Usage Guidelines

The default of 60 seconds applies only to low-speed, NBMA media. Low speed is considered to be a rate of T1 or slower, as specified with the bandwidth interface configuration command. Note that for the purposes of EIGRP for IPv6, Frame Relay and Switched Multimegabit Data Service (SMDS) networks may be considered to be NBMA. These networks are considered NBMA if the interface has not been configured to use physical multicasting; otherwise, they are considered not to be NBMA.

Usage Guidelines

On very congested and large networks, the default hold time might not be sufficient time for all routers and access servers to receive hello packets from their neighbors. In this case, you may want to increase the hold time.

Cisco recommends that the hold time be at least three times the hello interval. If a router does not receive a hello packet within the specified hold time, routes through this router are considered unavailable.

Increasing the hold time delays route convergence across the network.

The default of 180 seconds hold time and 60 seconds hello interval apply only to low-speed, NBMA media. Low speed is considered to be a rate of T1 or slower, as specified with the bandwidth command.

Usage Guidelines

The first character of the name variable can be either a letter or a number. If you use a number, the operations you can perform (such as ping ) are limited.

Usage Guidelines

Use the ipv6 icmp error-interval command to limit the rate at which IPv6 ICMP error messages are sent. A token bucket algorithm is used with one token representing one IPv6 ICMP error message. Tokens are placed in the virtual bucket at a specified interval until the maximum number of tokens allowed in the bucket is reached.

The milliseconds argument specifies the time interval between tokens arriving in the bucket. The optional bucketsize argument is used to define the maximum number of tokens allowed in the bucket. Tokens are removed from the bucket when IPv6 ICMP error messages are sent, which means that if the bucketsize is set to 20, a rapid succession of 20 IPv6 ICMP error messages can be sent. When the bucket is empty of tokens, IPv6 ICMP error messages are not sent until a new token is placed in the bucket.

Use the show ipv6 traffic command to display IPv6 ICMP rate-limited counters.

Usage Guidelines

Use this command to apply a set of inspection rules to an interface.

Typically, if the interface connects to the external network, you apply the inspection rules to outbound traffic; alternately, if the interface connects to the internal network, you apply the inspection rules to inbound traffic.

If you apply the rules to outbound traffic, then return inbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an outbound packet.

If you apply the rules to inbound traffic, then return outbound packets will be permitted if they belong to a valid connection with existing state information. This connection must be initiated with an inbound packet.

Usage Guidelines

Use this command to turn on CBAC audit trail messages.

Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number).

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Usage Guidelines

To define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to inspect, using the same inspection-name . Give each set of inspection rules a unique inspection-name , which should not exceed the 16-character limit. Define either one or two sets of rules per interface--you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for TCP, UDP, or Internet Control Message Protocol (ICMP) as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name. (There are no application-layer protocols associated with ICMP.)

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol. To remove the entire set of named inspection rules, use the no form of this command with the specified inspection name.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

TCP and UDP Inspection

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number from the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source or destination addresses and source or destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic access control lists (ACLs) are created for return ICMP packets of the allowed types (destination unreachable, echo-reply, time-exceeded, and packet too big) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wild-card address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

FTP Inspection

Cisco IOS Firewall uses layer 7 support for application modules such as FTP.

Cisco IOS IPv6 Firewall uses RFC 2428 to garner IPv6 addresses and corresponding ports. If an address other than an IPv6 address is present, the FTP data channel is not opened.

IPv6-specific port-to-application mapping (PAM) provides FTP inspection. PAM translates TCP or UDP port numbers into specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations not defined by well-known ports. PAM delivers with the standard well-known ports defined as defaults.

The table below describes the transport-layer and network-layer protocols.

Use of the timeout Keyword

If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface to which the set of inspection rules is applied.

If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.

If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced one second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.

Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially-decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Usage Guidelines

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For User Datagram Protocol, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are included in the total number and rate measurements. Measurements are made once a minute.

When the rate of new connection attempts rises above a threshold (the one-minute high number), the software will delete half-open sessions as required to accommodate new connection attempts. The software will continue to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (the one-minute low number). The rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period. (The rate is calculated as an exponentially decayed rate.)

