
FortiWLC – Redundant Ethernet

Redundant Ethernet

When operating an MC1500, Ethernet redundancy can be enabled at any time by following the steps outlined in the following sections. However, for the following controller models, enable dual-port bonding before activating Ethernet redundancy:

  • MC3200
  • MC4200
  • MC5000 (with accelerator card)
  • MC6000

To enable dual bonding, enter the following commands and reboot the controller:

default# configure terminal
default(config)# bonding dual
default(config)# exit
default# copy running-config startup-config

Configure Redundant Ethernet Failover With the CLI

The following commands configure Ethernet interface 2 on a controller as a backup to Ethernet interface 1:

default# configure terminal
default(config)# interface FastEthernet 2
default(config-if-FastEth)# type redundant
default(config-if-FastEth)# exit
default(config)# exit
default# copy running-config startup-config

In the redundant configuration, the IP address for the second Ethernet interface cannot be configured. It will receive the IP address of the primary Ethernet interface when the failover occurs.

The system requires a reboot for the change to become effective. Reboot the system now, and then check the redundant second interface configuration with the show second_interface_status command:

default# show second_interface_status

Recovering From Redundant Ethernet Failover

Once Dual Ethernet Redundant mode configuration is complete, the controller needs to be rebooted – see directions above. After the reboot, if the first Ethernet interface link goes down, then the second Ethernet interface takes over the controller connectivity. Redundant Ethernet failover is based on LinkID and does not require any spanning-tree configuration. When a LinkID is missing, the failover will occur in under one second. This failover will be transparent to the access points. The second interface remains active and serving all APs, even if the first interface comes up again. Verify this with the CLI command show second-interface-status. Only when the second interface goes down will the first interface (if it is up) take over the controller connectivity.

On hardware controllers, bringing the switch port down is detected as interface down and a link down alarm is generated, whereas on a virtual controller bringing the switch port down is not detected as interface down and hence no link down alarm is generated.

An alarm will be generated when the mapped interface in the VMWare client software is configured as disconnected.

When N+1 or L3 redundancy is also configured and controller 1 fails, the APs move to controller 2. When controller 1 comes back online, the APs immediately begin to move back to controller 2. Also see Recovering From N+1 with Dual Ethernet Failover.
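The failover and failback rules above (failover when the active link drops, no automatic failback to interface 1, and the hardware-versus-virtual alarm difference), as an added illustration that is not FortiWLC code: a small model that replays link events for the two interfaces and reports which one holds the controller IP. The event format, class and method names are assumptions of this example.

```python
"""Model of the FortiWLC dual-Ethernet failover rules described above.

Added illustration, not FortiWLC code. It replays link-state events for
interfaces 1 and 2 and reports which interface carries the controller IP,
plus the "link down" alarms a hardware controller would raise. The event
format and the names used here are assumptions made for this example.
"""

from dataclasses import dataclass, field


@dataclass
class RedundantEthernet:
    """Tracks the link state of both interfaces and which one is active."""
    link_up: dict = field(default_factory=lambda: {1: True, 2: True})
    active: int = 1                  # interface currently holding the IP
    alarms: list = field(default_factory=list)
    virtual_controller: bool = False

    def event(self, iface: int, up: bool, source: str = "cable") -> int:
        """Apply one link event and return the active interface afterwards.

        source is "cable" (switch port / physical link change) or
        "vm-disconnect" (the VMware client marks the mapped interface
        disconnected).
        """
        # A virtual controller only notices the loss when the mapped
        # interface is set to disconnected, not when the switch port drops.
        if self.virtual_controller and source == "cable":
            return self.active
        self.link_up[iface] = up
        if not up:
            self.alarms.append(f"link down: interface {iface}")
        return self._reevaluate()

    def _reevaluate(self) -> int:
        """Fail over only when the active link is gone; never fail back early."""
        if self.link_up[self.active]:
            return self.active           # active link fine, nothing changes
        standby = 2 if self.active == 1 else 1
        if self.link_up[standby]:
            self.active = standby        # standby inherits the primary's IP
        return self.active

    def second_interface_status(self) -> str:
        """What an operator would look for in the second-interface status."""
        return "active" if self.active == 2 else "standby"


def replay(events, virtual=False):
    """Run (iface, up, source) events; return the model and the active-interface history."""
    box = RedundantEthernet(virtual_controller=virtual)
    history = []
    for iface, up, source in events:
        history.append(box.event(iface, up, source))
    return box, history
```

The hardware replay shows interface 2 keeping the IP after interface 1 recovers, which is why the status must be checked explicitly after any link event.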



Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWLC – Time Based ESS

Time Based ESS

You can schedule the availability of an ESS based on pre-defined time intervals. By default, ESS profiles are always ON and available to clients/devices. By adding a timer, you can control the availability of an ESS profile based on pre-defined times during a day or across multiple days.

To create a time based ESS profile, you must first create a timer profile and then associate the timer profile to the ESS profile.

Creating a Timer Profile

You can create a timer profile using the WebUI or the CLI.

Using WebUI

Go to Configuration > Timer and click the Add button.

In the Add Timer Profile pop up window, enter Timer Profile Name and select Timer Type:

  • Absolute timer profiles can enable and disable ESS visibility for time durations across multiple days. You can create up to 3 specific start and end times per timer profile. To enter the start or end time, click the Date picker box. See label 1 in figure 1.
  • Periodic timer profiles are a set of start and end timestamps that can be applied across multiple days of a week. To create a periodic timer profile, enter the time in hh:mm format, where hh represents hours as 2 digits and mm represents minutes as 2 digits. Figure 2 illustrates a timer profile that will be applied on Sunday, Monday, Tuesday, and Thursday from 08:10 a.m. to 14:45 (2:45 p.m.).


Using CLI

A new CLI command timer-profile with various options is available to create a timer profile.

Syntax

#(config-mode) timer-profile <profile-name>

#(timer-config-mode) <timer-type> <timer-slot> start-time <"mm/dd/yyyy hh:mm"> end-time <"mm/dd/yyyy hh:mm">

  • timer-type is either absolute-timer or periodic-timer
  • Absolute timer profile allows creation of 3 timer slots.
  • Time must be specified within double quotes in this format: mm/dd/yyyy <space> hh:mm

Example: Creating an absolute timer profile

default# configure terminal
default(config)# timer-profile monthly-access
default(config-timer)# absolute-timer time-slot-1 start-time "01/01/2014 10:10" end-time "02/02/2014 08:45"

 



FortiWLC – Utilizing Multiple IPs on a Single MAC

Utilizing Multiple IPs on a Single MAC

In current implementations, a typical client machine (or station) is granted a single IP Address per wireless adapter in use. However, with the growing use of Virtual Machine models (provided by VMware, Parallels, etc.), a single station can run multiple Operating Systems from a single client. With this release of Fortinet FortiWLC (SD), each Virtual Machine can now be provided with an individual IP Address, making it much easier to troubleshoot packet transmissions.

To support this function, the FortiWLC (SD) ESS Profile screen has a new function labeled MIPS, which is disabled by default. With this function enabled, packets are bridged across from the “host”, or main, Operating System to the “guest”, or virtual, system(s) as needed. The following notes apply:

  • All data packets sent from the client will have the host OS MAC address as their source address.


  • All data packets sent to the client will have the host OS MAC address as their destination address. Each OS has a different client hardware address that is transmitted as part of the DHCP payload. “Guest” OS hardware devices have MAC addresses that start “00:0c:29”; this is the global standard OUI for VMware. This hardware address is used by the DHCP server to identify guest OSes, allowing them to be provided separate IP addresses.
  • Gratuitous ARP packets transmitted by any IP will have their corresponding unique client hardware addresses.
  • All broadcast packets received by the host OS will also be delivered to the guest OS(es).
  • All unicast packets received by the host OS will be delivered to the guest OS(es) based on the packets’ destination IP address.

In order to support this capability, a command has been added to the CLI:

  • show station multiple-ip—Displays all IP addresses provided by each individual station along with MAC addresses (labeled ‘vmac’ for virtual devices). Note that for the host device, the Client MAC and Virtual MAC will be identical.
  • IPv4 and IPv6 address types are supported.
  • All IP addresses belonging to a single station are assumed to be part of the same VLAN.
  • IP addresses provided to Virtual OSes are always dynamic; static addresses are not supported.
  • ICR is not supported when this feature is enabled.
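How the DHCP server tells a VMware guest from its host when both share one wireless MAC, as an added example (not FortiWLC code): it builds two constructed DHCP DISCOVER payloads, extracts the chaddr field, and produces rows in the spirit of show station multiple-ip (Client MAC = 802.11 source address, vmac = chaddr). The function names and the "guest" label for non-VMware OUIs are assumptions of this example.

```python
"""Parse the DHCP client hardware address (chaddr) that lets a DHCP server
tell a VMware guest from its host when both share one wireless MAC.

Added example, not FortiWLC code. It builds constructed DHCP DISCOVER
payloads and produces a table in the spirit of `show station multiple-ip`
(Client MAC = 802.11 source, vmac = chaddr). Names here are assumptions.
"""

import struct

VMWARE_OUI = "00:0c:29"          # OUI the text cites for VMware guest NICs
BOOTP_FIXED_LEN = 236            # bytes before the DHCP magic cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_dhcp_discover(chaddr: str, xid: int = 0x1234) -> bytes:
    """Constructed minimal BOOTP/DHCP DISCOVER carrying the given chaddr."""
    hw = mac_bytes(chaddr)
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, len(hw), 0, xid, 0, 0x8000,      # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, 1, 255])   # option 53 = message type DISCOVER, then end
    return fixed + MAGIC_COOKIE + options


def parse_chaddr(payload: bytes) -> str:
    """Return the chaddr of a DHCP payload, validating the fields we depend on."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("truncated BOOTP header")
    htype, hlen = payload[1], payload[2]
    if htype != 1 or hlen != 6:
        raise ValueError(f"unsupported hardware type/len {htype}/{hlen}")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return mac_str(payload[28:28 + hlen])       # chaddr starts at offset 28


def station_table(frames):
    """frames: list of (wireless_src_mac, dhcp_payload, leased_ip).

    Returns rows like `show station multiple-ip`: (client_mac, vmac, ip, kind).
    For the host OS the client MAC and vmac are identical; a chaddr in the
    VMware OUI identifies a guest OS that gets its own lease.
    """
    rows = []
    for src_mac, payload, ip in frames:
        vmac = parse_chaddr(payload)
        if vmac == src_mac:
            kind = "host"
        elif vmac.startswith(VMWARE_OUI):
            kind = "vmware-guest"
        else:
            kind = "guest"                      # assumed label for other OUIs
        rows.append((src_mac, vmac, ip, kind))
    return rows
```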


FortiWLC – Multiple ESSID Mapping

Multiple ESSID Mapping

The following configuration example shows how to create three ESSIDs and map them to three different VLANs to separate guest users, corporate users, and retail traffic.

The first ESSID, guest-users, is mapped to a VLAN named guest. This ESSID is configured to use the default security profile, which requires no authentication method or encryption method. The VLAN IP address is 10.1.1.2/24 with a default gateway of 10.1.1.1. The DHCP server IP address is 10.1.1.254. This ESSID is configured so that it is added to each access point automatically and is also part of a Virtual Cell. (All access points on the same channel with this ESSID share the same BSSID.)

The second ESSID, corp-users, is mapped to a VLAN named corp. This ESSID is configured to use a security profile called corp-access, which requires 64-bit WEP as the authentication/encryption method. The static WEP key is set to corp1. The VLAN IP address is 10.1.2.2/24 with a default gateway of 10.1.2.1. The DHCP server IP address is 10.1.2.254. This ESSID is configured so that it is added to each AP automatically and is also part of a Virtual Cell.

The third ESSID, retail-users, is mapped to a VLAN named retail. This ESSID is configured to use a security profile called retail-access, which requires 802.1X as an authentication method.


The 802.1X rekey period is set to 1000 seconds. The primary RADIUS server IP address is set to 10.1.3.200, the primary RADIUS port is set to 1812, and the primary RADIUS secret is set to secure-retail. The VLAN IP address is set to 10.1.3.2/24 with a default gateway of 10.1.3.1. The DHCP server IP address is 10.1.3.254. This ESSID is configured so that it is added to the access point with node id 1 only. Also, the broadcasting of this ESSID value in the beacons from the access point is disabled, and the ESS is given a BSSID of 00:0c:e6:02:7c:84.

Use the show vlan command to verify the VLAN configuration:

controller# show vlan

VLAN Configuration

VLAN Name   Tag  IP Address      NetMask          Default Gateway
guest       1    10.1.1.2        255.255.255.0    10.1.1.1
corp        2    10.1.2.2        255.255.255.0    10.1.2.1
retail      3    10.1.3.2        255.255.255.0    10.1.3.1

Now that the VLANs and security profiles have been created, the new ESSIDs can be created and configured.

controller# configure terminal
controller(config)# essid guest-users
controller(config-essid)# security-profile default
controller(config-essid)# vlan guest
controller(config-essid)# exit
controller(config)# essid corp-users
controller(config-essid)# security-profile corp-access
controller(config-essid)# vlan corp
controller(config-essid)# exit
controller(config)# essid retail-users
controller(config-essid)# security-profile retail-access
controller(config-essid)# vlan retail
controller(config-essid)# no ap-discovery join-ess
controller(config-essid)# no publish-essid
controller(config-essid)# ess-ap 1 1
controller(config-essid-ess-ap)# bssid 00:0c:e6:03:f9:a4
controller(config-essid-ess-ap)# exit
controller(config-essid)# exit
controller(config)# exit
controller#

To verify the creation of the new ESSIDs, use the show essid command.

To view detailed configuration for each of the new ESSIDs, use the show essid essid-name command.

To verify that the guest-users and corp-users ESSIDs were automatically joined to both access points connected to the controller and that the retail-users ESSID was only joined to AP 1, use the show ess-ap ap ap-node-id or the show ess-ap essid essid-name commands.

controller# show ess-ap ap 1

ESS-AP Configuration

AP ID: 1

ESSID                   AP Name        Channel  BSSID
guest-users             AP-1            6       00:0c:e6:01:d5:c1
corp-users              AP-1            6       00:0c:e6:02:eb:b5
retail-users            AP-1            6       00:0c:e6:03:f9:a4

controller# show ess-ap ap 2

ESS-AP Configuration

AP ID: 2

ESSID                   AP Name        Channel  BSSID
guest-users             AP-2            6       00:0c:e6:01:d5:c1
corp-users              AP-2            6       00:0c:e6:02:eb:b5

controller# show ess-ap essid retail-users

ESS-AP Configuration

ESSID: retail-users

AP ID   AP Name        Channel  BSSID
1       AP-1            6       00:0c:e6:03:f9:a4

controller# show ess-ap essid corp-users

ESS-AP Configuration

ESSID: corp-users

AP ID   AP Name        Channel  BSSID
1       AP-1            6       00:0c:e6:02:eb:b5
2       AP-2            6       00:0c:e6:02:eb:b5

Bridged AP300 in a Remote Location

When bridged mode is configured in an ESSID, an AP using that ESSID can be installed and managed at a location separated from the controller by a WAN or ISP, for example at a satellite office. The controller monitors remote APs with a keep‐alive signal. Remote APs exchange control information, including authentication and accounting information, with the controller but cannot exchange data. Remote APs exchange data with other APs within their subnet.

Because Remote APs cannot exchange data-plane traffic (including DHCP) with the controller, certain Fortinet Wireless LAN features are not available for remote AP configurations. These include:

  • QoS
  • Captive Portal
  • L3 mobility

The features that are available are:


  • VLAN
  • Virtual Cell
  • 1X authentication
  • High user density
  • Multiple ESSIDs
  • Dataplane encryption for backhaul on L3 tunnel

Configure Bridged Mode with the Web UI

Configure bridged mode when you add or modify an ESS with the Web UI; for directions, see “Add an ESS with the Web UI” on page 137.

Configure Bridged Mode with the CLI

This example creates the ESSID abcjk, sets its mode to bridged, assigns a tag, and then gives top priority to abcjk.

test# configure terminal
test(config)# essid abcjk
test(config-essid)# dataplane bridged
test(config-essid)# ap-vlan-tag 11
test(config-essid)# ap-vlan-priority
test(config-essid)# end

For details of the commands used here, see the Command Reference Guide.



FortiWLC – Band Steering Feature

Band Steering Feature

Band steering works with multi-band capable clients by letting you assign bands to clients based on their capabilities. Without band steering, an ABG client could formerly associate on either the A or the B/G channels, leading to overcrowding on one band or the other. With band steering, you can direct some of this traffic to the A band. Another example of using band steering is to separate  and data traffic. You can leave all -capable clients the B/G channels (where bandwidth is not a concern) and move data-only clients to the A bands to achieve higher data rates. To use band steering for ABGN traffic, you could use A-Steering to direct dual mode clients with A capability to the 5GHz band and use N-Steering to direct all dual mode clients with AN capability to the 5GHz band. Band steering is also useful for directing multicast traffic.

Configure Band Steering with the Web UI

Band Steering is enabled on a per-ESS basis. When you create or modify an ESS, you can enable band steering. To do this with the Web UI, follow the directions “Add an ESS with the Web UI” on page 137 setting the field Enable Band Steering to On. The field Band Steering Timeout defaults to 5 seconds; this is the number of seconds that assignment for a steered client is blocked on the forbidden band while it is unassociated. For this command to work as clients are added, also set the field New APs Join ESS to on in the ESS.
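The steering decision described in this section (A-Steering versus N-Steering, and the Band Steering Timeout during which a steered client is refused on the forbidden band while unassociated), as an added model that is not FortiWLC code. The reading that a client is admitted on the 2.4 GHz band once its timeout lapses, and all class and method names, are assumptions of this example.

```python
"""Model of the per-ESS band steering decision described above.

Added example, not FortiWLC code. A client that is "steerable" under the
ESS's band-steering-mode is refused on the forbidden band (2.4 GHz, the
B/G channels) for band-steering-timeout seconds while it stays
unassociated. Admitting it there after the timeout lapses is this model's
assumption, as are the names used here.
"""

FORBIDDEN_BAND = "2.4GHz"       # B/G channels
PREFERRED_BAND = "5GHz"         # A channels


class BandSteering:
    """Per-ESS band steering state: mode, timeout and per-client block timers."""

    def __init__(self, mode: str = "a-steering", timeout: int = 5):
        if mode not in ("disable", "a-steering", "n-steering"):
            raise ValueError(f"unknown band-steering-mode {mode}")
        self.mode = mode
        self.timeout = timeout              # band-steering-timeout (seconds)
        self.block_until = {}               # client_mac -> time the block expires

    def steerable(self, capabilities) -> bool:
        """a-steering: dual-mode clients with A capability;
        n-steering: dual-mode clients with A and N capability."""
        caps = set(capabilities)
        dual_mode = "a" in caps and ("b" in caps or "g" in caps)
        if self.mode == "a-steering":
            return dual_mode
        if self.mode == "n-steering":
            return dual_mode and "n" in caps
        return False                        # mode disable: steer nobody

    def admit(self, client_mac: str, capabilities, band: str, now: float) -> bool:
        """True if the AP should serve this unassociated client on `band` at time `now`."""
        if band == PREFERRED_BAND or not self.steerable(capabilities):
            self.block_until.pop(client_mac, None)
            return True
        # Steerable client trying the forbidden band: start or consult its timer.
        expiry = self.block_until.get(client_mac)
        if expiry is None:
            self.block_until[client_mac] = now + self.timeout
            return False
        if now < expiry:
            return False                    # still inside the timeout window
        self.block_until.pop(client_mac, None)   # timed out: assumed fallback
        return True
```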

Configure Band Steering with the CLI

Two new CLI commands have been added for band steering. band-steering-mode enables band steering on an ESS and band-steering-timeout sets the number of seconds that assignment for a steered client is blocked on the forbidden band while it is unassociated. The command band-steering-mode disable turns off band steering. To use band steering, create an ESS with the following configuration:

ESS Profile
ESS Profile                               : bandsteering
Enable/Disable                            : enable
SSID                                      : bandsteering
Security Profile                          : default
Primary RADIUS Accounting Server          :
Secondary RADIUS Accounting Server        :
Accounting Interim Interval (seconds)     : 3600
Beacon Interval (msec)                    : 100
SSID Broadcast                            : on
Bridging                                  : none
New AP's Join ESS                         : on
Tunnel Interface Type                     : none
VLAN Name                                 :
Virtual Interface Profile Name            :
GRE Tunnel Profile Name                   :
Allow Multicast Flag                      : off
Isolate Wireless To Wireless traffic      : off
Multicast-to-Unicast Conversion           : on
RF Virtualization Mode                    : VirtualCell
Overflow from                             :
APSD Support                              : on
DTIM Period (number of beacons)           : 1
Dataplane Mode                            : tunneled
AP VLAN Tag                               : 0
AP VLAN Priority                          : off
Countermeasure                            : on
Multicast MAC Transparency                : off
Band Steering Mode                        : a-steering
Band Steering Timeout(seconds)            : 5

This example sets band steering to the A channel on the existing ESS named bandsteering:

default(15)# configure terminal
default(15)(config)# essid bandsteering
default(15)(config-essid)# dataplane bridged
default(15)(config-essid)# band-steering-mode a-steering
default(15)(config-essid)# end
default(15)#

default(15)# show essid bandsteering

ESS Profile
ESS Profile                               : bandsteering
Enable/Disable                            : enable
SSID                                      : bandsteering
Security Profile                          : default
Primary RADIUS Accounting Server          :
Secondary RADIUS Accounting Server        :
Accounting Interim Interval (seconds)     : 3600
Beacon Interval (msec)                    : 100
SSID Broadcast                            : on
Bridging                                  : none
New AP's Join ESS                         : on
Tunnel Interface Type                     : none
VLAN Name                                 :
Virtual Interface Profile Name            :
GRE Tunnel Profile Name                   :
Allow Multicast Flag                      : off
Isolate Wireless To Wireless traffic      : off
Multicast-to-Unicast Conversion           : on
RF Virtualization Mode                    : VirtualPort
Overflow from                             :
APSD Support                              : on
DTIM Period (number of beacons)           : 1
Dataplane Mode                            : bridged
AP VLAN Tag                               : 0
AP VLAN Priority                          : off
Countermeasure                            : on
Multicast MAC Transparency                : off
Band Steering Mode                        : a-steering
Band Steering Timeout(seconds)            : 5

This example disables band steering:

default(15)# configure terminal
default(15)(config)# essid bandsteering
default(15)(config-essid)# band-steering-mode disable
default(15)(config-essid)# end
default(15)#

default(15)# sh essid bandsteering

ESS Profile
ESS Profile                               : bandsteering
Enable/Disable                            : enable
SSID                                      : bandsteering
Security Profile                          : default
Primary RADIUS Accounting Server          :
Secondary RADIUS Accounting Server        :
Accounting Interim Interval (seconds)     : 3600
Beacon Interval (msec)                    : 100
SSID Broadcast                            : on
Bridging                                  : none
New AP's Join ESS                         : on
Tunnel Interface Type                     : none
VLAN Name                                 :
Virtual Interface Profile Name            :
GRE Tunnel Profile Name                   :
Allow Multicast Flag                      : off
Isolate Wireless To Wireless traffic      : off
Multicast-to-Unicast Conversion           : on
RF Virtualization Mode                    : VirtualPort
Overflow from                             :
APSD Support                              : on
DTIM Period (number of beacons)           : 1
Dataplane Mode                            : bridged
AP VLAN Tag                               : 0
AP VLAN Priority                          : off
Countermeasure                            : on
Multicast MAC Transparency                : off
Band Steering Mode                        : disable
Band Steering Timeout(seconds)            : 5

Expedited Forward Override

The Expedited Forward Override option is implemented to override the system's default DSCP-to-WMM priority mapping. IP datagrams marked with DSCP Expedited Forwarding (46) will be sent from the WMM Voice queue (AC_VO) of the AP rather than the Video queue (AC_VI) in the downstream direction (to stations). This feature is specific to the AP400 and is disabled by default. It is configured on a per-ESS Profile basis and works in both bridged and tunneled ESS profiles.

Steps to configure Expedited Forward Override

  1. Steps to Enable Expedited Forward Override Feature in ESSID:

default# config terminal
default(config)# essid meru
default(config-essid)# expedited-forward-override
default(config-essid)# end

default# show essid meru

ESS Profile
ESS Profile                               : meru
Enable/Disable                            : enable
SSID                                      : meru
Security Profile                          : default
Primary RADIUS Accounting Server          :
Secondary RADIUS Accounting Server        :
Accounting Interim Interval (seconds)     : 3600
Beacon Interval (msec)                    : 100
SSID Broadcast                            : on
Bridging                                  : none
New AP's Join ESS                         : on
Tunnel Interface Type                     : none
VLAN Name                                 :
Virtual Interface Profile Name            :
GRE Tunnel Profile Name                   :
Allow Multicast Flag                      : off
Isolate Wireless To Wireless traffic      : off
Multicast-to-Unicast Conversion           : on
RF Virtualization Mode                    : VirtualPort
Overflow from                             :
APSD Support                              : on
DTIM Period (number of beacons)           : 1
Dataplane Mode                            : tunneled
AP VLAN Tag                               : 0
AP VLAN Priority                          : off
Countermeasure                            : on
Multicast MAC Transparency                : off
Band Steering Mode                        : disable
Band Steering Timeout(seconds)            : 5
Expedited Forward Override                : on
SSID Broadcast Preference                 : till-association
B Supported Transmit Rates  (Mbps)        : 1,2,5.5,11
B Base Transmit Rates  (Mbps)             : 11

  2. Steps to Disable Expedited Forward Override Feature in ESSID:

Meru# config terminal
Meru(config)# essid meru
Meru(config-essid)# no expedited-forward-override
Meru(config-essid)# end

Meru# show essid meru

ESS Profile
ESS Profile                               : meru
Enable/Disable                            : enable
SSID                                      : meru
Security Profile                          : default
Primary RADIUS Accounting Server          :
Secondary RADIUS Accounting Server        :
Accounting Interim Interval (seconds)     : 3600
Beacon Interval (msec)                    : 100
SSID Broadcast                            : on
Bridging                                  : none
New AP's Join ESS                         : on
Tunnel Interface Type                     : none
VLAN Name                                 :
Virtual Interface Profile Name            :
GRE Tunnel Profile Name                   :
Allow Multicast Flag                      : off
Isolate Wireless To Wireless traffic      : off
Multicast-to-Unicast Conversion           : on
RF Virtualization Mode                    : VirtualPort
Overflow from                             :
APSD Support                              : on
DTIM Period (number of beacons)           : 1
Dataplane Mode                            : tunneled
AP VLAN Tag                               : 0
AP VLAN Priority                          : off
Countermeasure                            : on
Multicast MAC Transparency                : off
Band Steering Mode                        : disable
Band Steering Timeout(seconds)            : 5
Expedited Forward Override                : off
SSID Broadcast Preference                 : till-association
B Supported Transmit Rates  (Mbps)        : 1,2,5.5,11
B Base Transmit Rates  (Mbps)             : 11

SSID Broadcast for Vport

The SSID Broadcast for Vport function is designed to improve connectivity when using Cisco phones.

Configuration of SSID Broadcast for Vport

The SSID Broadcast for Vport option is similar to the ESSID configuration parameter. From the ESSID configuration, the SSID Broadcast for Vport option has three configurable parameters from the GUI and IOSCLI, as follows:

  1. Disable: This is the default configuration on the ESSID profile page. Configuring the parameter to “Disable” causes the AP not to advertise the SSID in the beacons.

Example for configuring the option to Disable from IOSCLI:

default# configure terminal
default(config)# essid assign
default(config-essid)# publish-essid-vport disabled
default(config-essid)# exit
default(config)# exit

  2. Always: Configuring the parameter to “Always” enables the AP to always advertise the SSID in the beacons. This must not be configured unless recommended.

Example for configuring the option to Always from IOSCLI:

default# conf terminal
default(config)# essid assign
default(config-essid)# publish-essid-vport always
default(config-essid)# end

  3. Till-Association: Configuring the parameter to “Till-Association” enables the AP to advertise the SSID in the beacons until the client reaches the association stage, and disables the SSID broadcast for the later part of connectivity. This setting is preferable for certain phone versions, where it resolves connectivity issues with Vport ON. Once a station has associated, the AP stops broadcasting the SSID string. Users can configure the SSID Broadcast for Vport parameter per ESS from the controller GUI in addition to the AP CLI.

Example for configuring the option to Till-Association from IOSCLI:

default# conf terminal
default(config)# essid assign
default(config-essid)# publish-essid-vport till-association
default(config-essid)# end



FortiWLC – Multicast Restriction per VLAN

Multicast Restriction per VLAN

When “multicast to unicast” conversion is enabled, multicast/broadcast packets will be restricted to respective VLANs only.

Supported in: AP110, AP122, AP332, AP822, AP832, OAP832, AP1020, FAP-U4231V, FAPU423EV



FortiWLC – Multicast MAC Transparency Feature

Multicast MAC Transparency Feature

This feature enables MAC transparency for tunneled multicast, which is needed for some clients to receive multicast packets. Multicasting is an advanced feature and can cause subtle changes in your network. By default, multicasting is disabled. To enable it, use either the multicast-enable command (see example below) or Configuration > Wireless > ESS > Add in the Web UI (see example below).

Multicasting is an advanced feature. Enabling multicasting in the WLAN can cause subtle changes in your network. Contact Meru Networks Customer Service Technical Assistance Center before enabling multicasting.

Enable Multicast From the Web UI

To enable multicasting from the Web UI, add or modify an ESS. For directions, see “Add an ESS with the Web UI” on page 137.

Enable Multicast with the CLI

The following example enables multicasting with the CLI:

controller(config-essid)# multicast-enable

For command details, see the FortiWLC (SD) Command Reference.

View Mapping Between VLANs and ESS Profiles

Use the following command to see the VLANs and ESS profiles currently mapped:

controller# show vlan ess-profile

For command details, see the FortiWLC (SD) Command Reference.


FortiWLC – Multicast

Multicast

Multicast is a technique frequently used for the delivery of streaming media, such as video, to a group of destinations simultaneously. Instead of sending a copy of the stream to each client, clients share one copy of the information, reducing the load on the network. Multicast is an advanced feature and can cause subtle changes in your network. By default, multicast is disabled and should be enabled only for specific circumstances. Possible multicast applications include:

  • Broadcast via cable or satellite to IPTV (for example, Vbrick or Video Furnace)
  • Any broadcast application (for example, CEO address to company)
  • Distance learning (live lectures)
  • Video surveillance
  • Video conferencing

For multicast to work, you need to complete these four tasks:

  • Enable Virtual Port on AP400s – see “Configuring Virtual Port Support for AP400 with the CLI” on page 151 and “Configuring Probe Response Threshold” on page 153 for directions.
  • Enable IGMP snooping on the controller – see “Configuring IGMP Snooping on Controllers and APs” on page 163
  • Enable IGMP snooping on the network infrastructure, including intermediary switches. You must do this because FortiWLC does not source multicast group membership queries. We rely (as do most controllers) on the switches to perform that task.
  • Map a Virtual Cell enabled ESS with the default VLAN – see “Assigning a VLAN with the CLI” on page 156.

Configuring IGMP Snooping on Controllers and APs

Multicasting is implemented using IGMP snooping. In FortiWLC (SD) release 3.6, IGMP snooping was only done at the controller; the controller knew which clients were subscribed to specific multicast streams and sent the data for the subscribed multicast stream only to the APs with clients currently being serviced. Since the AP didn’t know which clients subscribed to the specific stream, it would send multicast streams to all clients currently being serviced by the AP. (With Virtual Port, there would be N copies, one for each client). This wasted airtime and created unnecessary traffic and contention.

In release 4.0 and later, IGMP snooping is done not only by the controller but also done by AP400s (excluding AP1000) when using Virtual Cell. The controller passes the client subscription list for multicast streams to AP400, which limits the multicast streams to only subscribed clients, reducing wireless traffic and saving time. (There are no changes in sending multicasts for stations connected to non-Virtual Cell ESS profiles.)


Commands to Configure IGMP Snooping

The following command is used to enable/disable IGMP snooping on the controller and APs:

igmp-snoop state [enable, disable]

Command to show igmp-snoop status:

show igmp-snoop

Command to see which multicast groups are currently active:

show igmp-snoop forwarding-table

Command to see which stations have joined multicast groups:

show igmp-snoop subscription-table
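The snooping described in this section, as an added example that is not FortiWLC code: a controller-side snooper built from constructed IGMPv2 reports and leaves that maintains the two tables the show igmp-snoop forwarding-table and show igmp-snoop subscription-table commands expose, plus the release 4.0 AP-side filter that limits a stream to the subscribed clients on that AP. The class and method names are assumptions of this example.

```python
"""IGMP snooping tables of the kind `show igmp-snoop forwarding-table` and
`show igmp-snoop subscription-table` expose, built from snooped IGMPv2
reports, plus the AP-side per-client filter the text describes for 4.0.

Added example, not FortiWLC code. Messages are constructed IGMPv2 packets
(RFC 2236 layout: type, max-resp, checksum, group). Names are assumptions.
"""

import ipaddress
import struct

IGMP_V2_REPORT = 0x16
IGMP_V2_LEAVE = 0x17


def igmp_checksum(data: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str) -> bytes:
    """Constructed IGMPv2 message with a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def parse_igmp(data: bytes):
    """Return (type, group) or raise on a short message / bad checksum."""
    if len(data) < 8:
        raise ValueError("short IGMP message")
    if igmp_checksum(data[:8]) != 0:        # a valid packet sums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, _, _, group = struct.unpack("!BBH4s", data[:8])
    return msg_type, str(ipaddress.IPv4Address(group))


class IgmpSnooper:
    """Controller-side snooping: who joined which group, and on which AP."""

    def __init__(self):
        self.subscriptions = {}             # group -> {station_mac: ap_id}

    def snoop(self, station_mac: str, ap_id: int, data: bytes) -> None:
        """Update the tables from one IGMP message seen from a station."""
        msg_type, group = parse_igmp(data)
        if msg_type == IGMP_V2_REPORT:
            self.subscriptions.setdefault(group, {})[station_mac] = ap_id
        elif msg_type == IGMP_V2_LEAVE:
            members = self.subscriptions.get(group, {})
            members.pop(station_mac, None)
            if not members:
                self.subscriptions.pop(group, None)
        # Queries and other types carry no membership information here.

    def forwarding_table(self):
        """group -> sorted AP ids that must receive the stream from the controller."""
        return {g: sorted(set(m.values())) for g, m in self.subscriptions.items()}

    def subscription_table(self):
        """group -> sorted station MACs (the list pushed down to the AP400s)."""
        return {g: sorted(m) for g, m in self.subscriptions.items()}

    def ap_recipients(self, ap_id: int, group: str, clients_on_ap):
        """Release 4.0 behaviour: only subscribed clients on this AP get a copy,
        instead of every client the AP serves (the 3.6 behaviour)."""
        members = self.subscriptions.get(group, {})
        return sorted(c for c in clients_on_ap if members.get(c) == ap_id)
```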

