IGMP Snooping

About Cisco APIC and IGMP Snooping

How IGMP Snooping is Implemented in the ACI Fabric


Note


We recommend that you do not disable IGMP snooping on bridge domains. If you disable IGMP snooping, you may see reduced multicast performance because of excessive false flooding within the bridge domain.


IGMP snooping software examines IP multicast traffic within a bridge domain to discover the ports where interested receivers reside. Using the port information, IGMP snooping can reduce bandwidth consumption in a multi-access bridge domain environment to avoid flooding the entire bridge domain. By default, IGMP snooping is enabled on the bridge domain.

This figure shows the IGMP routing functions and IGMP snooping functions both contained on an ACI leaf switch with connectivity to a host. The IGMP snooping feature snoops the IGMP membership reports, and leaves messages and forwards them only when necessary to the IGMP router function.

Figure 1. IGMP Snooping function

IGMP snooping operates upon IGMPv1, IGMPv2, and IGMPv3 control plane packets where Layer 3 control plane packets are intercepted and influence the Layer 2 forwarding behavior.

IGMP snooping has the following proprietary features:

  • Source filtering that allows forwarding of multicast packets based on destination and source IP addresses

  • Multicast forwarding based on IP addresses rather than the MAC address

  • Multicast forwarding alternately based on the MAC address

The ACI fabric supports IGMP snooping only in proxy-reporting mode, in accordance with the guidelines provided in Section 2.1.1, "IGMP Forwarding Rules," in RFC 4541:

      IGMP networks may also include devices that implement "proxy-
      reporting", in which reports received from downstream hosts are
      summarized and used to build internal membership states.  Such
      proxy-reporting devices may use the all-zeros IP Source-Address
      when forwarding any summarized reports upstream. For this reason,
      IGMP membership reports received by the snooping switch must not
      be rejected because the source IP address is set to 0.0.0.0.

As a result, the ACI fabric will send IGMP reports with the source IP address of 0.0.0.0.


Note


For more information about IGMP snooping, see RFC 4541.


Virtualization Support

You can define multiple virtual routing and forwarding (VRF) instances for IGMP snooping.

On leaf switches, you can use the show commands with a VRF argument to provide a context for the information displayed. The default VRF is used if no VRF argument is supplied.

The APIC IGMP Snooping Function, IGMPv1, IGMPv2, and the Fast Leave Feature

Both IGMPv1 and IGMPv2 support membership report suppression, which means that if two hosts on the same subnet want to receive multicast data for the same group, the host that receives a member report from the other host suppresses sending its report. Membership report suppression occurs for hosts that share a port.

If no more than one host is attached to each switch port, you can configure the fast leave feature in IGMPv2. The fast leave feature does not send last member query messages to hosts. As soon as APIC receives an IGMP leave message, the software stops forwarding multicast data to that port.

IGMPv1 does not provide an explicit IGMP leave message, so the APIC IGMP snooping function must rely on the membership message timeout to indicate that no hosts remain that want to receive multicast data for a particular group.


Note


The IGMP snooping function ignores the configuration of the last member query interval when you enable the fast leave feature because it does not check for remaining hosts.


The APIC IGMP Snooping Function and IGMPv3

The IGMPv3 snooping function in APIC supports full IGMPv3 snooping, which provides constrained flooding based on the (S, G) information in the IGMPv3 reports. This source-based filtering enables the device to constrain multicast traffic to a set of ports based on the source that sends traffic to the multicast group.

By default, the IGMP snooping function tracks hosts on each VLAN port in the bridge domain. The explicit tracking feature provides a fast leave mechanism. Because every IGMPv3 host sends membership reports, report suppression limits the amount of traffic that the device sends to other multicast-capable routers. When report suppression is enabled, and no IGMPv1 or IGMPv2 hosts requested the same group, the IGMP snooping function provides proxy reporting. The proxy feature builds the group state from membership reports from the downstream hosts and generates membership reports in response to queries from upstream queriers.