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Usage Guidelines

An IPv6 source uses the routing header to list one or more intermediate nodes to be visited between the source and destination of the packet. The Cisco IOS firewall uses this header to retrieve the destination host address. Cisco IOS firewall will establish the appropriate inspection session based on the retrieved address from the routing header.

The originating node lists all intermediate nodes that the packet must traverse. The source and destination address pair in the IPv6 header identifies the hop between the originating node and the first intermediate node. Once the first intermediate node receives the packet, it looks for a routing header. If the routing header is present, the next intermediate node address is swapped with the destination address in the IPv6 header and the packet is forwarded to the next intermediate node. This sequence continues for each intermediate node listed in the routing until no more entries exist in the routing header. The last entry in the routing header is the final destination address.

Usage Guidelines

When the software detects a valid TCP packet that is the first in a session, and if Context-Based Access Control (CBAC) inspection is configured for the protocol of the packet, the software establishes state information for the new session.

Use this command to define how long a TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close. In a TCP connection, the client and the server terminate their end of the connection by sending a FIN message. The time that the client and the server wait for their FIN message to be acknowledged by each other before closing the sequence during a TCP connection is called the finwait time. The timeout that you set for the finwait time is referred to as the finwait timeout.

The global value specified for the finwait timeout applies to all TCP sessions inspected by CBAC.

Usage Guidelines

When the software detects a valid TCP packet that is the first in a session, and if Context-based Access Control (CBAC) inspection is configured for the packet’s protocol, the software establishes state information for the new session.

If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all TCP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ipv6 inspect name (global configuration) command.

Note

This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the TCP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.

Usage Guidelines

An unusually high number of half-open sessions with the same destination host address could indicate that a denial-of-service attack is being launched against the host. For TCP, "half-open" means that the session has not reached the established state.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (the max-incomplete host number), the software will delete half-open sessions according to one of the following methods:

• If the block-time minutes timeout is 0 (the default):

The software will delete the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

• If the block-time minutes timeout is greater than 0:

The software will delete all existing half-open sessions for the host, and then block all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

The software also sends syslog messages whenever the max-incomplete host number is exceeded and when blocking of connection initiations to a host starts or ends.

The global values specified for the threshold and blocking time apply to all TCP connections inspected by Context-based Access Control (CBAC).

Usage Guidelines

Use this command to define how long Cisco IOS software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session’s first SYN bit is detected.

The global value specified for this timeout applies to all TCP sessions inspected by Context-based Access Control (CBAC).

Usage Guidelines

When the software detects a valid UDP packet, if Context-based Access Control (CBAC) inspection is configured for the packet’s protocol, the software establishes state information for a new UDP "session." Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.

If the software detects no UDP packets for the UDP session for the a period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

The global value specified for this timeout applies to all UDP sessions inspected by CBAC. This global value can be overridden for specific interfaces when you define a set of inspection rules with the ipv6 inspect name command.

Note

This command does not affect any of the currently defined inspection rules that have explicitly defined timeouts. Sessions created based on these rules still inherit the explicitly defined timeout value. If you change the UDP idle timeout with this command, the new timeout will apply to any new inspection rules you define or to any existing inspection rules that do not have an explicitly defined timeout. That is, new sessions based on these rules (having no explicitly defined timeout) will inherit the global timeout value.

Usage Guidelines

Packets originating from a router are not normally policy routed. However, you can use the ipv6 local policy route-map command to policy route such packets. You might enable local PBR if you want packets originated at the router to take a route other than the obvious shortest path.

The ipv6 local policy route-map command identifies a route map to be used for local PBR. The route-map commands each have a list of match and set commands associated with them. The match commands specify the match criteria, which are the conditions under which packets should be policy routed. The set commands specify set actions, which are particular policy routing actions to be performed if the criteria enforced by the match commands are met. The no ipv6 local policy route-map command deletes the reference to the route map and disables local policy routing.

Usage Guidelines

All pool names must be unique.

