Configure the L2 Multicast in ACI
Available Languages
Contents
Introduction
This document describes how to configure and verify Layer 2 (L2) multicast in the same Endpoint Group (EPG) on a single Application Centric Infrastructure (ACI) fabric.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- L2 multicast support in ACI - always supported
- Internet Group Management Protocol (IGMP) snooping in ACI - enabled by default
Components Used
The information in this document is based on these software and hardware versions:
- N9K-C93180YC-FX
- Release 4.2(7q)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
L2 multicast refers to IP multicast packets forwarded on a L2 network segment (bridge domain(BD)/subnet), not L2 non-IP multicast packets which are multicast packets with a destination multicast MAC address without an IP header. L2 multicast also excludes link local multicast (224.0.0.0/24). Link local multicast is always forwarded to all ports in the BD.
L2 multicast in ACI is only forwarded within the BD. If you have multiple EPGs that use the same BD, multicast traffic flood in all EPGs regardless of contracts in place between EPGs.
Cisco ACI forwards multicast frames on the overlay multicast tree that is built between leaf and spine switches. L2 traffic uses Forwarding Tag (FTAG) trees to provide efficient load balancing across multiple, redundant, same cost links. For more information on the details of FTAG tree, see the ACI Fundamentals document.
Configure
Network Topology
Configurations
This is a summary of the configuration steps. There is not much configuration for L2 multicast except to enable an IGMP querier.
- Step 1: Configure the Fabric Access Policies for the Multicast Server and Client Host Connectivity
- Step 2: Create the EPG, BD, and VRF for the Multicast Receiver and Source
- Step 3: Attach a Physical Domain to the EPG and Configure the Static Port
- Step 4: Configure the IGMP Querier
This section describes the detailed configuration steps.
Step 1: Configure the Fabric Access Policies for the Multicast Server and Client Host Connectivity
The images show the high-level approach to the configuration. Additional details about access policies is available in the ACI Initial Deployment document.
You can skip this step if the access policies are already in place.
- This image shows the multicast server port fabric polices.
- This image shows the multicast receiver port (client) fabric polices.
Step 2: Create the EPG, BD, and VRF for the Multicast Receiver and Source
- The EPG, BD and VRF are created with default parameters.
By default, a BD uses the default IGMP snoop policy that is predefined in the 'Common' Tenant.
The IGMP querier is not enabled by default under the BD subnet, which is the case for a legacy NXOS or Cisco IOS® based deployment as well.
- In order to check the default IGMP snoop policy, choose the 'Common' tenant > Polices > Protocol > IGMP Snoop > default to see that the default IGMP policy does not have the Enable querier box checked.
- This image shows the summary of the EPG, BD, and VRF configuration (logical view).
Step 3: Attach a Physical Domain to the EPG and Configure the Static Port
- This image shows a physical domain attached to an EPG.
- This image shows a configured static port under an EPG.
- This image shows that the multicast server (source) endpoint and multicast client (receiver) end points are both learned (connected) under same EPG.
Step 4: Configure IGMP Querier
The IGMP querier must be enabled two places, under the respective IGMP snoop policy and under the BD subnet.
Note: Since the IGMP snooping policy with Enable querier enabled requires a source IP address to send the IGMP query, it is required to configure enable the IGMP Querier IP under the BD subnet. Otherwise, the leaf switch will not send the IGMP query to the multicast receiver.
It is always recommended to configure a new IGMP snooping policy with IGMP querier enabled instead of using a default IGMP snooping policy. Note that the default IGMP snooping policy does not have an IGMP querier enabled by default and it is default attached with every BD. A change to any configuration under the default IGMP snooping policy affects each BD attached with the default IGMP snoop policy, so it is not recommended to change the the default IGMP snooping policy parameters in ACI.
- In order to create a new IGMP snooping policy, choose the TN_D tenant > Policies > Protocols, then right-click on IGMP Snoop and click Create IGMP Snoop Policy.
- For the new IGMP snooping policy ('TN_D_IGMP_snooping_POL'), check the Enable querier check box, then click Submit.
Note: The Enable querier setting is only required if the BD subnet is configured with Querier IP. If the IGMP querier is outside of the ACI, this configuration is not required.
- In order to attach the new IGMP policy to the BD, choose TN_D > Networking > Bridge Domain > 'L2_Mcast_BD' and choose the new IGMP snoop policy from the IGMP Snoop Policy drop-down list. Click Submit in order to apply the changes.