Even though the IGMPv3 membership reports provide a full accounting of group members in a bridge domain, when the last host leaves, the software sends a membership query. You can configure the parameter last member query interval. If no host responds before the timeout, the IGMP snooping function removes the group state.

Cisco APIC and the IGMP Snooping Querier Function

When PIM is not enabled on an interface because the multicast traffic does not need to be routed, you must configure an IGMP snooping querier function to send membership queries. In APIC, within the IGMP Snoop policy, you define the querier in a bridge domain that contains multicast sources and receivers but no other active querier.

Cisco ACI has by default, IGMP snooping and IGMP snooping querier enabled. Additionally, if the Bridge Domain subnet control has “querier IP” selected, then the leaf switch behaves as a querier and starts sending query packets. Querier on the ACI leaf switch must be enabled when the segments do not have an explicit multicast router (PIM is not enabled). On the Bridge Domain where the querier is configured, the IP address used must be from the same subnet where the multicast hosts are configured.

A unique IP address must be configured so as to easily reference the querier function. You must use a unique IP address for IGMP snooping querier configuration, so that it does not overlap with any host IP address or with the IP addresses of routers that are on the same segment. The SVI IP address must not be used as the querier IP address or it will result in issues with querier election. As an example, if the IP address used for IGMP snooping querier is also used for another router on the segment, then there will be issues with the IGMP querier election protocol. The IP address used for querier functionality must also not be used for other functions, such as HSRP or VRRP.


Note


The IP address for the querier should not be a broadcast IP address, multicast IP address, or 0 (0.0.0.0).


When an IGMP snooping querier is enabled, it sends out periodic IGMP queries that trigger IGMP report messages from hosts that want to receive IP multicast traffic. IGMP snooping listens to these IGMP reports to establish appropriate forwarding.

The IGMP snooping querier performs querier election as described in RFC 2236. Querier election occurs in the following configurations:

  • When there are multiple switch queriers configured with the same subnet on the same VLAN on different switches.

  • When the configured switch querier is in the same subnet as with other Layer 3 SVI queriers.

Guidelines and Limitations for the APIC IGMP Snooping Function

The APIC IGMP snooping has the following guidelines and limitations:

  • Layer 3 IPv6 multicast routing is not supported.

  • Layer 2 IPv6 multicast packets will be flooded on the incoming bridge domain.

  • IGMPv3 snooping will forward multicast based on the group and source entry only when PIM is enabled on the bridge domain. If PIM is not enabled, forwarding will be based on the group only.

Configuring and Assigning an IGMP Snooping Policy

Configuring and Assigning an IGMP Snooping Policy to a Bridge Domain in the Advanced GUI

To implement IGMP snooping functionality, you configure an IGMP Snooping policy then assign that policy to one or more bridge domains.

Configuring an IGMP Snooping Policy Using the GUI

Create an IGMP Snooping policy whose IGMP settings can be assigned to one or multiple bridge domains.

Procedure


Step 1

Click the Tenants tab and the name of the tenant on whose bridge domain you intend to configure IGMP snooping support.

Step 2

In the Navigation pane, click Policies > Protocol > IGMP Snoop.

Step 3

Right-click IGMP Snoop and select Create IGMP Snoop Policy.

Step 4

In the Create IGMP Snoop Policy dialog, configure a policy as follows:

  1. In the Name and Description fields, enter a policy name and optional description.

  2. In the Admin State field, select Enabled or Disabled to enable or disable IGMP snooping for this particular policy.

  3. Select or unselect Fast Leave to enable or disable IGMP V2 immediate dropping of queries through this policy.

  4. Select or unselect Enable querier to enable or disable the IGMP querier activity through this policy.

    Note

     

    For this option to be effectively enabled, the Subnet Control: Querier IP setting must also be enabled in the subnets assigned to the bridge domains to which this policy is applied. The navigation path to the properties page on which this setting is located is Tenants > tenant_name > Networking > Bridge Domains > bridge_domain_name > Subnets > subnet_name .

