High traffic on the FortiSwitch can lead to high CPU and memory usage, especially with multicast or broadcast traffic.

Refer to these articles for more information:

• Technical Tip: Investigate high CPU usage on FortiSwitch
• Troubleshooting Tip: FortiSwitch high memory usage troubleshooting guide
• Troubleshooting Tip: IGMP Snooping not working on FortiSwitch

How to identify if multicast traffic is causing high CPU:

• Check the top processes.

FortiSwitch# fnsysctl top    (ctrl+c to stop)

207 1 0 RN 52984 11% 0 86% /bin/igmpsnoopingd    <-  igmp-snooping process is going high which signifies multicast packets.

FortiSwitch# diag sys top-sockmem   

igmpsnoopingd (207): 1487kB

FortiSwitch# fnsysctl top -n 3 -d 3 -b     (ctrl+c to stop)

PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
207 1 0 RN 52984 11% 0 100% /bin/igmpsnoopingd

• Once the identified multicast traffic is causing a high CPU on FortiSwitch, collect a sniffer on the internal interface to check the multicast IP address and what port the multicast address is hitting.

FortiSwitch# diagnose sniffer packet any "" 6 0 a

2024-09-16 11:49:07.369289 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -&gt; 224.0.0.251.5353: udp 915

2024-09-16 11:49:07.579764 internal in 10.11.12.149.56710 -&gt; 239.255.255.249.1900: udp 175

As seen in the above output,  239.x.x.x and 224.x.x.x multicast addresses hitting the FortiSwitch on vlan1 port1.

Note that there is a limitation with 1xxF FortiSwitch: Multicast addresses with a destination of 239.x.x.x will flood within the VLAN. This issue affects the FortiSwitch-124F, FortiSwitch-124F-POE, FortiSwitch-124F-FPOE, FortiSwitch-148F, FortiSwitch-148F-POE, and FortiSwitch-148F-FPOE models.

Refer to this document: IGMP snooping.

Refer to bug_id=0987504

• Collect mcast application debug to verify.
  
  

FortiSwitch# diagnose debug application mcast-snooping -1

FortiSwitch# diag debug console timestamp enable

FortiSwitch# diag debug enable

Received message type IGMP_HOST_MEMBERSHIP_QUERY port1 vlan1
igmp_query_get_sendingport: port-map:1ffffffffffff4
mcast_flood_query: Flood Query on vlan_id =1, port-map:1ffffffffffff4

The above output shows igmp/multicast query hitting port1 on vlan1.

Disable the debug after 10 minutes.

FortiSwitch# diag debug disable

FortiSwitch# diag debug reset

Actions to take:

• Enable igmp-snooping on vlan1.
• Once identified which multicast address is causing the issue, use ACL to drop the multicast packets on the FortiSwitch uplink port (in this example, it is port1) as a workaround and avoid using 239.x.x.x multicast address in the network if FortiSwitch 1xxF are deployed.
  
  

FortiSwitch# config switch acl ingress
    edit 2
        config action
            set count enable
            set drop enable
        end
        config classifier
            set dst-ip-prefix 224.0.0.0 255.0.0.0
        end
        set ingress-interface "port1"
    next
    edit 3
        config action
            set count enable
            set drop enable
        end
        config classifier
            set dst-ip-prefix 239.0.0.0 255.0.0.0
        end
        set ingress-interface "port1"
    next
end

In cases with FortiSwitches Managed by FortiGate, use a custom command to push the configuration to the FortiSwitches. For example:

config switch-controller custom-command
    edit "igmp"
        set command "config switch acl ingress %0a edit 2 %0a config action %0a set count enable %0a set drop enable %0a end %0a config classifier %0a set dst-ip-prefix 224.0.0.0 255.0.0.0 %0a end %0a set ingress-interface-all enable %0a next %0a edit 3 %0a config action %0a set count enable %0a set drop enable %0a end %0a config classifier %0a set dst-ip-prefix 239.0.0.0 255.0.0.0 %0a end %0a set ingress-interface-all enable %0a next %0a end %0a"
end

config switch-controller managed-switch

    edit <FortiSwitch name>

        config custom-command

            edit 1

                set command-name igmp

        end

end