- In order to enable the IGMP querier for the BD subnet, choose the subnet and check the Querier IP check box.
lf101# show ip igmp snooping querier Vlan IP Address Version Expires Port 21 10.100.0.254 v3 00:01:06 Switch querier
lf102# show ip igmp snooping querier Vlan IP Address Version Expires Port 19 10.100.0.254 v3 00:01:46 Switch querier
Verify
Use this section to confirm that your configuration works properly.
This MO query command shows that the IGMP querrier policy has the querrier enabled.
apic1# moquery -d uni/tn-TN_D/snPol-TN_D_IGMP_snooping_POL Total Objects shown: 1 # igmp.SnoopPol name : TN_D_IGMP_snooping_POL adminSt : enabled annotation : childAction : ctrl : querier descr : dn : uni/tn-TN_D/snPol-TN_D_IGMP_snooping_POL extMngdBy : lastMbrIntvl : 1 lcOwn : local modTs : 2022-01-26T19:32:18.660+00:00 nameAlias : ownerKey : ownerTag : queryIntvl : 125 rn : snPol-TN_D_IGMP_snooping_POL rspIntvl : 10 startQueryCnt : 2 startQueryIntvl : 31 status : uid : 15374
This MO query command shows that the IGMP querrier is also enabled on the BD subnet.
apic1# moquery -c fvSubnet -f 'fv.Subnet.ip=="10.100.0.254/24"' Total Objects shown: 1 # fv.Subnet ip : 10.100.0.254/24 annotation : childAction : ctrl : querier <<<IGMP querier enabled. descr : dn : uni/tn-TN_D/BD-L2_Mcast_BD/subnet-[10.100.0.254/24] extMngdBy : lcOwn : local modTs : 2021-12-28T19:28:54.860+00:00 monPolDn : uni/tn-common/monepg-default name : nameAlias : preferred : no rn : subnet-[10.100.0.254/24] scope : private status : uid : 15374 virtual : no
This MO query command shows the verification for the BD configuration.
apic1# moquery -c fvBD -f "fv.BD.name==\"L2_Mcast_BD\"" Total Objects shown: 1 # fv.BD name : L2_Mcast_BD OptimizeWanBandwidth : no annotation : arpFlood : yes bcastP : 225.1.156.240 childAction : configIssues : descr : dn : uni/tn-TN_D/BD-L2_Mcast_BD epClear : no epMoveDetectMode : extMngdBy : hostBasedRouting : no intersiteBumTrafficAllow : no intersiteL2Stretch : no ipLearning : yes ipv6McastAllow : no lcOwn : local limitIpLearnToSubnets : yes llAddr : :: mac : 00:22:BD:F8:19:FF mcastAllow : no modTs : 2021-12-25T23:47:57.717+00:00 monPolDn : uni/tn-common/monepg-default mtu : inherit multiDstPktAct : bd-flood nameAlias : ownerKey : ownerTag : pcTag : 49154 rn : BD-L2_Mcast_BD scope : 2490368 seg : 16351140 status : type : regular uid : 15374 unicastRoute : yes unkMacUcastAct : proxy unkMcastAct : flood v6unkMcastAct : flood vmac : not-applicable
This output shows the verification that leaf-101 is connected to the multicast source 10.100.0.10.
lf101# show endpoint ip 10.100.0.10 detail
Legend:
s - arp H - vtep V - vpc-attached p - peer-aged
R - peer-attached-rl B - bounce S - static M - span
D - bounce-to-proxy O - peer-attached a - local-aged m - svc-mgr
L - local E - shared-service
+-----------------------------------+---------------+-----------------+--------------+-------------+------------------------------+
VLAN/ Encap MAC Address MAC Info/ Interface Endpoint Group
Domain VLAN IP Address IP Info Info
+-----------------------------------+---------------+-----------------+--------------+-------------+------------------------------+
20 vlan-1900 0011.0100.0001 L eth1/47 TN_D:Multicast_Servers:L2_Mcast_EPG
TN_D:VRF_A vlan-1900 10.100.0.10 L eth1/47
This output shows the verification that leaf-102 is connected to the multicast receiver 10.100.0.20.
