Re: Multicast Limit on 3550

From: Bob Sinclair (bob@bobsinclair.net)
Date: Mon Oct 10 2005 - 15:19:43 GMT-3

• Next message: The Great Ryan: "Some parameters in Police command"
• Previous message: Ashok M A: "Re: Multicast Limit on 3550"
• Maybe in reply to: Bob Sinclair: "Re: Multicast Limit on 3550"
• Next in thread: Ashok M A: "Re: Multicast Limit on 3550"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Ashok,

There are two issues here. Perhaps we can sort them out separately.

Issue one: Does disabling igmp snooping on a vlan prevent the switch from
associating an IP mac address with the port outgoing to an attached client?

To answer this question:
1. disable igmp snooping for the vlan
2. issue a join-group command on a router interface directly connected to a
switch.
3. Wait a few minutes. On the switch, issue the command; sh
mac-address-table multicast igmp-snooping. You should NOT see any 01-00-5e
addresses associated with ports outgoint to the attached client. If you do,
something is not right. Try this with snooping enabled and with snooping
disabled. You should see a difference.

Issue two: IF igmp-snooping is disabled for a vlan, AND an IP multicast mac
address is statically associated with a port in that vlan, THEN clients
connected to that switch on OTHER ports shold not receive the multicast.

Ashok, please try to tease these issues out separately. The basic idea is
this: switches flood multicast because they have not associated the multicast
mac address with any port. If you statically associate the mac address with a
port, the switch will not flood it. If, IGMP snooping is disabled, then other
ports cannot be associated with that MAC, and do not receive it. Works for
me.

Please show which port on SW2 R8 is connected to, its configuration, and MAC
table entries associated with that port.

HTH,

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net

  ----- Original Message -----
  From: Ashok M A
  To: Bob Sinclair ; gladston@br.ibm.com ; ccielab@groupstudy.com
  Sent: Monday, October 10, 2005 1:54 PM
  Subject: Re: Multicast Limit on 3550

  Hi Bob,

  Here is the config and more information:

  Switch
  ~~~~~~
  SW2#sh ip igmp snooping vlan 1
  Global IGMP Snooping configuration:
  -----------------------------------
  IGMP snooping : Enabled
  IGMPv3 snooping (minimal) : Enabled
  Report suppression : Enabled
  TCN solicit query : Disabled
  TCN flood query count : 2

  Vlan 1:
  --------
  IGMP snooping : Disabled
  Immediate leave : Disabled
  Multicast router learning mode : pim-dvmrp
  Source only learning age timer : 10

  SW2#show run | inc mac-address
  mac-address-table static 0100.5e01.0102 vlan 1
  interface GigabitEthernet0/8
  SW2#
  ~~~~~~

  R8#show run int e0
  Building configuration...

  Current configuration : 124 bytes
  !
  interface Ethernet0
   ip address 22.22.22.8 255.255.255.0
   ip igmp join-group 224.1.1.2
   ip igmp join-group 224.1.1.8
  end

  R8#
  ~~~~~

  In the above config i disabled snooping and given
  static mac-address for 224.1.1.2 group. With this i
  should not able to ping 224.1.1.8 address.

  Test result is as follows:
  ~~~~
  R1#ping 224.1.1.8

  Type escape sequence to abort.
  Sending 1, 100-byte ICMP Echos to 224.1.1.8, timeout
  is 2 seconds:

  Reply to request 0 from 22.22.22.8, 240 ms
  Reply to request 0 from 22.22.22.8, 320 ms
  R1#ping 224.1.1.2

  Type escape sequence to abort.
  Sending 1, 100-byte ICMP Echos to 224.1.1.2, timeout
  is 2 seconds:

  Reply to request 0 from 22.22.22.8, 236 ms
  Reply to request 0 from 22.22.22.8, 312 ms
  R1#
  ~~~~~

  But if i now change the static mac address entry, for
  example to port g0/9, it will be getting dropped.