IPv6 prefix pools have a function similar to IPv4 address pools. Contrary to IPv4, a block of addresses (an address prefix) are assigned and not single addresses.

Prefix pools are not allowed to overlap.

Once a pool is configured, it cannot be changed. To change the configuration, the pool must be removed and recreated. All prefixes already allocated will also be freed.

Usage Guidelines

After a user has enabled the ipv6 multicast-routing command, IPv6 multicast forwarding is enabled. Because IPv6 multicast forwarding is enabled by default, use the no form of the ipv6 mfib command to disable IPv6 multicast forwarding.

Usage Guidelines

Cisco Express Forwarding-based (interrupt level) IPv6 multicast forwarding is enabled by default when you enable Cisco Express Forwarding-based IPv6 multicast routing.

Use the show ipv6 mfib interface command to display the multicast forwarding interface status.

Usage Guidelines

After a user has enabled the ipv6 multicast-routing command, MFIB interrupt switching is enabled to run on every interface. Use the no form of the ipv6 mfib cef output command to disable interrupt-switching on a specific interface.

Use the show ipv6 mfib interface command to display the multicast forwarding status of interfaces.

Usage Guidelines

After a user has enabled the ipv6 multicast-routing command, MFIB interrupt switching is enabled to run on every interface. Use the no form of the ipv6 mfib fast command to disable interrupt-switching on a specific interface.

Use the show ipv6 mfib interface command to display the multicast forwarding status of interfaces.

Usage Guidelines

The no ipv6 mfib forwarding command is used to disable multicast forwarding of packets received from a specified interface, although the specified interface on the router will still continue to receive multicast packets destined for applications on the router itself.

Because multicast forwarding is enabled automatically when IPv6 multicast routing is enabled, the ipv6 mfib forwarding command is used to reenable multicast forwarding of packets if it has been previously disabled.

Usage Guidelines

You must enter the ipv6 mfib hardware-switching uplink command to enable IPv6 multicast hardware switching on the standby Supervisor Engine 720-10GE.

Note

The system message "PSTBY-2-CHUNKPARTIAL: Attempted to destroy partially full chunk, chunk 0xB263638, chunk name: MET FREE POOL" is displayed on the Supervisor Engine if both the fabric switching-mode allow dcef-only and ipv6 mfib hardware-switching uplink commands are configured. The router will ignore the command configured last.

The ipv6 mfib hardware-switching uplink command ensures support of IPv6 multicast on standby uplink ports on systems that are configured with a Supervisor Engine 720-10GE only. You must reboot the system for this command to take effect. The MET space is halved on both the supervisor engines and the C+ modules.

Enabling the ipv6 mfib hardware-switching issu-support command will consume one Switched Port Analyzer (SPAN) session. This command will be effective if the image versions on the active and standby supervisors are different. If the command is not enabled, then the IPv6 multicast traffic ingressing and egressing from standby uplinks will be affected. This command is NVGENed. This command should be configured only once and preferably before performing the In-Service Software Upgrade (ISSU) load version process.

Note	After completing the ISSU process, the administrator should disable the configured ipv6 mfib hardware-switching issu-support command.

Usage Guidelines

Distributed forwarding is enabled by default when the ipv6 multicast-routing , ipv6 cef distributed , and the ipv6 mfib commands are enabled. The ipv6 mfib-mode centralized-only command disables distributed forwarding. All multicast forwarding is performed centrally.

Usage Guidelines

The ipv6 mld access-group command is used for receiver access control and to check the groups and sources in Multicast Listener Discovery (MLD) reports against the access list. The ipv6 mld access-group command also limits the state created by MLD reports. Because Cisco supports MLD version 2, the ipv6 mld access-group command allows users to limit the list of groups a receiver can join. You can also use this command to allow or deny sources used to join Source Specific Multicast (SSM) channels.

If a report (S1, S2...Sn, G) is received, the group (0, G) is first checked against the access list. If the group is denied, the entire report is denied. If the report is allowed, each individual (Si, G) is checked against the access list. State is not created for the denied sources.