lf102# show endpoint ip 10.100.0.20 detail
Legend:
s - arp H - vtep V - vpc-attached p - peer-aged
R - peer-attached-rl B - bounce S - static M - span
D - bounce-to-proxy O - peer-attached a - local-aged m - svc-mgr
L - local E - shared-service
+-----------------------------------+---------------+-----------------+--------------+-------------+------------------------------+
VLAN/ Encap MAC Address MAC Info/ Interface Endpoint Group
Domain VLAN IP Address IP Info Info
+-----------------------------------+---------------+-----------------+--------------+-------------+------------------------------+
17 vlan-1900 0011.0200.0001 L eth1/47 TN_D:Multicast_Servers:L2_Mcast_EPG
TN_D:VRF_A vlan-1900 10.100.0.20 L eth1/47
Explanation of the L2 Multicast Packet Flow
- Leaf-101 receives the multicast packet from the multicast source.
- This image shows the EPG pcTag:
- You can use Embedded Logic Analyzer Module (ELAM), an inbuilt capture tool, to capture the incoming packet. This output shows the leaf-101 ELAM capture and output. The ELAM syntax is dependent on the type of hardware. In this lab, the ELAM output is from an FX switch. Another approach is to use the ELAM Assistant app.
lf101# vsh_lc
module-1# debug platform internal roc elam asic 0
module-1(DBG-elam)# trigger reset
module-1(DBG-elam)# trigger init in-select 6 out-select 0
module-1(DBG-elam-insel6)# set outer ipv4 src_ip 10.100.0.10 dst_ip 239.100.0.10
module-1(DBG-elam-insel6)# start
module-1(DBG-elam-insel6)# status
ELAM STATUS
===========
Asic 0 Slice 0 Status Triggered
module-1(DBG-elam-insel6)#
module-1(DBG-elam-insel6)# ereport
Python available. Continue ELAM decode with LC Pkg
ELAM REPORT
<snip..>
======================================================================================================================================================
Captured Packet
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer Packet Attributes
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer Packet Attributes : l2mc ipv4 ip ipmc ipv4mc udp
Opcode : OPCODE_L3MC
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer L2 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
Destination MAC : 0100.5E64.000A <<<Multicast Group mac address. It always start with 0100.5E(24bits) (last 24Bits are HEX value of last 3 octets of Multicast Group IP which is 239.100.0.10)
Source MAC : 0011.0100.0001 <<<Multicast source mac address.
802.1Q tag is valid : no( 0x0 )
CoS : 0( 0x0 )
Access Encap VLAN : 0( 0x0 )
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
L3 Type : IPv4
IP Version : 4
DSCP : 0
IP Packet Length : 1362 ( = IP header(28 bytes) + IP payload )
Don't Fragment Bit : not set
TTL : 64
IP Protocol Number : UDP
IP CheckSum : 31679( 0x7BBF )
Destination IP : 239.100.0.10 <<<Multicast Group address as destination.
Source IP : 10.100.0.10 <<<Multicast source IPv4 address.
<snip...>
------------------------------------------------------------------------------------------------------------------------------------------------------
Sideband SB Multicast Information
------------------------------------------------------------------------------------------------------------------------------------------------------
BD : 11266( 0x2C02 )
Source is l3 interface : no
FTAG : 4( 0x4 ) <<< FTAG value 4 assigned by lf101
<snip..>
- Once leaf-101 receives this traffic, it is encapsulated to a BD Group IP Outer (GIPO) address and FTAG value, and sent to Spine for Spine Lookup. This image shows the BD GIPO address 225.1.156.240.
The FTAG ids are assigned based on the payload hash algorithm (0 to 12). The FTAG value is unpredictable and not the same value even if the leaf node and destination BD GiPO are the same.
The binary of 225.1.156.140 = 11100001.00000001.10011100.11110000
The last 4 bits of the last octal value of the destination GIPO is '0000' so the last 4 bits (between 0 to 12) gets added to the FTAG value.