  5. Specify in seconds the Last Member Query Interval value for this policy.

    IGMP uses this value when it receives an IGMPv2 Leave report. This means that at least one host wants to leave the group. After it receives the Leave report, it checks that the interface is not configured for IGMP Fast Leave and if not, it sends out an out-of-sequence query.

  6. Specify in seconds the Query Interval value for this policy.

    This value is used to define the amount of time the IGMP function will store a particular IGMP state if it does not hear any reports on the group.

  7. Specify in seconds Query Response Interval value for this policy.

    When a host receives the query packet, it starts counting to a random value, less that the maximum response time. When this timer expires, host replies with a report.

  8. Specify the Start query Count value for this policy.

    Number of queries sent at startup that are separated by the startup query interval. Values range from 1 to 10. The default is 2.

  9. Specify in seconds a Start Query Interval for this policy.

    By default, this interval is shorter than the query interval so that the software can establish the group state as quickly as possible. Values range from 1 to 18,000 seconds. The default is 31 seconds.

Step 5

Click Submit.


The new IGMP Snoop policy is listed in the Protocol Policies - IGMP Snoop summary page.

What to do next

To put this policy into effect, assign it to any bridge domain.

Assigning an IGMP Snooping Policy to a Bridge Domain Using the GUI

Assigning an IGMP Snooping policy to a bridge domain configures that bridge domain to use the IGMP Snooping properties specified in that policy.

Before you begin

  • Configure a bridge domain for a tenant.

  • Configure the IGMP Snooping policy that will be attached to the bridge domain.


Note


For the Enable Querier option on the assigned policy to be effectively enabled, the Subnet Control: Querier IP setting must also be enabled in the subnets assigned to the bridge domains to which this policy is applied. The navigation path to the properties page on which this setting is located is Tenants > tenant_name > Networking > Bridge Domains > bridge_domain_name > Subnets > subnet_name .


Procedure


Step 1

Click the APIC Tenants tab and select the name of the tenant whose bridge domains you intend to configure with an IGMP Snoop policy.

Step 2

In the APIC navigation pane, click Networking > Bridge Domains, then select the bridge domain to which you intend to apply your policy-specified IGMP Snoop configuration.

Step 3

On the main Policy tab, scroll down to the IGMP Snoop Policy field and select the appropriate IGMP policy from the drop-down menu.

Step 4

Click Submit.


The target bridge domain is now associated with the specified IGMP Snooping policy.

Enabling IGMP Snooping Static Port Groups

Enabling IGMP Snooping Static Port Groups

IGMP static port grouping enables you to pre-provision ports, that were previously statically-assigned to an application EPG, to enable the switch ports to receive and process IGMP multicast traffic. This pre-provisioning prevents the join latency which normally occurs when the IGMP snooping stack learns ports dynamically.

Static group membership can be pre-provisioned only on static ports assigned to an application EPG.

Static group membership can be configured through the APIC GUI, CLI, and REST API interfaces.

Prerequisite: Deploy EPGs to Static Ports

Enabling IGMP snoop processing on ports requires as a prerequisite that the target ports be statically-assigned to associated EPGs.

Static deployment of ports can be configured through the APIC GUI, CLI, or REST API interfaces. For information, see the following topics in the Cisco APIC Layer 2 Networking Configuration Guide:

  • Deploying an EPG on a Specific Node or Port Using the GUI

  • Deploying an EPG on a Specific Port with APIC Using the NX-OS Style CLI

  • Deploying an EPG on a Specific Port with APIC Using the REST API

Enabling IGMP Snooping and Multicast on Static Ports Using the GUI

You can enable IGMP snooping and multicast on ports that have been statically assigned to an EPG. Afterwards you can create and assign access groups of users that are permitted or denied access to the IGMP snooping and multicast traffic enabled on those ports.

Before you begin

Before you begin to enable IGMP snooping and multicast for an EPG, complete the following tasks:
  • Identify the interfaces to enable this function and statically assign them to that EPG


    Note


    For details on static port assignment, see Deploying an EPG on a Specific Node or Port Using the GUI in the Cisco APIC Layer 2 Networking Configuration Guide.
  • Identify the IP addresses that you want to be recipients of IGMP snooping and multicast traffic.

