|
High traffic on the FortiSwitch can lead to high CPU and memory usage, especially with multicast or broadcast traffic.
Refer to these articles for more information:
How to identify if multicast traffic is causing high CPU:
FortiSwitch# fnsysctl top (ctrl+c to stop)
207 1 0 RN 52984 11% 0 86% /bin/igmpsnoopingd <- igmp-snooping process is going high which signifies multicast packets.
FortiSwitch# diag sys top-sockmem
igmpsnoopingd (207): 1487kB
FortiSwitch# fnsysctl top -n 3 -d 3 -b (ctrl+c to stop)
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
207 1 0 RN 52984 11% 0 100% /bin/igmpsnoopingd
- Once the identified multicast traffic is causing a high CPU on FortiSwitch, collect a sniffer on the internal interface to check the multicast IP address and what port the multicast address is hitting.
FortiSwitch# diagnose sniffer packet any "" 6 0 a
2024-09-16 11:49:07.369289 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -> 224.0.0.251.5353: udp 915
2024-09-16 11:49:07.579764 internal in 10.11.12.149.56710 -> 239.255.255.249.1900: udp 175
As seen in the above output, 239.x.x.x and 224.x.x.x multicast addresses hitting the FortiSwitch on vlan1 port1.
Note that there is a limitation with 1xxF FortiSwitch: Multicast addresses with a destination of 239.x.x.x will flood within the VLAN. This issue affects the FortiSwitch-124F, FortiSwitch-124F-POE, FortiSwitch-124F-FPOE, FortiSwitch-148F, FortiSwitch-148F-POE, and FortiSwitch-148F-FPOE models.
Refer to this document: IGMP snooping.
Refer to bug_id=0987504
- Collect mcast application debug to verify.
FortiSwitch# diagnose debug application mcast-snooping -1
FortiSwitch# diag debug console timestamp enable
FortiSwitch# diag debug enable
Received message type IGMP_HOST_MEMBERSHIP_QUERY port1 vlan1
igmp_query_get_sendingport: port-map:1ffffffffffff4
mcast_flood_query: Flood Query on vlan_id =1, port-map:1ffffffffffff4
The above output shows igmp/multicast query hitting port1 on vlan1.
Disable the debug after 10 minutes.
FortiSwitch# diag debug disable
FortiSwitch# diag debug reset
Actions to take:
- Enable igmp-snooping on vlan1.
- Once identified which multicast address is causing the issue, use ACL to drop the multicast packets on the FortiSwitch uplink port (in this example, it is port1) as a workaround and avoid using 239.x.x.x multicast address in the network if FortiSwitch 1xxF are deployed.
FortiSwitch# config switch acl ingress
edit 2
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 224.0.0.0 255.0.0.0
end
set ingress-interface "port1"
next
edit 3
config action
set count enable
set drop enable
end
config classifier
set dst-ip-prefix 239.0.0.0 255.0.0.0
end
set ingress-interface "port1"
next
end
In cases with FortiSwitches Managed by FortiGate, use a custom command to push the configuration to the FortiSwitches. For example:
config switch-controller custom-command
edit "igmp"
set command "config switch acl ingress %0a edit 2 %0a config action %0a set count enable %0a set drop enable %0a end %0a config classifier %0a set dst-ip-prefix 224.0.0.0 255.0.0.0 %0a end %0a set ingress-interface-all enable %0a next %0a edit 3 %0a config action %0a set count enable %0a set drop enable %0a end %0a config classifier %0a set dst-ip-prefix 239.0.0.0 255.0.0.0 %0a end %0a set ingress-interface-all enable %0a next %0a end %0a"
end
config switch-controller managed-switch
edit <FortiSwitch name>
config custom-command
edit 1
set command-name igmp
end
end
|