This output shows the GIPO routes and out interface (OIF) list.
lf101# show isis internal mcast routes gipo
IS-IS process: isis_infra
VRF : default
GIPo Routes
====================================
System GIPo - Configured: 0.0.0.0
Operational: 239.255.255.240
====================================
GIPo: 225.0.0.0 [LOCAL]
OIF List:
Ethernet1/49.14
GIPo: 225.0.73.208 [TRANSIT]
OIF List:
GIPo: 225.1.110.160 [LOCAL]
OIF List:
Ethernet1/49.14
GIPo: 225.1.149.64 [LOCAL]
OIF List:
Ethernet1/49.14
GIPo: 225.1.156.240 [LOCAL]
OIF List:
Ethernet1/49.14
GIPo: 225.1.179.176 [TRANSIT]
OIF List:
GIPo: 225.1.192.0 [TRANSIT]
OIF List:
GIPo: 239.255.255.224 [LOCAL]
OIF List:
Ethernet1/49.14
GIPo: 239.255.255.240 [LOCAL]
OIF List:
Ethernet1/49.14
This output shows the FTAG value and OIF list.
lf101# show isis internal mcast routes ftag
IS-IS process: isis_infra
VRF : default
FTAG Routes
====================================
System ftag order: NEW
Phantom Spine Capable: NO
FTAG ID: 0 [Enabled] Cost:( 1/ 13/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 1 [Enabled] Cost:( 1/ 1/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 2 [Enabled] Cost:( 1/ 2/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 3 [Enabled] Cost:( 1/ 3/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 4 [Enabled] Cost:( 1/ 4/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 5 [Enabled] Cost:( 1/ 5/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 6 [Enabled] Cost:( 1/ 6/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 7 [Enabled] Cost:( 1/ 7/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 8 [Enabled] Cost:( 1/ 8/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 9 [Enabled] Cost:( 1/ 9/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 10 [Enabled] Cost:( 1/ 10/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 11 [Enabled] Cost:( 1/ 11/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 12 [Enabled] Cost:( 1/ 12/ 0)
----------------------------------
Root port: Ethernet1/49.14
OIF List:
FTAG ID: 13 [Disabled]
FTAG ID: 14 [Disabled]
FTAG ID: 15 [Disabled]
- This image shows the Spine-201 ELAM capture and output.
- In this case, this output shows the FTAG value 4 added to last 4 bits of BD GIPO in the received packet from leaf-101.
Spine201# vsh_lc <<< (OR "ssh root@lcX" if spine is modular). (Please engage TAC for spine ELAM)
module-1# debug platform internal roc elam asic 0
module-1(DBG-elam)# trigger reset
module-1(DBG-elam)# trigger init in-select 14 out-select 0
module-1(DBG-elam-insel6)# set inner ipv4 src_ip 10.100.0.10 dst_ip 239.100.0.10
module-1(DBG-elam-insel6)# start
module-1(DBG-elam-insel6)# status
module-1(DBG-elam-insel6)# ereport
------------------------------------------------------------------------------------------------------------------------------------------------------ Inner L2 Header ------------------------------------------------------------------------------------------------------------------------------------------------------ Inner Destination MAC : 0100.5E64.000A Source MAC : 0011.0100.0001 802.1Q tag is valid : no CoS : 0 Access Encap VLAN : 0 ------------------------------------------------------------------------------------------------------------------------------------------------------ Outer L3 Header ------------------------------------------------------------------------------------------------------------------------------------------------------ L3 Type : IPv4 DSCP : 0 Don't Fragment Bit : 0x0 TTL : 32 IP Protocol Number : UDP Destination IP : 225.1.156.244 <<<< BD GIPO + FTAG 4 (binary 11100001.00000001.10011100.11110100) Source IP : 10.1.160.64 <<<< Leaf 101 infra TEP address ------------------------------------------------------------------------------------------------------------------------------------------------------ Inner L3 Header ------------------------------------------------------------------------------------------------------------------------------------------------------ L3 Type : IPv4 DSCP : 0 Don't Fragment Bit : 0x0 TTL : 64 IP Protocol Number : UDP Destination IP : 239.100.0.10 Source IP : 10.100.0.10 <snip...>
------------------------------------------------------------------------------------------------------------------------------------------------------ Sideband SB Multicast Information ------------------------------------------------------------------------------------------------------------------------------------------------------ BD : 3( 0x3 ) Source is l3 interface : no FTAG : 4( 0x4 ) <snip...>
- Spine-201 then looks at its own GIPO route and FTAG value to find the OIF list to foward the packet.
