Configuring IGMP Snooping

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on a Cisco NX-OS device.

About IGMP Snooping


Note

We recommend that you do not disable IGMP snooping on the device. If you disable IGMP snooping, you might see reduced multicast performance because of excessive false flooding within the device.

IGMP snooping software examines Layer 2 IP multicast traffic within a VLAN to discover the ports where interested receivers reside. Using the port information, IGMP snooping can reduce bandwidth consumption in a multi-access LAN environment to avoid flooding the entire VLAN. IGMP snooping tracks which ports are attached to multicast-capable routers to help the routers forward IGMP membership reports. The IGMP snooping software responds to topology change notifications. By default, IGMP snooping is enabled on the device.

This figure shows an IGMP snooping switch that sits between the host and the IGMP router. The IGMP snooping switch snoops the IGMP membership reports and Leave messages and forwards them only when necessary to the connected IGMP routers.

Figure 1. IGMP Snooping Switch

The IGMP snooping software operates upon IGMPv1, IGMPv2, and IGMPv3 control plane packets where Layer 3 control plane packets are intercepted and influence the Layer 2 forwarding behavior.

The Cisco NX-OS IGMP snooping software has the following proprietary features:

  • Source filtering that allows forwarding of multicast packets based on destination and source IP addresses

  • Multicast forwarding based on IP addresses rather than the MAC address

  • Multicast forwarding alternately based on the MAC address

For more information about IGMP snooping, see RFC 4541.

IGMPv1 and IGMPv2

Both IGMPv1 and IGMPv2 support membership report suppression, which means that if two hosts on the same subnet want to receive multicast data for the same group, the host that receives a member report from the other host suppresses sending its report. Membership report suppression occurs for hosts that share a port.

If no more than one host is attached to each VLAN switch port, you can configure the fast leave feature in IGMPv2. The fast leave feature does not send last member query messages to hosts. As soon as the software receives an IGMP leave message, the software stops forwarding multicast data to that port.

IGMPv1 does not provide an explicit IGMP leave message, so the software must rely on the membership message timeout to indicate that no hosts remain that want to receive multicast data for a particular group.


Note

The software ignores the configuration of the last member query interval when you enable the fast leave feature because it does not check for remaining hosts.

IGMPv3

The IGMPv3 snooping implementation on Cisco NX-OS supports full IGMPv3 snooping, which provides constrained flooding based on the (S, G) information in the IGMPv3 reports. This source-based filtering enables the device to constrain multicast traffic to a set of ports based on the source that sends traffic to the multicast group.

By default, the software tracks hosts on each VLAN port. The explicit tracking feature provides a fast leave mechanism. Because every IGMPv3 host sends membership reports, report suppression limits the amount of traffic that the device sends to other multicast-capable routers. When report suppression is enabled, and no IGMPv1 or IGMPv2 hosts requested the same group, the software provides proxy reporting. The proxy feature builds the group state from membership reports from the downstream hosts and generates membership reports in response to queries from upstream queriers.

Even though the IGMPv3 membership reports provide a full accounting of group members on a LAN segment, when the last host leaves, the software sends a membership query. You can configure the parameter last member query interval. If no host responds before the timeout, the software removes the group state.

IGMP Snooping Querier

When PIM is not enabled on an interface because the multicast traffic does not need to be routed, you must configure an IGMP snooping querier to send membership queries. You define the querier in a VLAN that contains multicast sources and receivers but no other active querier.

The querier can be configured to use any IP address in the VLAN.

As a best practice, a unique IP address, one that is not already used by the switch interface or the Hot Standby Router Protocol (HSRP) virtual IP address, should be configured so as to easily reference the querier.


Note

The IP address for the querier should not be a broadcast IP address, multicast IP address, or 0 (0.0.0.0).

When an IGMP snooping querier is enabled, it sends out periodic IGMP queries that trigger IGMP report messages from hosts that want to receive IP multicast traffic. IGMP snooping listens to these IGMP reports to establish appropriate forwarding.

