ON THIS PAGE
Example: Configuring IGMP Snooping
Understanding Multicast Snooping
Network devices such as routers operate mainly at the packet level, or Layer 3. Other network devices such as bridges or LAN switches operate mainly at the frame level, or Layer 2. Multicasting functions mainly at the packet level, Layer 3, but there is a way to map Layer 3 IP multicast group addresses to Layer 2 MAC multicast group addresses at the frame level.
Routers can handle both Layer 2 and Layer 3 addressing information because the frame and its addresses must be processed to access the encapsulated packet inside. Routers can run Layer 3 multicast protocols such as PIM or IGMP and determine where to forward multicast content or when a host on an interface joins or leaves a group. However, bridges and LAN switches, as Layer 2 devices, are not supposed to have access to the multicast information inside the packets that their frames carry.
How then are bridges and other Layer 2 devices to determine when a device on an interface joins or leaves a multicast tree, or whether a host on an attached LAN wants to receive the content of a particular multicast group?
The answer is for the Layer 2 device to implement multicast snooping. Multicast snooping is a general term and applies to the process of a Layer 2 device “snooping” at the Layer 3 packet content to determine which actions are taken to process or forward a frame. There are more specific forms of snooping, such as IGMP snooping or PIM snooping. In all cases, snooping involves a device configured to function at Layer 2 having access to normally “forbidden” Layer 3 (packet) information. Snooping makes multicasting more efficient in these devices.
Understanding IGMP Snooping
Snooping is a general way for Layer 2 devices, such as Juniper Networks MX Series Ethernet Services Routers, to implement a series of procedures to “snoop” at the Layer 3 packet content to determine which actions are to be taken to process or forward a frame. More specific forms of snooping, such as Internet Group Membership Protocol (IGMP ) snooping or Protocol Independent Multicast (PIM) snooping, are used with multicast.
Layer 2 devices (LAN switches or bridges) handle multicast packets and the frames that contain them much in the same way the Layer 3 devices (routers) handle broadcasts. So, a Layer 2 switch processes an arriving frame having a multicast destination media access control (MAC) address by forwarding a copy of the packet (frame) onto each of the other network interfaces of the switch that are in a forwarding state.
However, this approach (sending multicast frames everywhere the device can) is not the most efficient use of network bandwidth, particularly for IPTV applications. IGMP snooping functions by “snooping” at the IGMP packets received by the switch interfaces and building a multicast database similar to that a multicast router builds in a Layer 3 network. Using this database, the switch can forward multicast traffic only onto downstream interfaces with interested receivers, and this technique allows more efficient use of network bandwidth.
You configure IGMP snooping for each bridge on the router. A bridge instance without qualified learning has just one learning domain. For a bridge instance with qualified learning, snooping will function separately within each learning domain in the bridge. That is, IGMP snooping and multicast forwarding will proceed independently in each learning domain in the bridge.
This discussion focuses on bridge instances without qualified learning (those forming one learning domain on the device). Therefore, all the interfaces mentioned are logical interfaces of the bridge or VPLS instance.
Several related concepts are important when discussing IGMP snooping:
Bridge or VPLS instance interfaces are either multicast-router interfaces or host-side interfaces.
IGMP snooping supports proxy mode or without-proxy mode.
When integrated routing and bridging (IRB) is used, if the router is an IGMP querier, any leave message received on any Layer 2 interface will cause a group-specific query on all Layer 2 interfaces (as a result of this practice, some corresponding reports might be received on all Layer 2 interfaces). However, if some of the Layer 2 interfaces are also router (Layer 3) interfaces, reports and leaves from other Layer 2 interfaces will not be forwarded on those interfaces.
If an IRB interface is used as an outgoing interface in a multicast forwarding cache entry (as determined by the routing process), then the output interface list is expanded into a subset of the Layer 2 interface in the corresponding bridge. The subset is based on the snooped multicast membership information, according to the multicast forwarding cache entry installed by the snooping process for the bridge.
If no snooping is configured, the IRB output interface list is expanded to all Layer 2 interfaces in the bridge.
The Junos OS does not support IGMP snooping in a VPLS configuration on a virtual switch. This configuration is disallowed in the CLI.
IGMP snooping is supported on AE interfaces, however, it is not supported on AE interfaces in combination with IRB interfaces.
