Windows NLB Exchange 2013 Multicast or IGMP Multicast thru FGT & FortiSwitches [SOLVED]

DevinderSharma

Hi Members,

I see a few posts partially around this subject, but no real solution arrived at in them. We need to move a customer from Cisco infrastructure to a cluster of two FortiGates (active/passive) and 6 FortiSwitches, and they have an Exchange 2013 cluster of two members. The equipment is on its way, so I don't have any way to test at my end. I am just going through documentation or doing Google searches.

The current Cisco solution has a static ARP entry for the Exchange cluster virtual IP address pointing to its multicast MAC address, something like:

arp 192.168.10.50 03bf.ac20.141e arpa
mac address-table static 03bf.ac20.141e vlan 10 interface GigabitEthernet1/11 GigabitEthernet1/12 GigabitEthernet1/47 GigabitEthernet1/48

By default IGMP snooping is on in both the L3 and L2 stacks, and the L3 switch (a stack of two) has the IGMP querier set up:

ip igmp snooping querier
vlan configuration 10
 ip igmp snooping querier address 192.168.10.1

Will something like the following on the FortiGate firewall LAN interface correctly set up this static ARP entry?

config system arp-table
    edit 1
        set interface "internal"
        set ip 192.168.10.50
        set mac 03:bf:ac:20:14:1e
    next
end

And is there such an option available on the FortiGate-managed FortiSwitches?

And for the FortiGate to act as IGMP querier:

config router multicast
    set multicast-routing enable
    config interface
        edit "internal"
            set pim-mode sparse-mode
            config igmp
                set version 2
            end
        next
    end
end

Since this is an old and common technique used for Microsoft clustering, I am hoping many of you have done this with FortiGates and FortiSwitches, so any advice will be much appreciated.

DevinderSharma

Further to my post, I believe the following will be needed on the FortiGate for the managed FortiSwitches.

config switch-controller igmp-snooping
    set flood-unknown-multicast enable
end
config switch-controller managed-switch
    edit "Sxxxxxx"
        config static-mac
            edit 1
                set type static
                set mac 03:bf:ac:20:14:1e
                set interface "port3"
            next
            edit 2
                set type static
                set mac 03:bf:ac:20:14:1e
                set interface "port4"
            next
        end
        config ports
            edit "port3"
                set igmp-snooping enable
                set igmps-flood-reports enable
            next
            edit "port4"
                set igmp-snooping enable
                set igmps-flood-reports enable
            next
        end
    next
end

Thanks

DevinderSharma

Some versions of Cisco switches (like Nexus) and HPE switches have the option to include multicast when adding the MAC address to the table for the ports:

mac address-table multicast 03bf.ac20.141e vlan 10 interface Ethernet1/11 Ethernet1/12 Ethernet1/47 Ethernet1/48

Do we need any change accordingly in the FortiGate for the switches to add the MAC address if it is a multicast address?

Thanks

DevinderSharma

Since the FortiSwitches managed by a FortiGate are all treated as different switches and not as a stack, can we do cross-switch LACP LAG / teaming to connect servers with multiple NICs to different switches? Will it at least cause one of the two different switch ports to be blocked by LACP, so as to offer an active/passive LAG if a cross-switch LAG is not possible?

Thanks

DevinderSharma

I was able to get hold of a customer firewall and switch that are not in production yet, and I tried to add the MAC address to a port with an address starting with 03bf and I got the error:

"Multicast mac address not allowed"

The same multicast MAC address is accepted both as an ARP entry and as a MAC address for the table in a Cisco switch with no issues; I tested that portion with Cisco switches yesterday. So in such a situation, can we conclude that we cannot support traditional Microsoft NLB in multicast mode (without IGMP) and that we will need to have the customer change the cluster mode to IGMP multicast? IGMP multicast mode should then not need these static MAC entries, though we will still need the upstream FortiGate to act as IGMP querier, and on that interface of the FortiGate we will need to add the ARP entry, which is accepted without error?

Thanks
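A quick check of the addresses in this thread, as an added example that is not part of the original post and not Fortinet code: the script below derives the cluster MAC for each Microsoft NLB mode from the cluster VIP using Microsoft's documented rules (03-BF-w-x-y-z for multicast mode, 01-00-5E-7F-y-z for IGMP multicast mode, 02-BF-w-x-y-z for unicast mode), tests the I/G bit that is what makes an address a group address, and emits the FortiOS arp-table snippet from the question. The function `fortiswitch_static_mac_check` is an assumed model of the rejection seen above, keyed on the I/G bit alone; it is not the switch's own logic. Run against the values posted here it also shows that 03bf.ac20.141e encodes 172.32.20.30 rather than 192.168.10.50, so the two values in the question come from different VIPs and a real entry must use the MAC derived from the actual cluster address.

```python
"""Microsoft NLB cluster MAC derivation and the FortiSwitch multicast-MAC check.

Added example for the thread above, not FortiOS/FortiSwitch code.
It applies Microsoft's documented NLB MAC rules (w.x.y.z = cluster VIP):
    multicast mode       03-BF-w-x-y-z
    IGMP multicast mode  01-00-5E-7F-y-z
    unicast mode         02-BF-w-x-y-z
and models the rejection the poster hit ("Multicast mac address not allowed")
as a test of the I/G bit, bit 0 of the first octet, which is how IEEE 802
distinguishes group addresses from individual ones.
"""
import ipaddress


def _fmt(octets) -> str:
    """Render octets as colon-separated lowercase hex, the FortiOS CLI form."""
    return ":".join(f"{o:02x}" for o in octets)


def parse_mac(mac: str) -> bytes:
    """Accept 03:bf:ac:20:14:1e, 03-BF-AC-20-14-1E or Cisco 03bf.ac20.141e."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def nlb_multicast_mac(vip: str) -> str:
    """NLB multicast mode: 03-BF followed by the four VIP octets."""
    return _fmt((0x03, 0xBF, *ipaddress.IPv4Address(vip).packed))


def nlb_igmp_mac(vip: str) -> str:
    """NLB IGMP multicast mode: 01-00-5E-7F followed by the last two VIP octets."""
    y, z = ipaddress.IPv4Address(vip).packed[2:]
    return _fmt((0x01, 0x00, 0x5E, 0x7F, y, z))


def nlb_unicast_mac(vip: str) -> str:
    """NLB unicast mode cluster MAC: 02-BF followed by the four VIP octets."""
    return _fmt((0x02, 0xBF, *ipaddress.IPv4Address(vip).packed))


def is_multicast_mac(mac: str) -> bool:
    """True when the I/G bit is set, i.e. the address is a group address."""
    return bool(parse_mac(mac)[0] & 0x01)


def vip_from_nlb_multicast_mac(mac: str) -> str:
    """Recover the cluster VIP encoded in an NLB multicast-mode MAC."""
    raw = parse_mac(mac)
    if raw[:2] != b"\x03\xbf":
        raise ValueError("not an NLB multicast-mode (03-BF) address")
    return str(ipaddress.IPv4Address(raw[2:]))


def fortiswitch_static_mac_check(mac: str):
    """Assumed model of the managed-switch static-mac validation from the thread.

    Returns the error string for a group address, None when the entry would be
    accepted.  Assumption: the switch rejects on the I/G bit alone, which is
    consistent with 03-BF being refused while ordinary unicast MACs are not.
    """
    return "Multicast mac address not allowed" if is_multicast_mac(mac) else None


def fortios_arp_entry(interface: str, vip: str, mac: str, entry_id: int = 1) -> str:
    """Static ARP entry on the FortiGate, in the same form as the question."""
    return "\n".join([
        "config system arp-table",
        f"    edit {entry_id}",
        f'        set interface "{interface}"',
        f"        set ip {vip}",
        f"        set mac {_fmt(parse_mac(mac))}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    vip = "192.168.10.50"  # VIP quoted in the question
    for mode, mac in (("multicast", nlb_multicast_mac(vip)),
                      ("igmp", nlb_igmp_mac(vip)),
                      ("unicast", nlb_unicast_mac(vip))):
        verdict = fortiswitch_static_mac_check(mac) or "accepted"
        print(f"{mode:10} {mac}  static-mac: {verdict}")
    # The MAC quoted in the question encodes a different VIP than 192.168.10.50.
    print("03bf.ac20.141e encodes VIP", vip_from_nlb_multicast_mac("03bf.ac20.141e"))
    print(fortios_arp_entry("internal", vip, nlb_multicast_mac(vip)))
```

Both the multicast-mode (03-BF) and IGMP-mode (01-00-5E-7F) addresses carry the I/G bit, so the model refuses a static-mac entry for either; the difference in IGMP mode is that the switch learns the group from the cluster's IGMP reports and no static entry is needed, which matches the conclusion reached later in the thread. Only the unicast-mode 02-BF address passes the check.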

DevinderSharma

Answering this question myself. In the absence of physical equipment, I was able to find answers to this in the FortiSwitch documentation, and I also came across the link below, which provided what I was looking for. I was then able to validate this in a remote session with my friendly and very helpful Fortinet SE's lab, which had the required FortiSwitches managed by a FortiGate. Essentially, Microsoft's proprietary NLB multicast mode is not supported by Fortinet switches, as they reject inputting a multicast MAC address for the virtual IP of the NLB cluster. The only option is to use IGMP multicast, and that then does not have any such requirement to put in static ARP and static MAC entries. However, for local LAN needs, it is better to have the switch become the required IGMP querier and thus not burden the FortiGate that is upstream and managing the switches. The basic GUI and CLI options available under the FortiGate GUI for managing the switches do not allow setting the switch as an IGMP querier. The link below explains beautifully what needs to be done to achieve what I needed. Hope this helps others as well; I appreciate the author of the link below for documenting it so clearly.

https://www.brg.ch/igmp-snooping-querier-with-managed-fortiswitch/