  ~~~~
  on switch:

  mac-address-table static 0100.5e01.0102 vlan 1
  interface GigabitEthernet0/9

  R1#ping 224.1.1.2 repeat 2

  Type escape sequence to abort.
  Sending 2, 100-byte ICMP Echos to 224.1.1.2, timeout
  is 2 seconds:
  ..
  R1#
  R1#
  R1#ping 224.1.1.8 repeat 2

  Type escape sequence to abort.
  Sending 2, 100-byte ICMP Echos to 224.1.1.8, timeout
  is 2 seconds:

  Reply to request 0 from 22.22.22.8, 76 ms
  Reply to request 0 from 22.22.22.8, 92 ms
  Reply to request 1 from 22.22.22.8, 80 ms
  Reply to request 1 from 22.22.22.8, 92 ms
  R1#
  ~~~~~~~

  Thanks,
  Ashok

  --- Bob Sinclair <bob@bobsinclair.net> wrote:

> Ashok,
>
> To confirm my understanding; are you saying that
> when you disable igmp snooping for a vlan, that the
> switch still dynamically assigns multicast addresses
> to ports based on the reception of IGMP membership
> reports from directly attached clients? This is not
> the behavior I would expect. Could you post some
> show commands?
>
> Bob Sinclair
> CCIE #10427, CCSI 30427, CISSP
> www.netmasterclass.net
>
> ----- Original Message -----
> From: Ashok M A
> To: bsinclair@netmasterclass.net ;
> gladston@br.ibm.com ; ccielab@groupstudy.com
> Sent: Monday, October 10, 2005 12:57 PM
> Subject: RE: Multicast Limit on 3550
>
>
> Hi Bob,
>
> I tried your solution given below and it doesn't
> seem
> to work:
> ~~~~
> no ip igmp snooping vlan 1
> mac-address-table static 0100.5e40.0101 vlan 1
> interface FastEthernet0/3
> ~~~~
>
> Looks like even snooping is disabled, mac address
> is
> learnt at the switch. Correct me if i am wrong.
>
>
> Thanks & Regards,
>
> Ashok M A
>
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of Bob
> Sinclair
> Sent: Thursday, September 23, 2004 3:32 AM
> To: gladston@br.ibm.com; ccielab@groupstudy.com
> Subject: Re: Multicast Limit on 3550
>
> Gladston,
>
> Either of those two scenarios will work. You can
> block the igmp membership reports with igmp
> filters on
> each disallowed layer 2 interface. If you are
> using
> routers to simulate the host, do not configure PIM
> on
> the interface.
> The mroute table on the upstream router should not
> indicate a connected host on that interface.
>
> You could also disable igmp snooping for the vlan
> and
> hard-code the multicast mac to the permitted
> interfaces, like so:
>
> no ip igmp snooping vlan 1
> mac-address-table static 0100.5e40.0101 vlan 1
> interface FastEthernet0/3
>
> HTH
>
> Bob Sinclair
> CCIE #10427, CISSP, MCSE
> www.netmasterclass.net
>
> ----- Original Message -----
> From: <gladston@br.ibm.com>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, September 22, 2004 2:55 PM
> Subject: Multicast Limit on 3550
>
>
> > How would you limit just some hosts connected to
> a
> 3550 to receive
> > multicast packets destinated to 239.192.1.1?
> >
> > I am reading "Configuring IGMP Snooping and MVR"
> but
> could not find a
> > specific answer.
> >
> > An indirectly way seems to be configure IGMP
> Profile
> on each interface.
> >
> > Globally disabling IGMP and configuring static
> MACs
> would work? Or 3550 by
> > default forward multicast packets to all ports
> when
> IGMP is disabled, as
> > 5500 when CGMP is disabled?
> >
>
>
>
>
>
>
  __________________________________________________________
>
> Yahoo! India Matrimony: Find your partner now. Go
> to http://yahoo.shaadi.com
>

  __________________________________________________________
  Yahoo! India Matrimony: Find your partner now. Go to
http://yahoo.shaadi.com

• Next message: The Great Ryan: "Some parameters in Police command"
• Previous message: Ashok M A: "Re: Multicast Limit on 3550"
• Maybe in reply to: Bob Sinclair: "Re: Multicast Limit on 3550"
• Next in thread: Ashok M A: "Re: Multicast Limit on 3550"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3