Usage Guidelines

When explicit tracking is enabled, the fast leave mechanism can be used with Multicast Listener Discovery (MLD) version 2 host reports. The access-list-name argument specifies a named IPv6 access list that can be used to specify the group ranges for which a user wants to apply explicit tracking.

Usage Guidelines

Use the ipv6 mld host-proxy command to enable the MLD proxy feature. If the group-acl argument is specified, the MLD proxy feature is supported for the multicast route entries that are permitted by the group ACL. If the group-acl argument is not provided, the MLD proxy feature is supported for all multicast routes present in multicast routing table.

Only one group ACL is configured at a time. Users can modify the group ACL by entering this command using a different group-acl argument.

Usage Guidelines

Use the ipv6 mld host-proxy interface command to enable the MLD proxy feature on a specified interface on an RP. If a router is acting as an RP for an multicast-route proxy entry, it generates an MLD report on the specified host-proxy interface. Only one interface can be configured as a host-proxy interface, and the host-proxy interface can be modified by using this command with a different interface name.

If a router is not acting as an RP, enabling this command does not have any effect, nor will it generate an error or warning message.

Usage Guidelines

The ipv6 mld join-group command configures MLD reporting for a specified source and group. The packets that are addressed to a specified group address will be passed up to the client process in the device. The packets will be forwarded out the interface depending on the normal Protocol Independent Multicast (PIM) activity.

The source-list keyword and acl argument may be used to include or exclude multiple sources for the same group. Each source is included in the access list in the following format:

permit ipv6 host source any

If the ipv6 mld join-group command is repeated for the same group, only the most recent command will take effect. For example, if you enter the following commands, only the second command is saved and will appear in the MLD cache:

Device(config-if)# ipv6 mld join-group ff05::10 include 2000::1
Device(config-if)# ipv6 mld join-group ff05::10 include 2000::2

Usage Guidelines

Use the ipv6 mld limit command to configure a limit on the number of MLD states resulting from MLD membership reports on a per-interface basis. Membership reports sent after the configured limits have been exceeded are not entered in the MLD cache, and traffic for the excess membership reports is not forwarded.

Use the ipv6 mld state-limit command in global configuration mode to configure the global MLD state limit.

Per-interface and per-system limits operate independently of each other and can enforce different configured limits. A membership state will be ignored if it exceeds either the per-interface limit or global limit.

If you do not configure the except access-list keyword and argument, all MLD states are counted toward the configured cache limit on an interface. Use the except access-list keyword and argument to exclude particular groups or channels from counting toward the MLD cache limit. An MLD membership report is counted against the per-interface limit if it is permitted by the extended access list specified by the except access-list keyword and argument.

Usage Guidelines

Multicast routers send host membership query messages (host-query messages) to discover which multicast groups have members on the router’s attached networks. Hosts respond with MLD report messages indicating that they want to receive multicast packets for specific groups (that is, indicating that the host wants to become a member of the group).

The designated router for a LAN is the only router that sends MLD host-query messages.

The query interval is calculated as query timeout = (2 x query interval) + query-max-response-time / 2. If the ipv6 mld query-interval command is configured to be 60 seconds and the ipv6 mld query-max-response-time command is configured to be 20 seconds, then the ipv6 mld query-timeout command should be configured to be 130 seconds or higher.

This command works with the ipv6 mld query-max-response-time and ipv6 mld query-timeout commands. If you change the default value for the ipv6 mld query-interval command, make sure the changed value works correctly with these two commands.

Caution

Changing the default value may severely impact multicast forwarding.

Usage Guidelines

This command controls how much time the hosts have to answer an MLD query message before the router deletes their group. Configuring a value of fewer than 10 seconds enables the router to prune groups faster.

Note	If the hosts do not respond fast enough, they might be pruned inadvertently. Therefore, the hosts must know to respond faster than 10 seconds (or the value you configure).

The query interval is calculated as query timeout = (2 x query interval) + query-max-response-time / 2. If the ipv6 mld query-interval command is configured to be 60 seconds and the ipv6 mld query-max-response-time command is configured to be 20 seconds, then the ipv6 mld query-timeout command should be configured to be 130 seconds or higher.