The IGMP snooping querier performs querier election as described in RFC 2236. Querier election occurs in the following configurations:

  • When there are multiple switch queriers configured with the same subnet on the same VLAN on different switches.

  • When the configured switch querier is in the same subnet as with other Layer 3 SVI queriers.

Virtualization Support

You can define multiple virtual routing and forwarding (VRF) instances for IGMP snooping.

You can use the show commands with a VRF argument to provide a context for the information displayed. The default VRF is used if no VRF argument is supplied.

For information about configuring VRFs, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.

Prerequisites for IGMP Snooping

IGMP snooping has the following prerequisites:

  • You are logged onto the device.

  • For global commands, you are in the correct virtual routing and forwarding (VRF) mode. The default configuration mode shown in the examples in this chapter applies to the default VRF.

Guidelines and Limitations for IGMP Snooping

IGMP snooping has the following guidelines and limitations:

  • Cisco Nexus 9000 Series switches support IGMP snooping for IPv4 but do not support MLD snooping for IPv6.

  • IGMP snooping is not supported with PVLAN.

  • Layer 3 IPv6 multicast routing is not supported.

  • Layer 2 IPv6 multicast packets will be flooded on the incoming VLAN.

  • Cisco Nexus 9508 and 9504 platform switches with N9K-X9636C-R, N9K-X9636Q-R, and N9K-X9636C-RX line cards support IGMP snooping with vPCs.

  • IGMP snooping configuration must be identical on both vPC peers in a vPC pair. Either enable or disable IGMP snooping on both vPC peers.


    Note
    Enabling or disabling IGMP snooping on both vPC peers also enables the forwarding of IGMP queries from different MVR source VLANs into the same MVR receiver VLAN. The resulting IGMP queries may send out queries with different versions and query interval. If you prefer to maintain the behavior prior to Cisco NX-OS Release 7.0(3)I3(1) use the mvr-suppress-query vlan <id> command.

  • In releases prior to Cisco NX-OS Release 7.0(3)I3(1) if you are configuring vPC peers, the differences in the IGMP snooping configuration options between the two devices have the following results:

    • If IGMP snooping is enabled on one device but not on the other, the device on which snooping is disabled floods all multicast traffic.

    • A difference in multicast router or static group configuration can cause traffic loss.

    • The fast leave, explicit tracking, and report suppression options can differ if they are used for forwarding traffic.

    • If a query parameter is different between the devices, one device expires the multicast state faster while the other device continues to forward. This difference results in either traffic loss or forwarding for an extended period.

    • If an IGMP snooping querier is configured on both devices, only one of them will be active because an IGMP snooping querier shuts down if a query is seen in the traffic.

  • You must enable the ip igmp snooping group-timeout command when you use the ip igmp snooping proxy general-queries command. We recommend that you set it to "never". Otherwise, you might experience multicast packet loss.

  • The command "ip igmp snooping proxy general-queries" generates G reports and not (S,G) information report.

  • All external multicast router ports (either statically configured or dynamically learned) use the global ltl index. As a result, traffic in VLAN X goes out on the multicast router ports in both VLAN X and VLAN Y, in case both multicast router ports (Layer 2 trunks) carry both VLAN X and VLAN Y.

  • When you modify the route-map to deny the multicast group, which is statically bound to the interface; the subsequent IGMP reports are rejected by the local groups and the groups start ageing. The IGMP leave message for the groups is allowed without any impact. This is a known and expected behaviour.

Default Settings

Parameters

Default

IGMP snooping

Enabled

Explicit tracking

Enabled

Fast leave

Disabled

Last member query interval

1 second

Snooping querier

Disabled

Report suppression

Enabled

Link-local groups suppression

Enabled

Optimise-multicast-flood

Disabled

IGMPv3 report suppression for the entire device

Disabled

IGMPv3 report suppression per VLAN

Enabled

Configuring IGMP Snooping Parameters


Note
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Note
You must enable IGMP snooping globally before any other commands take effect.