IGMP Snooping Interfaces and Forwarding
IGMP snooping divides the device interfaces into multicast-router interfaces and host-side interfaces. A multicast-router interface is an interface in the direction of a multicasting router. An interface on the bridge is considered a multicast-router interface if it meets at least one of the following criteria:
It is statically configured as a multicast-router interface in the bridge instance.
IGMP queries are being received on the interface.
All other interfaces that are not multicast-router interfaces are considered host-side interfaces.
Any multicast traffic received on a bridge interface with IGMP snooping configured will be forwarded according to following rules:
Any IGMP packet is sent to the Routing Engine for snooping processing.
Other multicast traffic with destination address 224.0.0/24 is flooded onto all other interfaces of the bridge.
Other multicast traffic is sent to all the multicast-router interfaces but only to those host-side interfaces that have hosts interested in receiving that multicast group.
IGMP Snooping and Proxies
Without a proxy arrangement, IGMP snooping does not generate or introduce queries and reports. It will only “snoop” reports received from all of its interfaces (including multicast-router interfaces) to build its state and group (S,G) database.
Without a proxy, IGMP messages are processed as follows:
Query—All general and group-specific IGMP query messages received on a multicast-router interface are forwarded to all other interfaces (both multicast-router interfaces and host-side interfaces) on the bridge.
Report—IGMP reports received on any interface of the bridge are forwarded toward other multicast-router interfaces. The receiving interface is added as an interface for that group if a multicast routing entry exists for this group. Also, a group timer is set for the group on that interface. If this timer expires (that is, there was no report for this group during the IGMP group timer period), then the interface is removed as an interface for that group.
Leave—IGMP leave messages received on any interface of the bridge are forwarded toward other multicast-router interfaces on the bridge. The Leave Group message reduces the time it takes for the multicast router to stop forwarding multicast traffic when there are no longer any members in the host group.
Proxy snooping reduces the number of IGMP reports sent toward an IGMP router.
With proxy snooping configured, an IGMP router is not able to perform host tracking.
As proxy for its host-side interfaces, IGMP snooping in proxy mode replies to the queries it receives from an IGMP router on a multicast-router interface. On the host-side interfaces, IGMP snooping in proxy mode behaves as an IGMP router and sends general and group-specific queries on those interfaces.
Only group-specific queries are generated by IGMP snooping directly. General queries received from the multicast-router interfaces are flooded to host-side interfaces.
All the queries generated by IGMP snooping are sent using 0.0.0.0 as the source address. Also, all reports generated by IGMP snooping are sent with 0.0.0.0 as the source address unless there is a configured source address to use.
Proxy mode functions differently on multicast-router interfaces than it does on host-side interfaces.
Multicast-Router Interfaces and IGMP Snooping Proxy Mode
On multicast-router interfaces, in response to IGMP queries, IGMP snooping in proxy mode sends reports containing aggregate information on groups learned on all host-side interfaces of the bridge.
Besides replying to queries, IGMP snooping in proxy mode forwards all queries, reports, and leaves received on a multicast-router interface to other multicast-router interfaces. IGMP snooping keeps the membership information learned on this interface but does not send a group-specific query for leave messages received on this interface. It simply times out the groups learned on this interface if there are no reports for the same group within the timer duration.
For the hosts on all the multicast-router interfaces, it is the IGMP router, not the IGMP snooping proxy, that generates general and group-specific queries.
Host-Side Interfaces and IGMP Snooping Proxy Mode
No reports are sent on host-side interfaces by IGMP snooping in proxy mode. IGMP snooping processes reports received on these interfaces and sends group-specific queries onto host-side interfaces when it receives a leave message on the interface. Host-side interfaces do not generate periodic general queries, but forwards or floods general queries received from multicast-router interfaces.
If a group is removed from a host-side interface and this was the last host-side interface for that group, a leave is sent to the multicast-router interfaces. If a group report is received on a host-side interface and this was the first host-side interface for that group, a report is sent to all multicast-router interfaces.
IGMP Snooping and Bridge Domains
IGMP snooping on a VLAN is only allowed for the legacy vlan-id all case. In other cases, there is a specific bridge domain configuration that determines the VLAN-specific configuration for IGMP snooping.