This command works with the ipv6 mld query-interval and ipv6 mld query-timeout commands. If you change the default value for the ipv6 mld query-max-response-time command, make sure the changed value works correctly with these two commands.

Caution

Changing the default value may severely impact multicast forwarding.

Usage Guidelines

The query interval is calculated as query timeout = (2 x query interval) + query-max-response-time / 2. If the ipv6 mld query-interval command is configured to be 60 seconds and the ipv6 mld query-max-response-time command is configured to be 20 seconds, then the ipv6 mld query-timeout command should be configured to be 130 seconds or higher.

This command works with the ipv6 mld query-interval and ipv6 mld query-max-response-time commands. If you change the default value for the ipv6 mld query-timeout command, make sure the changed value works correctly with these two commands.

Caution

Changing the default value may severely impact multicast forwarding.

Usage Guidelines

When the ipv6 multicast-routing command is configured, MLD group membership message processing is enabled on every interface. The no ipv6 mld router command prevents forwarding (routing) of multicast packets to the specified interface and disables static multicast group configuration on the specified interface.

The no ipv6 mld router command also disables MLD group membership message processing on a specified interface. When MLD group membership message processing is disabled, the router stops sending MLD queries and stops keeping track of MLD members on the LAN.

If the ipv6 mld join-group command is also configured on an interface, it will continue with MLD host functionality and will report group membership when an MLD query is received.

MLD group membership processing is enabled by default. The ipv6 multicast-routing command does not enable or disable MLD group membership message processing.

Usage Guidelines

MLDv2 snooping is supported on the Supervisor Engine 720 with all versions of the Policy Feature Card 3 (PFC3).

To use MLDv2 snooping, configure a Layer 3 interface in the subnet for IPv6 multicast routing or enable the MLDv2 snooping querier in the subnet.

Usage Guidelines

This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.

Explicit host tracking is supported only with Internet Group Management Protocol Version 3 (IGMPv3) hosts.

When you enable explicit host tracking and the Cisco 7600 series router is working in proxy-reporting mode, the router may not be able to track all the hosts that are behind a VLAN interface. In proxy-reporting mode, the Cisco 7600 series router forwards only the first report for a channel to the router and suppresses all other reports for the same channel.

With IGMPv3 proxy reporting, the Cisco 7600 series router does proxy reporting for unsolicited reports and reports that are received in the general query interval.

Proxy reporting is turned on by default. When you disable proxy reporting, the Cisco 7600 series router works in transparent mode and updates the IGMP snooping database as it receives reports and forwards this information to the upstream router. The router can then explicitly track all reporting hosts.

Disabling explicit tracking disables fast-leave processing and proxy reporting.

IGMPv3 supports explicit host tracking of membership information on any port. The explicit host-tracking database is used for fast-leave processing for IGMPv3 hosts, proxy reporting, and statistics collection. When you enable explicit host tracking on a VLAN, the IGMP snooping software processes the IGMPv3 report that it receives from a host and builds an explicit host-tracking database that contains the following information:

• The port that is connected to the host.

• The channels that are reported by the host.

• The filter mode for each group that are reported by the host.

• The list of sources for each group that are reported by the hosts.

• The router filter mode of each group.

• The list of hosts for each group that request the source.

Usage Guidelines

When a multicast host leaves a group, the host sends an IGMP leave. To check if this host is the last to leave the group, an IGMP query is sent out when the leave is seen and a timer is started. If no reports are received before the timer expires, the group record is deleted.

The interval is the actual time that the Cisco 7600 series router waits for a response for the group-specific query.

If you enter an interval that is not a multiple of 100, the interval is rounded to the next lowest multiple of 100. For example, if you enter 999, the interval is rounded down to 900 milliseconds.

If you enable IGMP fast-leave processing and you enter the no ipv6 mld snooping last-member-query-interval command, the interval is set to 0 seconds; fast-leave processing always assumes a higher priority.

Even though the valid interval range is 100 to 1000 milliseconds, you cannot enter a value of 1000 . If you want this value, you must enter the no ipv6 mld snooping last-member-query-interval command and return to the default value (1000 milliseconds).