Configuring Global IGMP Snooping Parameters

To affect the operation of the IGMP snooping process globally, you can configure various optional IGMP snooping parameters.

Notes for IGMP Snooping Parameters

  • IGMP Snooping Proxy parameter

    To decrease the burden placed on the snooping switch during each IGMP general query (GQ) interval, the Cisco NX-OS software provides a way to decouple the periodic general query behavior of the IGMP snooping switch from the query interval configured on the multicast routers.

    You can configure the device to consume IGMP general queries from the multicast router, rather than flooding the general queries to all the switchports. When the device receives a general query, it produces proxy reports for all currently active groups and distributes the proxy reports over the period specified by the MRT that is specified in the router query. At the same time, independent of the periodic general query activity of the multicast router, the device sends an IGMP general query on each port in the VLAN in a round-robin fashion. It cycles through all the interfaces in the VLAN at the rate given by the following formula.

    Rate = {number of interfaces in VLAN} * {configured MRT} * {number of VLANs}

    When queries are run in this mode, the default MRT value is 5,000 milliseconds (5 seconds). For a device that has 500 switchports in a VLAN, it would take 2,500 seconds (40 minutes) to cycle through all the interfaces in the system. This is also true when the device itself is the querier.

    This behavior ensures that only one host responds to a general query at a given time, and it keeps the simultaneous reporting rate below the packet-per-second IGMP capability of the device (approximately 3,000 to 4,000 pps).


    Note

    When you use this option, you must change the ip igmp snooping group-timeout parameter to a high value or to never time out.

    The ip igmp snooping proxy general-queries [mrt] command causes the snooping function to proxy reply to general queries from the multicast router while also sending round-robin general queries on each switchport with the specified MRT value. (The default MRT value is 5 seconds.)

  • IGMP Snooping Group-timeout parameter

    Configuring the group-timeout parameter disables the behavior of an expiring membership based on three missed general queries. Group membership remains on a given switchport until the device receives an explicit IGMP leave on that port.

    The ip igmp snooping group-timeout {timeout | never} command modifies or disables the behavior of an expiring IGMP snooping group membership after three missed general queries.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

Use the following commands to configure global IGMP snooping parameters.

Option Description
ip igmp snooping 


switch(config)# ip igmp snooping

Enables IGMP snooping for the device. The default is enabled.

Note

 

If the global setting is disabled with the no form of this command, IGMP snooping on all VLANs is disabled, whether IGMP snooping is enabled on a VLAN or not. If you disable IGMP snooping, Layer 2 multicast frames flood to all modules.

ip igmp snooping event-history 


switch(config)# ip igmp snooping event-history

Configures the size of the event history buffer. The default is small.

ip igmp snooping group-timeout {minutes | never} 


switch(config)# ip igmp snooping group-timeout never

Configures the group membership timeout value for all VLANs on the device.

ip igmp snooping link-local-groups-suppression 


switch(config)# ip igmp snooping link-local-groups-suppression

Configures link-local groups suppression for the entire device. The default is enabled.

ip igmp snooping optimise-multicast-flood 


switch(config)# ip igmp snooping optimise-multicast-flood

Optimizes optimized multicast flooding (OMF) on all VLANs on the device. The default is disabled.
ip igmp snooping proxy general-inquiries [mrt seconds] 


switch(config)# ip igmp snooping proxy general-inquiries

Configures the IGMP snooping proxy for the device. The default is 5 seconds.

ip igmp snooping v3-report-suppression 


switch(config)# ip igmp snooping v3-report-suppression

Limits the membership report traffic sent to multicast-capable routers. When you disable report suppression, all IGMP reports are sent as-is to multicast-capable routers. The default is enabled.

ip igmp snooping report-suppression 


switch(config)# ip igmp snooping report-suppression

Configures IGMPv3 report suppression and proxy reporting. The default is disabled.

