=32
NSM: [IGMP-DECODE] Dec Msg: IGMP Membership Query, Max. Rsp. Code 100
NSM: [IGMP-DECODE] Dec Msg: IGMP V2 Membership Report, Max. Rsp. Code 0
NSM: [IGMP-DECODE] Dec V2 Report: Grp 239.255.255.250 on vlan_10
On the FortiSwitch:
diag debug application mcast-snooping -1
diag debug enable
Received message type IGMP_HOST_MEMBERSHIP_QUERY port2 vlan10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
mrouter port found port 102
mrouter (ver 2) exisits on port 102, reset timer
mcast_add_mrouter: received GQ on vlan 10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
process_igmp_query: Processing GQ on vlan 10 version 2
querier_selection: vlan 10 pkt ver 2 pkt querier src ip 172.17.0.1 cfg ver 2, cfg querier ip 0.0.0.0, current external querier ip 172.17.0.1
querier_selection: reset timer: vlan 10 ver 2: current querier ip 172.17.0.1
multicast snooping mrouter on port2(2) vlan10
Received message type IGMP_HOST_MEMBERSHIP_QUERY port8 vlan10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
mrouter port found port 101
mrouter (ver 2) exisits on port 101, reset timer
mcast_add_mrouter: received GQ on vlan 10
get_igmp_query_version: tot_len 32, ihl 6, len 8 version = 2
process_igmp_query: Processing GQ on vlan 10 version 2
querier_selection: vlan 10 pkt ver 2 pkt querier src ip 172.17.0.1 cfg ver 2, cfg querier ip 0.0.0.0, current external querier ip 172.17.0.1
querier_selection: reset timer: vlan 10 ver 2: current querier ip 172.17.0.1
multicast snooping mrouter on port8(8) vlan10
igmp_query_get_sendingport: port-map:0
mcast_flood_query: Flood Query on vlan_id =10, port-map:0
mclag pkt on port 3 vlan=10
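As an added example that is not part of the original article, the following Python snippet parses both sides of the debug output shown above: from the FortiGate 'NSM: [IGMP-...]' lines it extracts which VLANs sent a General Query and which groups were reported on each; from the FortiSwitch 'mcast-snooping' lines it extracts the elected querier and mrouter port per VLAN and flags any VLAN whose current querier is not the FortiGate's VLAN address (the symptom of a competing querier described under Troubleshooting). The sample lines are constructed from the format above; vlan 20 and the address 172.17.0.250 are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the debug output above; on vlan 20 the
# switch has elected a querier that is not the FortiGate's VLAN address.
FGT_DEBUG = """\
NSM: [IGMP-ENCODE] Send Gen Query: Sent General Query on vlan_10, ret=32
NSM: [IGMP-DECODE] Dec V2 Report: Grp 239.255.255.250 on vlan_10
NSM: [IGMP-DECODE] Dec V2 Report: Grp 239.1.1.1 on vlan_10
"""
FSW_DEBUG = """\
Received message type IGMP_HOST_MEMBERSHIP_QUERY port2 vlan10
querier_selection: reset timer: vlan 10 ver 2: current querier ip 172.17.0.1
multicast snooping mrouter on port2(2) vlan10
Received message type IGMP_HOST_MEMBERSHIP_QUERY port8 vlan20
querier_selection: reset timer: vlan 20 ver 2: current querier ip 172.17.0.250
multicast snooping mrouter on port8(8) vlan20
"""

QUERY_RE = re.compile(r"Sent General Query on (\S+),")
REPORT_RE = re.compile(r"Dec V\d Report: Grp (\S+) on (\S+)")
SELECT_RE = re.compile(r"querier_selection: reset timer: vlan (\d+) ver (\d+): current querier ip (\S+)")
MROUTER_RE = re.compile(r"multicast snooping mrouter on (\w+)\(\d+\) vlan(\d+)")

def summarize_fortigate(log):
    """FortiGate side: VLANs that sent a General Query and the groups reported on each."""
    queried, groups = set(), defaultdict(set)
    for line in log.splitlines():
        if m := QUERY_RE.search(line):
            queried.add(m.group(1))
        elif m := REPORT_RE.search(line):
            groups[m.group(2)].add(m.group(1))
    return queried, dict(groups)

def check_fortiswitch(log, expected):
    """FortiSwitch side: elected querier and mrouter port per VLAN, plus an alert for
    every VLAN whose current querier differs from expected[vlan] (the FortiGate IP)."""
    queriers, mrouters, alerts = {}, {}, []
    for line in log.splitlines():
        if m := SELECT_RE.search(line):
            vlan, _ver, ip = m.groups()
            queriers[vlan] = ip
            if ip != expected.get(vlan):
                alerts.append(f"vlan {vlan}: querier is {ip}, expected {expected.get(vlan)}")
        elif m := MROUTER_RE.search(line):
            mrouters[m.group(2)] = m.group(1)
    return queriers, mrouters, alerts
```

Run it over the saved output of the two debug sessions above; an alert means another device is winning the querier election on that VLAN and should be located before the snooping tables are trusted.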
Below are some examples of sniffer filters that can be used to capture IGMP and multicast packets:
diag sniffer packet <interface or any> "proto 2" 4 0 l
diag sniffer packet <interface or any> "dst host 224.0.0.252" 4 0 l
diag sniffer packet <interface or any> "net 224.0.0.0/4" 4 0 l
Related documents:
Troubleshooting Tip: FortiGate interface changes its state from IGMP Querier to Non-Querier.