Usage Guidelines

This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2 .

Each entry in the explicit-tracking database is identified by the source IP, group IP, port, VLAN, and reporter IP.

When you set the max-entries argument to 0, explicit-tracking is disabled.

When the explicit-tracking database exceeds the configured max-entries value, a system logging message is generated.

When you reduce the max-entries argument, the explicit-tracking database does not decrease in size immediately. The explicit-tracking database gradually shrinks as reporters time out.

Usage Guidelines

You must configure an IPv6 address on the VLAN interface. When this feature is enabled, the MLDv2 snooping querier uses the IPv6 address as the query source address.

If there is no IPv6 address configured on the VLAN interface, the MLDv2 snooping querier does not start. The MLDv2 snooping querier disables itself if the IPv6 address is cleared. When this feature is enabled, the MLDv2 snooping querier restarts if you configure an IPv6 address.

The MLDv2 snooping querier:

• Does not start if it detects MLDv2 traffic from an IPv6 multicast router.

• Starts after 60 seconds if it detects no MLDv2 traffic from an IPv6 multicast router.

• Disables itself if it detects MLDv2 traffic from an IPv6 multicast router.

You can enable the MLDv2 snooping querier on all the Catalyst 6500 series switches in the VLAN that support it. One switch is elected as the querier.

Usage Guidelines

You must enable explicit tracking before enabling report suppression.

This command is supported on VLAN interfaces only.

Usage Guidelines

The ipv6 mld ssm-map enable command enables the SSM mapping feature for groups in the configured SSM range. When the ipv6 mld ssm-map enable command is used, SSM mapping defaults to use the Domain Name System (DNS).

SSM mapping is applied only to received Multicast Listener Discovery (MLD) version 1 or MLD version 2 membership reports.

Usage Guidelines

DNS-based SSM mapping is enabled by default when the SSM mapping feature is enabled using the ipv6 mld ssm-map enable command. If DNS-based SSM mapping is disabled by entering the no version of the ipv6 mld ssm-map query dns command, only statically mapped SSM sources configured by the ipv6 mld ssm-map static command will be determined.

For DNS-based SSM mapping to succeed, the router needs to find at least one correctly configured DNS server.

Usage Guidelines

Use the ipv6 mld ssm-map static command to configure static SSM mappings. If SSM mapping is enabled and the router receives a Multicast Listener Discovery (MLD) membership for group G in the SSM range, the router tries to determine the source addresses associated with G by checking the ipv6 mld ssm-map static command configurations.

If group G is permitted by the access list identified by the access-list argument, then the specified source address is used. If multiple static SSM mappings have been configured using the ipv6 mld ssm-map static command and G is permitted by multiple access lists, then the source addresses of all matching access lists will be used (the limit is 20).

If no static SSM mappings in the specified access lists match the MLD membership, SSM mapping queries the Domain Name System (DNS) for address mapping.

Usage Guidelines

Use the ipv6 mld state-limit command to configure a limit on the number of MLD states resulting from MLD membership reports on a global basis. Membership reports sent after the configured limits have been exceeded are not entered in the MLD cache and traffic for the excess membership reports is not forwarded.

Use the ipv6 mld limit command in interface configuration mode to configure the per-interface MLD state limit.

Per-interface and per-system limits operate independently of each other and can enforce different configured limits. A membership state will be ignored if it exceeds either the per-interface limit or global limit.

Usage Guidelines

The ipv6 multicast-routing command must be configured for the ipv6 mld static-group command to be effective.

When the ipv6 mld static-group command is enabled, packets to the group are either fast-switched or hardware-switched, depending on the platform. Unlike what happens when using the ipv6 mld join-group command, a copy of the packet is not sent to the process level.

An access list can be specified to include or exclude multiple sources for the same group. Each source is included in the access list in the following format:

permit ipv6 host source any

Note

Using the ipv6 mld static-group command is not sufficient to allow traffic to be forwarded onto the interface. Other conditions, such as the absence of a route, the router not being the designated router, or losing an assert, can cause the router not to forward traffic even if the ipv6 mld static-group command is configured.