Step 3

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring IGMP Snooping Parameters per VLAN

To affect the operation of the IGMP snooping process per VLAN, you can configure various optional IGMP snooping parameters.


Note

You configure the IGMP snooping parameters that you want by using this configuration mode; however, the configurations apply only after you specifically create the specified VLAN. See the Cisco Nexus 9000 Series NX-OS Layer 2 Switching Configuration Guide for information on creating VLANs.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

ip igmp snooping

Example:

switch(config)# ip igmp snooping

Enables IGMP snooping. The default is enabled.

Note

 

If the global setting is disabled with the no form of this command, IGMP snooping on all VLANs is disabled, whether IGMP snooping is enabled on a VLAN or not. If you disable IGMP snooping, Layer 2 multicast frames flood to all modules.

Step 3

vlan configuration vlan-id

Example:

switch(config)# vlan configuration 2
switch(config-vlan-config)#

Configures the IGMP snooping parameters you want for the VLAN. These configurations do not apply until you create the specified VLAN.

Step 4

Use the following commands to configure IGMP snooping parameters per VLAN.

Option Description
ip igmp snooping 


switch(config-vlan-config)# ip igmp snooping

Enables IGMP snooping for the current VLAN. The default is enabled.

ip igmp snooping access-group {prefix-list | route-map} policy-name interface interface slot/port 


switch(config-vlan-config)# ip igmp snooping access-group prefix-list plist interface ethernet 2/2

Configures a filter for IGMP snooping reports that is based on a prefix-list or route-map policy. The default is disabled.

Note

 

Cisco Nexus 9508 switches with the N9K-X9636C-R, N9K-X9636C-RX, and N9K-X9636Q-R line cards support this command beginning with Cisco NX-OS Release 7.0(3)F3(1).

ip igmp snooping explicit-tracking 


switch(config-vlan-config)# ip igmp snooping explicit-tracking

Tracks IGMPv3 membership reports from individual hosts for each port on a per-VLAN basis. The default is enabled on all VLANs.

ip igmp snooping fast-leave 


switch(config-vlan-config)# ip igmp snooping fast-leave

Supports IGMPv2 hosts that cannot be explicitly tracked because of the host report suppression mechanism of the IGMPv2 protocol. When you enable fast leave, the IGMP software assumes that no more than one host is present on each VLAN port. The default is disabled for all VLANs.

ip igmp snooping group-timeout {minutes | never} 


switch(config-vlan-config)# ip igmp snooping group-timeout never

Configures the group membership timeout for the specified VLANs.

ip igmp snooping last-member-query-interval seconds 


switch(config-vlan-config)# ip igmp snooping last-member-query-interval 3

Removes the group from the associated VLAN port if no hosts respond to an IGMP query message before the last member query interval expires. Values range from 1 to 25 seconds. The default is 1 second.

ip igmp snooping proxy general-queries [mrt seconds] 


switch(config-vlan-config)# ip igmp snooping proxy general-queries

Configures an IGMP snooping proxy for specified VLANs. The default is 5 seconds.

[no] ip igmp snooping proxy-leave use-group-address 


switch(config-vlan-config)# ip igmp snooping proxy-leave use-group-address

Changes the destination address of proxy leave messages to the address of the group that is leaving.

Normally, IGMP proxy leave messages generated by the IGMP snooping module use the 224.0.0.2 multicast router address when all hosts leave the group. You should implement this configuration if your multicast applications rely on receiving reports and leave messages to start or stop multicast traffic based on the destination address of the packet.

ip igmp snooping querier ip-address 


switch(config-vlan-config)# ip igmp snooping querier 172.20.52.106

Configures a snooping querier when you do not enable PIM because multicast traffic does not need to be routed. The IP address is used as the source in messages.