- Use this command to find the OIF list for the BD GIPO.
sp201# show isis internal mcast routes gipo
IS-IS process: isis_infra
VRF : default
GIPo Routes
====================================
System GIPo - Configured: 0.0.0.0
Operational: 239.255.255.240
====================================
GIPo: 225.0.0.0 [TRANSIT]
OIF List:
Ethernet1/2.35
Ethernet1/1.36
GIPo: 225.0.0.16 [TRANSIT]
OIF List:
<snip..>
GIPo: 225.1.156.240 [TRANSIT]
OIF List:
Ethernet1/2.35
Ethernet1/1.36
<snip...>
sp201# show isis internal mcast routes ftag
IS-IS process: isis_infra
VRF : default
FTAG Routes
====================================
System ftag order: NEW
System ftag preference: 2
Max Fabric System ftag preference: 2
Phantom Spine Capable: NO
FTAG ID: 0 [Root] [Enabled] Cost:( 0/ 0/ 0)
----------------------------------
Root port: -
OIF List:
Ethernet1/2.35
Ethernet1/1.36
FTAG ID: 1 [Root] [Enabled] Cost:( 0/ 0/ 0)
----------------------------------
Root port: -
OIF List:
Ethernet1/2.35
Ethernet1/1.36
FTAG ID: 2 [Root] [Enabled] Cost:( 0/ 0/ 0)
----------------------------------
Root port: -
OIF List:
Ethernet1/2.35
Ethernet1/1.36
FTAG ID: 3 [Root] [Enabled] Cost:( 0/ 0/ 0)
----------------------------------
Root port: -
OIF List:
Ethernet1/2.35
Ethernet1/1.36
FTAG ID: 4 [Root] [Enabled] Cost:( 0/ 0/ 0)
----------------------------------
Root port: -
OIF List:
Ethernet1/2.35 <<<Spine only foward packet to (N-1) from OIF List of interfaces (it do not forward packet toward link/leaf from which it has received a packet)
Ethernet1/1.36
<snip...>
sp201# show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
lf101 Eth1/1 120 BR Eth1/49 <<< Spine received packet from Leaf 101
lf102 Eth1/2 120 BR Eth1/49 <<< forward packet to Leaf 102 (and not back to Leaf 101)
Total entries displayed: 2
- The Leaf-102 receives the packets and looks for the snoop table entry, then fowards the packet to the multicast receiver.
- This command shows the ELAM capture command output to verify that the multicast packet is received from spine.
lf102# vsh_lc module-1# debug platform internal roc elam asic 0 module-1(DBG-elam)# trigger reset module-1(DBG-elam)# trigger init in-select 14 out-select 0 module-1(DBG-elam-insel14)# set inner ipv4 src_ip 10.100.0.10 dst_ip 239.100.0.10 module-1(DBG-elam-insel14)# start module-1(DBG-elam-insel14)# status ELAM STATUS =========== Asic 0 Slice 0 Status Triggered module-1(DBG-elam-insel14)# ereport ------------------------------------------------------------------------------------------------------------------------------------------------------ Outer L3 Header ------------------------------------------------------------------------------------------------------------------------------------------------------ L3 Type : IPv4 DSCP : 0 Don't Fragment Bit : 0x0 TTL : 31 IP Protocol Number : UDP Destination IP : 225.1.156.244 Source IP : 10.1.160.64 ------------------------------------------------------------------------------------------------------------------------------------------------------ Inner L3 Header ------------------------------------------------------------------------------------------------------------------------------------------------------ L3 Type : IPv4 DSCP : 0 Don't Fragment Bit : 0x0 TTL : 64 IP Protocol Number : UDP Destination IP : 239.100.0.10 Source IP : 10.100.0.10 ------------------------------------------------------------------------------------------------------------------------------------------------------
- Leaf-102 looks at the IGMP snoop entry to foward the packet toward the multicast receiver.
lf102# show ip igmp snooping group Type: S - Static, D - Dynamic, R - Router port, F - Fabricpath core port Vlan Group Address Ver Type Port list 16 239.100.0.10 v2 D Eth1/47
IGMP Querier Requirement
The IGMP querier requirements include:
- The IGMP snooping mandates an IGMP querier for proper operation, in order to avoid the silent discard of the group.
- A Protocol Independent Multicast (PIM) router can act as querier to send the IGMP query anyway.
- In the case of pure L2 multicast with no PIM router in the BD at all, we can enable an IGMP querier function to send the query without running PIM.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Use these commands to troubleshoot L2 IGMP issues:
show endpoints IP <mcast src/dst IP> detailshow ip igmp snoop groups vlan xshow ip igmp snoop groups vlan x detailshow ip igmp snooping mroutermoquery -c fmcast.Grp
Related Information
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
28-Feb-2022 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)