Configuring IGMP Snooping
To configure Internet Group Management Protocol (IGMP) snooping, include the igmp-snooping statement:
You can include this statement at the following hierarchy levels:
[edit bridge-domains bridge-domain-name protocols]
[edit routing-instances routing-instance-name bridge-domains bridge-domain-name protocols]
By default, IGMP snooping is not enabled. Statements configured at the VLAN level apply only to that particular VLAN.
Configuring VLAN-Specific IGMP Snooping Parameters
All of the IGMP snooping statements configured with the igmp-snooping statement, with the exception of the traceoptions statement, can be qualified with the same statement at the VLAN level. To configure IGMP snooping parameters at the VLAN level, include the vlan statement:
You can include this statement at the following hierarchy levels:
[edit bridge-domains bridge-domain-name protocols igmp-snooping]
[edit routing-instances routing-instance-name bridge-domains bridge-domain-name protocols igmp-snooping]
Example: Configuring IGMP Snooping
This example shows how to configure IGMP snooping. IGMP snooping can reduce unnecessary traffic from IP multicast applications.
This example uses the following hardware components:
One MX Series router
One Layer 3 device functioning as a multicast router
Before you begin:
Configure the interfaces. See the Interfaces User Guide for Security Devices.
Configure an interior gateway protocol. See the Junos OS Routing Protocols Library.
Configure a multicast protocol. This feature works with the following multicast protocols:
Overview and Topology
IGMP snooping controls multicast traffic in a switched network. When IGMP snooping is not enabled, the Layer 2 device broadcasts multicast traffic out of all of its ports, even if the hosts on the network do not want the multicast traffic. With IGMP snooping enabled, a Layer 2 device monitors the IGMP join and leave messages sent from each connected host to a multicast router. This enables the Layer 2 device to keep track of the multicast groups and associated member ports. The Layer 2 device uses this information to make intelligent decisions and to forward multicast traffic to only the intended destination hosts.
This example includes the following statements:
proxy—Enables the Layer 2 device to actively filter IGMP packets to reduce load on the multicast router. Joins and leaves heading upstream to the multicast router are filtered so that the multicast router has a single entry for the group, regardless of how many active listeners have joined the group. When a listener leaves a group but other listeners remain in the group, the leave message is filtered because the multicast router does not need this information. The status of the group remains the same from the router's point of view.
immediate-leave—When only one IGMP host is connected, the immediate-leave statement enables the multicast router to immediately remove the group membership from the interface and suppress the sending of any group-specific queries for the multicast group.
When you configure this feature on IGMPv2 interfaces, ensure that the IGMP interface has only one IGMP host connected. If more than one IGMPv2 host is connected to a LAN through the same interface, and one host sends a leave message, the router removes all hosts on the interface from the multicast group. The router loses contact with the hosts that properly remain in the multicast group until they send join requests in response to the next general multicast listener query from the router.
When IGMP snooping is enabled on a router running IGMP version 3 (IGMPv3) snooping, after the router receives a report with the type BLOCK_OLD_SOURCES, the router suppresses the sending of group-and-source queries but relies on the Junos OS host-tracking mechanism to determine whether or not it removes a particular source group membership from the interface.
query-interval—Enables you to change the number of IGMP messages sent on the subnet by configuring the interval at which the IGMP querier router sends general host-query messages to solicit membership information.
By default, the query interval is 125 seconds. You can configure any value in the range 1 through 1024 seconds.
query-last-member-interval—Enables you to change the amount of time it takes a device to detect the loss of the last member of a group.
The last-member query interval is the maximum amount of time between group-specific query messages, including those sent in response to leave-group messages.
By default, the last-member query interval is 1 second. You can configure any value in the range 0.1 through 0.9 seconds, and then 1-second intervals from 1 through 1024 seconds.
query-response-interval—Configures how long the router waits to receive a response from its host-query messages.
By default, the query response interval is 10 seconds. You can configure any value in the range 1 through 1024 seconds. This interval should be less than the interval set in the query-interval statement.
robust-count—Provides fine-tuning to allow for expected packet loss on a subnet. It is basically the number of intervals to wait before timing out a group. You can wait more intervals if subnet packet loss is high and IGMP report messages might be lost.
