Configuring Wireless Multicast

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring Wireless Multicast

  • The IP multicast routing must be enabled and the PIM version and PIM mode must be configured. The default routes should be available in the device. After performing these tasks, the device can then forward multicast packets and can populate its multicast routing table.

  • To participate in IP multicasting, the multicast hosts, routers, and multilayer switches must have IGMP operating.

  • When enabling multicast mode on the device, a CAPWAP multicast group address should also be configured. Access points listen to the CAPWAP multicast group using IGMP.

Restrictions for Configuring Wireless Multicast

The following are the restrictions for configuring IP multicast routing:
  • Access points in monitor mode, sniffer mode, or rogue detector mode do not join the CAPWAP multicast group address.

  • The CAPWAP multicast group configured on the device should be different for different devices.

  • Multicast routing should not be enabled for the management interface.

Restrictions for IPv6 Snooping

The IPv6 snooping feature is not supported on Etherchannel ports.

Restrictions for IPv6 RA Guard

  • The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.

  • This feature is supported only in hardware when the ternary content addressable memory (TCAM) is programmed.

  • This feature can be configured on a switch port interface in the ingress direction.

  • This feature supports host mode and router mode.

  • This feature is supported only in the ingress direction; it is not supported in the egress direction.

  • This feature is not supported on EtherChannel and EtherChannel port members.

  • This feature is not supported on trunk ports with merge mode.

  • This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of PVLANs, primary VLAN features are inherited and merged with port features.

  • Packets dropped by the IPv6 RA Guard feature can be spanned.

  • If the platform ipv6 acl icmp optimize neighbor-discovery command is configured, the IPv6 RA Guard feature cannot be configured and an error message will be displayed. This command adds default global Internet Control Message Protocol (ICMP) entries that will override the RA guard ICMP entries.

Information About Wireless Multicast

If the network supports packet multicasting, the multicast method that the device uses can be configured. The device performs multicasting in two modes:
  • Unicast mode—The device unicasts every multicast packet to every access point associated to the device. This mode is inefficient but might be required on networks that do not support multicasting.

  • Multicast mode—The device sends multicast packets to a CAPWAP multicast group. This method reduces overhead on the device processor and shifts the work of packet replication to the network, which is much more efficient than the unicast method.

When the multicast mode is enabled and the device receives a multicast packet from the wired LAN, the device encapsulates the packet using CAPWAP and forwards the packet to the CAPWAP multicast group address. The device always uses the management VLAN for sending multicast packets. Access points in the multicast group receive the packet and forward it to all the BSSIDs mapped to the VLAN on which clients receive multicast traffic.

The device supports all the capabilities of v1 including Multicast Listener Discovery (MLD) v1 snooping but the v2 and v3 capabilities are limited. This feature keeps track of and delivers IPv6 multicast flows to the clients that request them. To support IPv6 multicast, global multicast mode should be enabled.

Internet Group Management Protocol (IGMP) snooping is introduced to better direct multicast packets. When this feature is enabled, the device gathers IGMP reports from the clients, processes them, creates unique multicast group IDs (MGIDs) based on the Layer 3 multicast address and the VLAN number, and sends the IGMP reports to the IGMP querier. The device then updates the MGID table on the access point with the client MAC address. When the device receives multicast traffic for a particular multicast group, it forwards the traffic to all the access points, but only those access points that have active clients listening or subscribed to that multicast group send multicast traffic on that particular WLAN. IP packets are forwarded with an MGID that is unique for an ingress VLAN and the destination multicast group. Layer 2 multicast packets are forwarded with an MGID that is unique for the ingress VLAN.

The MGID is a 14-bit value carried in the 16-bit reserved field of the wireless information in the CAPWAP header. The remaining 2 bits should be set to zero.

Information About Multicast Optimization

Multicast used to be based on the group of the multicast addresses and the VLAN as one entity, MGID. With the VLAN group, duplicate packets might increase. Using the VLAN group feature, every client listens to the multicast stream on a different VLAN. As a result, the device creates different MGIDs for each multicast address and VLAN. Therefore, in a worst case situation, the upstream router sends one copy for each VLAN, which results in as many copies as the number of VLANs in the group. Because the WLAN remains the same for all clients, multiple copies of the multicast packet are sent over the wireless network. To suppress the duplication of a multicast stream on the wireless medium between the device and the access points, the multicast optimization feature can be used.

Multicast optimization enables you to create a multicast VLAN that can be used for multicast traffic. One of the VLANs in the device can be configured as a multicast VLAN where multicast groups are registered. The clients are allowed to listen to a multicast stream on the multicast VLAN. The MGID is generated using the multicast VLAN and multicast IP addresses. If multiple clients on different VLANs of the same WLAN are listening to a single multicast IP address, a single MGID is generated. The device makes sure that all multicast streams from the clients on this VLAN group always go out on the multicast VLAN to ensure that the upstream router has one entry for all the VLANs of the VLAN group. Only one multicast stream hits the VLAN group even if the clients are on different VLANs. Therefore, the multicast packets that are sent out over the network form just one stream.
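The MGID keying described in the two sections above can be modelled in a few lines. This is an added example, not Cisco code: the class and function names are hypothetical, the sequential MGID numbering is an assumption (the device's real allocation is internal), and placing the MGID in the low-order 14 bits of the 16-bit field is also an assumption, since the text only says the remaining 2 bits are zero.

```python
import ipaddress

MGID_BITS = 14  # the MGID is a 14-bit value in a 16-bit field

class MgidTable:
    """Toy model of MGID assignment; sequential numbering is an assumption."""

    def __init__(self, multicast_vlan=None):
        self.multicast_vlan = multicast_vlan   # set when multicast optimization is used
        self.mgids = {}                        # (vlan, group or None) -> MGID
        self.listeners = {}                    # MGID -> set of client MACs

    def join(self, client_mac, client_vlan, group=None):
        """Register a listener; group=None models Layer 2 (non-IP) multicast."""
        if group is None:
            key = (client_vlan, None)          # L2 multicast: unique per ingress VLAN
        else:
            addr = ipaddress.ip_address(group)
            if not addr.is_multicast:
                raise ValueError(f"{group} is not a multicast address")
            # With a multicast VLAN, every client VLAN maps to the same key.
            vlan = client_vlan if self.multicast_vlan is None else self.multicast_vlan
            key = (vlan, addr)
        mgid = self.mgids.get(key)
        if mgid is None:
            mgid = len(self.mgids) + 1
            if mgid >= 1 << MGID_BITS:
                raise OverflowError("MGID space exhausted")
            self.mgids[key] = mgid
        self.listeners.setdefault(mgid, set()).add(client_mac)
        return mgid

    def copies_for(self, group):
        """Number of distinct MGIDs, and so stream copies, for one group."""
        addr = ipaddress.ip_address(group)
        return sum(1 for (_vlan, grp) in self.mgids if grp == addr)

def encode_mgid_field(mgid):
    """Pack an MGID into the 16-bit field, leaving the other 2 bits zero."""
    if not 0 <= mgid < (1 << MGID_BITS):
        raise ValueError("MGID must fit in 14 bits")
    return mgid.to_bytes(2, "big")

def compare(group="239.1.1.1", client_vlans=(10, 20, 30)):
    """Constructed scenario: one WLAN whose clients sit on a VLAN group."""
    plain = MgidTable()
    optimized = MgidTable(multicast_vlan=5)
    for vlan in client_vlans:
        plain.join(f"client-vlan{vlan}", vlan, group)
        optimized.join(f"client-vlan{vlan}", vlan, group)
    return plain.copies_for(group), optimized.copies_for(group)

if __name__ == "__main__":
    print(compare())
```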

IPv6 Global Policies

IPv6 global policies provide storage and access policy database services. IPv6 ND inspection and IPv6 RA guard are IPv6 global policies features. Every time an ND inspection or RA guard is configured globally, the policy attributes are stored in the software policy database. The policy is then applied to an interface, and the software policy database entry is updated to include this interface to which the policy is applied.

IPv6 RA Guard

The IPv6 RA Guard feature allows the network administrator to block or reject unwanted or rogue router advertisement (RA) messages that arrive at the network device platform. RAs are used by devices to announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices. In host mode, all RA and router redirect messages are disallowed on the port. The RA guard feature compares configuration information on the Layer 2 (L2) device with the information found in the received RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
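The per-port decision described above, as an added sketch that is not Cisco code. It parses constructed IPv6 packets and returns a verdict for a host-role or router-role port. The function names, the choice of an allowed-prefix list as the configured content check, and the behaviour of a trusted port are assumptions made for illustration.

```python
import ipaddress
import struct

ICMPV6, RA, REDIRECT, OPT_PREFIX_INFO = 58, 134, 137, 3

def _ipv6(src, dst, payload):
    """Prepend a fixed 40-byte IPv6 header whose next header is ICMPv6."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), ICMPV6, 255,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload

def build_ra(src, prefix):
    """Constructed sample: an RA with one Prefix Information option (checksum 0)."""
    net = ipaddress.IPv6Network(prefix)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0, net.network_address.packed)
    header = struct.pack("!BBHBBHII", RA, 0, 0, 64, 0, 1800, 0, 0)
    return _ipv6(src, "ff02::1", header + option)

def build_icmp6(src, dst, msg_type, body=bytes(36)):
    """Constructed sample: any other ICMPv6 message, e.g. a redirect (type 137)."""
    return _ipv6(src, dst, struct.pack("!BBH", msg_type, 0, 0) + body)

def advertised_prefixes(icmp):
    """Walk the options of an RA (RFC 4861 layout) and return its prefixes."""
    if len(icmp) < 16:
        raise ValueError("truncated RA")
    prefixes, off = [], 16                  # options follow the 16-byte RA header
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option")
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length unit: 8 octets
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, icmp[off + 2])))
        off += opt_len
    return prefixes

def ra_guard_verdict(packet, device_role, trusted_port=False, allowed_prefixes=()):
    """Return "forward" or "drop" for one frame received on a port (ingress)."""
    if device_role not in ("host", "router"):
        raise ValueError("this sketch models the host and router roles only")
    if len(packet) < 44 or packet[0] >> 4 != 6 or packet[6] != ICMPV6:
        return "forward"                    # not a message this sketch inspects
    icmp = packet[40:]
    if icmp[0] not in (RA, REDIRECT):
        return "forward"                    # RA guard judges only RAs and redirects
    if trusted_port:
        return "forward"                    # assumption: trusted ports skip the checks
    if device_role == "host":
        return "drop"                       # host mode: no RA or redirect allowed
    if icmp[0] == REDIRECT:
        return "forward"                    # no redirect content check is modelled
    try:
        prefixes = advertised_prefixes(icmp)
    except ValueError:
        return "drop"                       # content cannot be validated
    allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
    valid = all(any(p.subnet_of(a) for a in allowed) for p in prefixes)
    return "forward" if valid else "drop"

if __name__ == "__main__":
    rogue = build_ra("fe80::bad", "2001:db8:666::/64")        # constructed sample
    print(ra_guard_verdict(rogue, "host"))
    print(ra_guard_verdict(rogue, "router", allowed_prefixes=["2001:db8:1::/64"]))
```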

Information About IPv6 Snooping

IPv6 Neighbor Discovery Inspection

The IPv6 Neighbor Discovery Inspection, or IPv6 "snooping," feature bundles several Layer 2 IPv6 first-hop security features, including IPv6 Address Glean and IPv6 Device Tracking. IPv6 neighbor discovery (ND) inspection operates at Layer 2, or between Layer 2 and Layer 3, and provides IPv6 features with security and scalability. This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.

IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables and analyzes ND messages in order to build a trusted binding table. IPv6 ND messages that do not have valid bindings are dropped. An ND message is considered trustworthy if its IPv6-to-MAC mapping is verifiable.

When IPv6 ND inspection is configured on a target (which varies depending on platform target support and may include device ports, switch ports, Layer 2 interfaces, Layer 3 interfaces, and VLANs), capture instructions are downloaded to the hardware to redirect the ND protocol and Dynamic Host Configuration Protocol (DHCP) for IPv6 traffic up to the switch integrated security features (SISF) infrastructure in the routing device. For ND traffic, messages such as NS, NA, RS, RA, and REDIRECT are directed to SISF. For DHCP, UDP messages sourced from port 546 or 547 are redirected.

IPv6 ND inspection registers its "capture rules" to the classifier, which aggregates all rules from all features on a given target and installs the corresponding ACL down into the platform-dependent modules. Upon receiving redirected traffic, the classifier calls all entry points from any registered feature (for the target on which the traffic is being received), including the IPv6 ND inspection entry point. This entry point is the last to be called, so any decision (such as drop) made by another feature supersedes the IPv6 ND inspection decision.

IPv6 ND Inspection

IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database, and IPv6 neighbor discovery messages that do not have valid bindings are dropped. A neighbor discovery message is considered trustworthy if its IPv6-to-MAC mapping is verifiable.

This feature mitigates some of the inherent vulnerabilities for the neighbor discovery mechanism, such as attacks on duplicate address detection (DAD), address resolution, device discovery, and the neighbor cache.

IPv6 Device Tracking

IPv6 device tracking provides IPv6 host liveness tracking so that a neighbor table can be immediately updated when an IPv6 host disappears.

IPv6 First-Hop Security Binding Table

The IPv6 First-Hop Security Binding Table recovery mechanism feature enables the binding table to recover in the event of a device reboot. A database table of IPv6 neighbors connected to the device is created from information sources such as ND snooping. This database, or binding, table is used by various IPv6 guard features to validate the link-layer address (LLA), the IPv4 or IPv6 address, and prefix binding of the neighbors to prevent spoofing and redirect attacks.

This mechanism enables the binding table to recover in the event of a device reboot. The recovery mechanism will block any data traffic sourced from an unknown source; that is, a source not already specified in the binding table and previously learned through ND or DHCP gleaning. This feature recovers the missing binding table entries when the resolution for a destination address fails in the destination guard. When a failure occurs, a binding table entry is recovered by querying the DHCP server or the destination host, depending on the configuration.

Recovery Protocols and Prefix Lists

The IPv6 First-Hop Security Binding Table Recovery Mechanism feature introduces the capability to provide a prefix list that is matched before the recovery is attempted for both DHCP and NDP.

If an address does not match the prefix list associated with the protocol, then the recovery of the binding table entry will not be attempted with that protocol. The prefix list should correspond to the prefixes that are valid for address assignment in the Layer 2 domain using the protocol. The default is that there is no prefix list, in which case the recovery is attempted for all addresses. The command to associate a prefix list to a protocol is protocol {dhcp | ndp} [prefix-list prefix-list-name].

IPv6 Address Glean

IPv6 address glean is the foundation for many other IPv6 features that depend on an accurate binding table. It inspects ND and DHCP messages on a link to glean addresses, and then populates the binding table with these addresses. This feature also enforces address ownership and limits the number of addresses any given node is allowed to claim.

The following figure shows how IPv6 address glean works.

Figure 1. IPv6 Address Glean
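The binding-table behaviour described in the ND inspection, binding table recovery, and address glean sections, modelled as one added example that is not Cisco code. The class, its method names, the return strings, and the probe callables that stand in for querying the DHCP server or the destination host are all hypothetical; addresses, MACs, and port names are constructed sample values.

```python
import ipaddress

class BindingTable:
    """Toy first-hop security binding table: IPv6 address -> (MAC, port)."""

    def __init__(self, max_per_node=2, recovery_prefixes=None):
        self.bindings = {}
        self.max_per_node = max_per_node
        # protocol -> prefix list; a protocol that is absent has no prefix list,
        # so recovery with it is attempted for all addresses (the default).
        self.recovery_prefixes = {
            proto: [ipaddress.IPv6Network(n) for n in nets]
            for proto, nets in (recovery_prefixes or {}).items()}

    def glean(self, address, mac, port):
        """Learn a binding from an ND or DHCP message seen on a port."""
        addr = ipaddress.IPv6Address(address)
        owner = self.bindings.get(addr)
        if owner is not None:                   # address ownership is enforced
            return "refreshed" if owner == (mac, port) else "conflict"
        claimed = sum(o == (mac, port) for o in self.bindings.values())
        if claimed >= self.max_per_node:        # per-node address limit
            return "limit"
        self.bindings[addr] = (mac, port)
        return "learned"

    def permits(self, address, mac, port):
        """True only if the IPv6-to-MAC mapping matches a known binding."""
        return self.bindings.get(ipaddress.IPv6Address(address)) == (mac, port)

    def recover(self, address, probes):
        """Try to rebuild a missing entry; return the protocol that succeeded.

        probes maps "dhcp"/"ndp" to a callable returning (mac, port) or None.
        """
        addr = ipaddress.IPv6Address(address)
        for proto, probe in probes.items():
            nets = self.recovery_prefixes.get(proto)
            if nets is not None and not any(addr in n for n in nets):
                continue                        # prefix list does not match: skip
            owner = probe(addr)
            if owner is not None:
                self.bindings[addr] = owner
                return proto
        return None

def demo():
    host = ("00:00:5e:00:53:01", "Gi1/0/1")     # constructed sample node
    other = ("00:00:5e:00:53:99", "Gi1/0/2")    # second node claiming the address
    table = BindingTable(max_per_node=2)
    outcomes = [table.glean("2001:db8:1::10", *host),
                table.glean("2001:db8:1::10", *other),
                table.glean("2001:db8:1::11", *host),
                table.glean("2001:db8:1::12", *host)]
    # After a reboot the table is empty until recovery repopulates it.
    rebooted = BindingTable(recovery_prefixes={"ndp": ["2001:db8:1::/64"]})
    before = rebooted.permits("2001:db8:1::10", *host)
    via = rebooted.recover("2001:db8:1::10", {"ndp": lambda addr: host})
    return outcomes, before, via, rebooted.permits("2001:db8:1::10", *host)

if __name__ == "__main__":
    print(demo())
```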

How to Configure Wireless Multicast

Configuring Wireless Multicast-MCMC Mode (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. wireless multicast
  4. ap capwap multicast ipaddr
  5. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

wireless multicast

Example:

Device(config)# wireless multicast

Device(config)# no wireless multicast

Enables the multicast traffic for wireless clients. The default value is disable. Add no in the command to disable the multicast traffic for wireless clients.

Step 4

ap capwap multicast ipaddr

Example:

Device(config)# ap capwap multicast 231.1.1.1

Device(config)# no ap capwap multicast 231.1.1.1

Enables the forwarding mode in multicast. Add no in the command to disable the multicast mode.

Step 5

end

Example:

Device(config)# end

Exits the configuration mode. Alternatively, press Ctrl-Z to exit the configuration mode.

Configuring Wireless Multicast-MCUC Mode (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. wireless multicast
  4. no ap capwap multicast ipaddr
  5. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

wireless multicast

Example:

Device(config)# wireless multicast

Enables the multicast traffic for wireless clients and enables mDNS bridging. The default value is disable. Add no in the command to disable the multicast traffic for wireless clients and disable mDNS bridging.

Step 4

no ap capwap multicast ipaddr

Example:

Device(config)# no ap capwap multicast 231.1.1.1

Enables forwarding mode in multicast. Add no in the command to disable the multicast mode.

Step 5

end

Example:

Device(config)# end

Exits the configuration mode. Alternatively, press Ctrl-Z to exit the configuration mode.

Configuring IPv6 Snooping (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ipv6 mld snooping

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 mld snooping

Example:

Device(config)# ipv6 mld snooping

Enables MLD snooping.

Configuring IPv6 Snooping Policy (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ipv6 snooping policy policy-name
  4. security-level guard
  5. device-role node
  6. protocol {dhcp | ndp}

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 snooping policy policy-name

Example:

Device(config)# ipv6 snooping policy mypolicy

Configures an IPv6 snooping policy with a name.

Step 4

security-level guard

Example:

Device(config-ipv6-snooping)# security-level guard

Configures security level to inspect and drop any unauthorized messages.

Step 5

device-role node

Example:

Device(config-ipv6-snooping)# device-role node

Configures the role of the device, which is a node, to the attached port.

Step 6

protocol {dhcp | ndp}

Example:

Device(config-ipv6-snooping)# protocol ndp

Sets the protocol to glean addresses in DHCP or NDP packets.

Configuring Layer 2 Port as Multicast Router Port (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ipv6 mld snooping vlan vlan-id mrouter interface Port-channel port-channel-interface-number

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 mld snooping vlan vlan-id mrouter interface Port-channel port-channel-interface-number

Example:

Device(config)# ipv6 mld snooping vlan 2 mrouter interface Port-channel 22

Configures a Layer 2 port as a Multicast router port. The VLAN is the client VLAN.

Configuring IPv6 RA Guard (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ipv6 nd raguard policy policy-name
  4. trusted-port
  5. device-role {host | monitor | router | switch}

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ipv6 nd raguard policy policy-name

Example:

Device(config)# ipv6 nd raguard policy myraguardpolicy

Configures a policy for RA Guard.

Step 4

trusted-port

Example:

Device(config-nd-raguard)# trusted-port

Sets up a trusted port.

Step 5

device-role {host | monitor | router | switch}

Example:

Device(config-nd-raguard)# device-role router

Sets the role of the device attached to the port.

Configuring Non-IP Wireless Multicast (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. wireless multicast non-ip
  4. wireless multicast non-ip vlanid
  5. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

wireless multicast non-ip

Example:

Device(config)# wireless multicast non-ip

Device(config)# no wireless multicast non-ip

Enables non-IP multicast in all VLANs. Default value is enable. Wireless multicast must be enabled for the traffic to pass. Add no in the command to disable the non-IP multicast in all VLANs.

Step 4

wireless multicast non-ip vlanid

Example:

Device(config)# wireless multicast non-ip 5

Device(config)# no wireless multicast non-ip 5

Enables non-IP multicast per VLAN. Default value is enable. Both wireless multicast and wireless multicast non-IP must be enabled for traffic to pass. Add no in the command to disable the non-IP multicast per VLAN.

Step 5

end

Example:

Device(config)# end

Exits the configuration mode. Alternatively, press Ctrl-Z to exit the configuration mode.

Configuring Wireless Broadcast (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. wireless broadcast
  4. wireless broadcast vlan vlanid
  5. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

wireless broadcast

Example:

Device(config)# wireless broadcast

Device(config)# no wireless broadcast

Enables broadcast packets for wireless clients. Default value is disable. Enabling wireless broadcast enables broadcast traffic for each VLAN. Add no in the command to disable broadcasting packets.

Step 4

wireless broadcast vlan vlanid

Example:

Device(config)# wireless broadcast vlan 3 

Device(config)# no wireless broadcast vlan 3

Enables broadcast packets for a single VLAN. Default value is enable. Wireless broadcast must be enabled for broadcasting. Add no in the command to disable the broadcast traffic for each VLAN.

Step 5

end

Example:

Device(config)# end

Exits the configuration mode. Alternatively, press Ctrl-Z to exit the configuration mode.

Configuring IP Multicast VLAN for WLAN (CLI)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. wlan wlan_name
  4. shutdown
  5. ip multicast vlan {vlan_name | vlan_id}
  6. no shutdown
  7. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.
Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

wlan wlan_name

Example:

Device(config)# wlan test 1

Enters the configuration mode to configure various parameters in the WLAN.

Step 4

shutdown

Example:


Device(config-wlan)# shutdown

Disables WLAN.

Step 5

ip multicast vlan {vlan_name | vlan_id}

Example:

Device(config-wlan)# ip multicast vlan 5

Device(config-wlan)# no ip multicast vlan 5

Configures multicast VLAN for WLAN. Add no in the command to disable the multicast VLAN for WLAN.

Step 6

no shutdown

Example:


Device(config-wlan)# no shutdown

Enables the disabled WLAN.

Step 7

end

Example:

Device(config)# end

Exits the configuration mode. Alternatively, press Ctrl-Z to exit the configuration mode.

Monitoring Wireless Multicast

Table 1. Commands for Monitoring Wireless Multicast
Commands Description
show wireless multicast

Displays the multicast status and IP multicast mode, each VLAN's broadcast and non-IP multicast status. Also displays the mDNS bridging state.

show wireless multicast group summary

Displays all (Source, Group and VLAN) lists and the corresponding MGID value.

show wireless multicast [source source] group group vlan vlanid

Displays details of the given (S,G,V) and shows all of the clients associated with it and their MC2UC status.

show ip igmp snooping wireless mcast-spi-count

Displays statistics of the number of multicast SPIs per MGID sent between IOS and the Wireless Controller Module.

show ip igmp snooping wireless mgid

Displays the MGID mappings.

show ip igmp snooping igmpv2-tracking

Displays the client-to-SGV mappings and SGV-to-client mappings.

show ip igmp snooping querier vlan vlanid

Displays IGMP querier information for the specified VLAN.

show ip igmp snooping querier detail

Displays detailed IGMP querier information of all the VLANs.

show ipv6 mld snooping querier vlan vlanid

Displays MLD querier information for the specified VLAN.

show ipv6 mld snooping wireless mgid

Displays MGIDs for IPv6 multicast group.

Where to Go Next for Wireless Multicast

You can configure the following:

  • IGMP

  • PIM

  • SSM

  • IP Multicast Routing

  • Service Discovery Gateway