Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1639
Views
5
Helpful
3
Replies

Is IGMP snooping "leaky"?

Kevin Dorrell
Level 10
Level 10

‎06-01-2010 08:47 AM - edited ‎03-06-2019 11:22 AM

Hello everybody.  Here is a question for the experienced multicast experts.

I have a couple of problems that make me think that IGMP snooping is not doing what I thought it should be doing.

First, just to summarize what I think I know about IGMP snooping ....  Without IGMP snooping, multicast frames would be flooded to all switch ports.  When IGMP snopping is enabled this should not happen.  The switch observes the IGMP traffic between the hosts and the multicast router, and sends a multicast stream only to those ports that have expressed an interest in it.  The exception is the mrouter port, which gets a copy of everything multicast, and which is detected because he switch sees PIM etc on it.  So, as I understand it, if a host is not generating IGMP reports, it should not see any multicast, not even the IGMP queries from the router.  (Except for the low 224. addresses, of course, which are flooded anyway.)

So, problem 1, is that I have a server that is seeing a multicast stream that it is not supposed to be seeing.  If I look at show ip igmp snooping groups on the switch, in fact there is nothing on that particular switch that has any entries in the igmp snooping table.  If I look at show ip igmp snooping mrouter, the mrouter port is exactly where I expect it to be .. on the uplink.  No other host on this switch is receiving the multicast stream.  The only difference between this host and the others is that this host is connected via an LACP-controlled EtherChannel bundle.  BTW, the switch uplink is also an EtherChannel.  Could there be an issue with IGMP snooping on an EtherChannel port?  The switch is a 2960G and the upstream is a 4500.

Problem 2 is similar - multicasts going where they are not expected to go.  In this case, there is no EtherChannel involved.  It is a switchport connected to a sniffer that I use to benchmark the background traffic (i.e. floods and broadcasts)  on a VLAN.  The sniffer is not generating any IGMP reports.  Yet the sniffer sees IGMP queries for one particular group (228.200.200.201) from the mcast router on the switchport.  There are many multicast streams on that VLAN on this particular switch, which is a 4500.  It is strange that my sniffer sees the IGMP queries for the 228.200.200.201 group, but not for any other group.  Why should that be?  I know my sniffer is not generating any IGMP reports.  BTW, once again, the show ip igmp snooping groups does not show the sniffer port in the list for the 228.200.200.201 group, and the mrouter port is exactly where I expect it to be - on the link to the mrouter.

Has anyone else seen similar behaviors?

Sorry I have "out of office" recently - I have been a bit busy studying to renew my cert.  At least I am safe now for the next couple of years.

Kevin Dorrell

CCIE #20765

Luxembourg

Labels:
0 Helpful
3 Replies 3

Kevin Dorrell
Level 10
Level 10

‎06-02-2010 02:50 AM

Bump!

Does nobody know about IGMP snooping?  Has anyone seen any behavior like this?

Or, please, at least tell me if I am wrong in my expectations of IGMP snooping, and why.

Otherwise I might have to open a TAC case.

Kevin Dorrell

CCIE #20765

Luxembourg

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Kevin Dorrell

‎06-02-2010 03:02 AM

Hello Kevin,

>> Sorry I have "out of office" recently - I have been a bit busy studying to renew my cert.  At least I am safe now for the next couple of years.

this is good news

about your isse: I would open a case for first case it is clearly misbehaving.

for the sniffer: you have put the sniffer on a standard port just to monitor traffic that is flooded on the vlan ? if so it is strange to see those messages

Hope to help

Giuseppe

Kevin Dorrell
Level 10
Level 10
In response to Giuseppe Larosa

‎06-02-2010 06:38 AM

Thanks Giuseppe for confirming at least that the behavior seems strange.  In these cases I always begin to doubt my own sanity. 

I shall open some TAC cases and let you know the result.

Grazie ancora. A presto.

Ciao,

Kevin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card