By default, the robust count is 2. You can configure any value in the range 2 through 10 intervals.
group-limit—Configures a limit for the number of multicast groups (or [S,G] channels in IGMPv3) that can join an interface. After this limit is reached, new reports are ignored and all related flows are discarded, not flooded.
By default, there is no limit to the number of groups that can join an interface. You can configure a limit in the range 0 through a 32-bit number.
host-only-interface—Configure an IGMP snooping interface to be an exclusively host-side interface. On a host-side interface, received IGMP queries are dropped.
By default, an interface can face either other multicast routers or hosts.
multicast-router-interface—Configures an IGMP snooping interface to be an exclusively router-facing interface.
By default, an interface can face either other multicast routers or hosts.
static—Configures an IGMP snooping interface with multicast groups statically.
By default, the router learns about multicast groups on the interface dynamically.
Figure 1 shows networks without IGMP snooping. Suppose host A is an IP multicast sender and hosts B and C are multicast receivers. The router forwards IP multicast traffic only to those segments with registered receivers (hosts B and C). However, the Layer 2 devices flood the traffic to all hosts on all interfaces.
Figure 2 shows the same networks with IGMP snooping configured. The Layer 2 devices forward multicast traffic to registered receivers only.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IGMP snooping:
Configure the bridge domain.[edit bridge-domains domain1]user@host# set domain-type bridgeuser@host# set interface ge-0/0/1.1user@host# set interface ge-0/0/2.1user@host# set interface ge-0/0/3.1
Enable IGMP snooping and configure the router to serve as a proxy.[edit bridge-domains domain1]user@host# set protocols igmp-snooping proxy
Configure the limit for the number of multicast groups allowed on the ge-0/0/1.1 interface to 50.[edit bridge-domains domain1]user@host# set protocols igmp-snooping interface ge-0/0/1.1group-limit 50
Configure the router to immediately remove a group membership from an interface when it receives a leave message from that interface without waiting for any other IGMP messages to be exchanged.[edit bridge-domains domain1]user@host# set protocols igmp-snooping immediate-leave
Statically configure IGMP group membership on a port.[edit bridge-domains domain1]user@host# set protocols igmp-snooping interface ge-0/0/3.1 static group 22.214.171.124
Configure an interface to be an exclusively router-facing interface (to receive multicast traffic).[edit bridge-domains domain1]user@host# set protocols igmp-snooping interface ge-0/0/2.1 multicast-router-interface
Configure an interface to be an exclusively host-facing interface (to drop IGMP query messages).[edit bridge-domains domain1]user@host# set protocols igmp-snooping interface ge-0/0/1.1 host-only-interface
Configure the IGMP message intervals and robustness count.[edit bridge-domains domain1]user@host# set protocols igmp-snoopingrobust-count 4user@host# set protocols igmp-snooping query-last-member-interval 0.1user@host# set protocols igmp-snooping query-interval 200user@host# set protocols igmp-snooping query-response-interval 0.4
If you are done configuring the device, commit the configuration.user@host# commit
Confirm your configuration by entering the show bridge-domains command.
To verify the configuration, run the following commands:
Configuring IGMP Snooping Trace Operations
Tracing operations record detailed messages about the operation of routing protocols, such as the various types of routing protocol packets sent and received, and routing policy actions. You can specify which trace operations are logged by including specific tracing flags. The following table describes the flags that you can include.
Trace all operations.
Trace general flow.
Trace group operations.
Trace host notifications.
Trace leave group messages (IGMPv2 only).
Trace normal events.
Trace all IGMP packets.
Trace policy processing.
Trace IGMP membership query messages.
Trace membership report messages.
Trace routing information.
Trace state transitions.
Trace routing protocol task processing.
Trace timer processing.
You can configure tracing operations for IGMP snooping globally or in a routing instance. The following example shows the global configuration.
To configure tracing operations for IGMP snooping:
- Configure the filename for the trace file.
- (Optional) Configure the maximum number of trace files.
- (Optional) Configure the maximum size of each trace file.
- (Optional) Enable unrestricted file access.
- Configure tracing flags. Suppose you are troubleshooting issues with a policy related to received packets on a particular logical interface with an IP address of 192.168.0.1. The following example shows how to flag all policy events for received packets associated with the IP address.
- View the trace file.user@host> file list /var/loguser@host> file show /var/log/igmp-snoop-trace