Procedure


Step 1

Click Tenant > tenant_name > Application Profiles > application_name > Application EPGs > epg_name > Static Ports.

Navigating to this spot displays all the ports you have statically assigned to the target EPG.

Step 2

Click the port to which you intend to statically assign group members for IGMP snooping.

This action displays the Static Path page.

Step 3

On the IGMP Snoop Static Group table, click + to add an IGMP Snoop Address Group entry.

Adding an IGMP Snoop Address Group entry associates the target static port with a specified multicast IP address and enables it to process the IGMP snoop traffic received at that address.

  1. In the Group Address field, enter the multicast IP address to associate with his interface and this EPG.

  2. In the Source Address field enter the IP address of the source to the multicast stream, if applicable.

  3. Click Submit.

When configuration is complete, the target interface is enabled to process IGMP Snooping protocol traffic sent to its associated multicast IP address.

Note

 

You can repeat this step to associate additional multicast addresses with the target static port.

Step 4

Click Submit.


Enabling IGMP Snoop Access Groups

Enabling IGMP Snoop Access Groups

An “access-group” is used to control what streams can be joined behind a given port.

An access-group configuration can be applied on interfaces that are statically assigned to an application EPG in order to ensure that the configuration can be applied on ports that will actually belong to the that EPG.

Only Route-map-based access groups are allowed.

IGMP snoop access groups can be configured through the APIC GUI, CLI, and REST API interfaces.

Enabling Group Access to IGMP Snooping and Multicast Using the GUI

After you enable IGMP snooping and multicasting on ports that have been statically assigned to an EPG, you can then create and assign access groups of users that are permitted or denied access to the IGMP snooping and multicast traffic enabled on those ports.

Before you begin

Before you enable access to IGMP snooping and multicasting for an EPG, Identify the interfaces to enable this function and statically assign them to that EPG .

Note


For details on static port assignment, see Deploying an EPG on a Specific Node or Port Using the GUI in the Cisco APIC Layer 2 Networking Configuration Guide.

Procedure


Step 1

Click Tenant > tenant_name > Application Profiles > application_name > Application EPGs > epg_name > Static Ports.

Navigating to this spot displays all the ports you have statically assigned to the target EPG.

Step 2

Click the port to which you intend to assign multicast group access, to display the Static Port Configuration page.

Step 3

Click Actions > Create IGMP Access Group to display the IGMP Snoop Access Group table.

Step 4

Locate the IGMP Snoop Access Group table and click + to add an access group entry.

Adding an IGMP Snoop Access Group entry creates a user group with access to this port, associates it with a multicast IP address, and permits or denies that group access to the IGMP snoop traffic received at that address.

  1. Select Create Route Map Policy for Multicast to display the Create Route Map Policy for Multicast window.

  2. In the Name field assign the name of the group that you want to allow or deny multicast traffic.

  3. In the Route Maps table click + to display the route map dialog.

  4. In the Order field, if multiple access groups are being configured for this interface, select a number that reflects the order in which this access group will be permitted or denied access to the multicast traffic on this interface. Lower-numbered access groups are ordered before higher-numbered access groups.

  5. In the Group IP field enter the multicast IP address whose traffic is to be allowed or blocked for this access group.

  6. In the Source IP field, enter the IP address of the source if applicable.

  7. In the Action field, choose Deny to deny access for the target group or Permit to allow access for the target group.

  8. Click OK.

  9. Click Submit.

When the configuration is complete, the configured IGMP snoop access group is assigned a multicast IP address through the target static port and permitted or denied access to the multicast streams that are received at that address.

Note

 
  • You can repeat this step to configure and associate additional access groups with multicast IP addresses through the target static port.

  • To review the settings for the configured access groups, click to the following location: Tenant > tenant_name > Policies > Protocol > Route Maps for Multicast > route_map_access_group_name.

Step 5

Click Submit.