ip igmp snooping querier-timeout seconds 


switch(config-vlan-config)# ip igmp snooping querier-timeout 300

Configures a snooping querier timeout value for IGMPv2 when you do not enable PIM because multicast traffic does not need to be routed. The default is 255 seconds.

ip igmp snooping query-interval seconds 


switch(config-vlan-config)# ip igmp snooping query-interval 120

Configures a snooping query interval when you do not enable PIM because multicast traffic does not need to be routed. The default value is 125 seconds.

ip igmp snooping query-max-response-time seconds 


switch(config-vlan-config)# ip igmp snooping query-max-response-time 12

Configures a snooping MRT for query messages when you do not enable PIM because multicast traffic does not need to be routed. The default value is 10 seconds.

[no] ip igmp snooping report-flood {all | interface ethernet slot/port} 


switch(config-vlan-config)# ip igmp snooping report-flood interface ethernet 1/2
ip igmp snooping report-flood interface ethernet 1/3

Floods IGMP reports on all active interfaces of the VLAN or only on specific interfaces.

IGMP reports typically are forwarded to multicast router ports as detected by the IGMP snooping module and are not flooded in the VLAN. However, this command forces the switch to send IGMP reports to custom ports belonging to the VLAN in addition to the multicast router ports. You should implement this configuration if your multicast applications require the ability to view IGMP reports in order to transmit traffic.

ip igmp snooping report-policy {prefix-list | route-map} policy-name interface interface slot/port 


switch(config-vlan-config)# ip igmp snooping report-policy route-map rmap interface ethernet 2/4

Configures a filter for IGMP snooping reports that is based on a prefix-list or route-map policy. The default is disabled.
ip igmp snooping startup-query-count value 


switch(config-vlan-config)# ip igmp snooping startup-query-count 5

Configures snooping for a number of queries sent at startup when you do not enable PIM because multicast traffic does not need to be routed.

ip igmp snooping startup-query-interval seconds 


switch(config-vlan-config)# ip igmp snooping startup-query-interval 15000

Configures a snooping query interval at startup when you do not enable PIM because multicast traffic does not need to be routed.

ip igmp snooping robustness-variable value 


switch(config-vlan-config)# ip igmp snooping robustness-variable 5

Configures the robustness value for the specified VLANs. The default value is 2.

ip igmp snooping report-suppression 


switch(config-vlan-config)# ip igmp snooping report-suppression

Limits the membership report traffic sent to multicast-capable routers. When you disable report suppression, all IGMP reports are sent as-is to multicast-capable routers. The default is enabled.

ip igmp snooping mrouter interface interface 


switch(config-vlan-config)# ip igmp snooping mrouter interface ethernet 2/1

Configures a static connection to a multicast router. The interface to the router must be in the selected VLAN. You can specify the interface by the type and the number, such as ethernet slot/port .

ip igmp snooping static-group group-ip-addr [source source-ip-addr] interface interface 


switch(config-vlan-config)# ip igmp snooping static-group 230.0.0.1 interface ethernet 2/1

Configures the Layer 2 port of a VLAN as a static member of a multicast group. You can specify the interface by the type and the number, such as ethernet slot/port .

ip igmp snooping link-local-groups-suppression 


switch(config-vlan-config)# ip igmp snooping link-local-groups-suppression

Configures link-local groups suppression for the specified VLANs. The default is enabled.

ip igmp snooping v3-report-suppression 


switch(config-vlan-config)# ip igmp snooping v3-report-suppression

Configures IGMPv3 report suppression and proxy reporting for the specified VLANs. The default is enabled per VLAN.

ip igmp snooping version value 


switch(config-vlan-config)# ip igmp snooping version 2

Configures the IGMP version number for the specified VLANs.

Step 5

copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Verifying the IGMP Snooping Configuration

Command Description

show ip igmp snooping [vlan vlan-id]

Displays the IGMP snooping configuration by VLAN.

show ip igmp snooping groups [source [group] | group [source]] [vlan vlan-id] [detail]

Displays IGMP snooping information about groups by VLAN.

show ip igmp snooping querier [vlan vlan-id]

Displays IGMP snooping queriers by VLAN.

show ip igmp snooping mroute [vlan vlan-id]

Displays multicast router ports by VLAN.

show ip igmp snooping explicit-tracking [vlan vlan-id] [detail]

Displays IGMP snooping explicit tracking information by VLAN.

Note

 

For vPC VLANs, you must enter the detail keyword to display this command on both vPC peer switches, beginning with Cisco NX-OS Release 7.0(3)I7(1). If you do not enter the detail keyword, this command displays only on the vPC switch that received the native report.

Displaying IGMP Snooping Statistics

You can display the IGMP snooping statistics using these commands.

Command

Description

show ip igmp snooping statistics vlan

Displays IGMP snooping statistics. You can see the virtual port channel (vPC) statistics in this output.

show ip igmp snooping {report-policy | access-group} statistics [vlan vlan]

Displays detailed statistics per VLAN when IGMP snooping filters are configured.

Clearing IGMP Snooping Statistics

You can clear the IGMP snooping statistics using these commands.

Command

Description

clear ip igmp snooping statistics vlan

Clears the IGMP snooping statistics.

clear ip igmp snooping {report-policy | access-group} statistics [vlan vlan]

Clears the IGMP snooping filter statistics.

Configuration Examples for IGMP Snooping


Note
The configurations in this section apply only after you create the specified VLAN. See the Cisco Nexus 9000 Series NX-OS Layer 2 Switching Configuration Guide for information on creating VLANs.

The following example shows how to configure the IGMP snooping parameters: 


config t
  ip igmp snooping
  vlan configuration 2
    ip igmp snooping
    ip igmp snooping explicit-tracking
    ip igmp snooping fast-leave
    ip igmp snooping last-member-query-interval 3
    ip igmp snooping querier 172.20.52.106
    ip igmp snooping report-suppression
    ip igmp snooping mrouter interface ethernet 2/1
    ip igmp snooping static-group 230.0.0.1 interface ethernet 2/1
    ip igmp snooping link-local-groups-suppression
    ip igmp snooping v3-report-suppression

The following example shows how to configure prefix lists and use them to filter IGMP snooping reports: 


ip prefix-list plist seq 5 permit 224.1.1.1/32 
ip prefix-list plist seq 10 permit 224.1.1.2/32 
ip prefix-list plist seq 15 deny 224.1.1.3/32  
ip prefix-list plist seq 20 deny 225.0.0.0/8 eq 32

vlan configuration 2
  ip igmp snooping report-policy prefix-list plist interface Ethernet 2/2
  ip igmp snooping report-policy prefix-list plist interface Ethernet 2/3

In the above example, the prefix-list permits 224.1.1.1 and 224.1.1.2 but rejects 224.1.1.3 and all the groups in the 225.0.0.0/8 range. The prefix-list is an implicit "deny" if there is no match. If you wish to permit everything else, add ip prefix-list plist seq 30 permit 224.0.0.0/4 eq 32.

The following example shows how to configure route maps and use them to filter IGMP snooping reports: 


route-map rmap permit 10
  match ip multicast group 224.1.1.1/32 
route-map rmap permit 20
  match ip multicast group 224.1.1.2/32 
route-map rmap deny 30
  match ip multicast group 224.1.1.3/32
route-map rmap deny 40
  match ip multicast group 225.0.0.0/8

vlan configuration 2
  ip igmp snooping report-policy route-map rmap interface Ethernet 2/4
  ip igmp snooping report-policy route-map rmap interface Ethernet 2/5

In the above example, the route-map permits 224.1.1.1 and 224.1.1.2 but rejects 224.1.1.3 and all the groups in the 225.0.0.0/8 range. The route-map is an implicit "deny" if there is no match. If you wish to permit everything else, add route-map rmap permit 50 match ip multicast group 224.0.0.0/4.