Multicast IGMP

Similar Messages

• Enabling VM Guest NLB w/Multicast IGMP on 2012 Hyper-V host w/ converged SCVMM fabric switch

  What a mouthful.
  As short as possible: 
  WHAT I'M ATTEMPTING:
  I'm trying to build a new NLB cluster for a 2008 R2 SP1 Remote Desktop Services farm. And I'm trying to do it the right way, with multicast igmp, not unicast. 
  The two guest VMs with NLB install converge fine. VIP gets this:
  IP: 192.168.100.157
  MAC: 01-00-5e-7f-64-9d
  NLB NIC is on the same VLAN & "Converged switch" in VMM as our mgmt/server traffic (That is to say it's on production VLAN, not on a separate vlan) 
  PROBLEM:
  Can't ping 100.157. From VM guest itself, from host, or from Cisco 6509 switch. 
  Cisco show mac address lookup does not see that MAC anywhere
  show ip igmp groups shows not igmp traffic at all. Clearing counters show sno multicast increment.
  FURTHERMORE:
  Host is setup thusly:
  - Dell R810
  - 8x1GbE Broadcom 5709c in a Server 2012 LACP/HASH team built via VMM powershell cmdlets
  - On the physical switch side, those 8 nics are in a Cisco port-channel, trunked, all VLANs allowed
  -  Host has no "physical" nics per se, as in a 2008 R2 hyper-v host. Instead Host has these:
  Set-VMNetworkAdapter -ManagementOS -Name "Live Migrate" -MinimumBandwidthWeight 35
  Set-VMNetworkAdapter -ManagementOS -Name "MGMT" -MinimumBandwidthWeight 25
  Set-VMNetworkAdapter -ManagementOS -Name "CSV" -MinimumBandwidthWeight 40
  Set-VMNetworkAdapter -ManagementOS -Name "iSCSI #1" -MinimumBandwidthWeight 0
  Set-VMNetworkAdapter -ManagementOS -Name "iSCSI #2" -MinimumBandwidthWeight 0
  Set-VMNetworkAdapter -ManagementOS -Name "Aux" -MinimumBandwidthWeight 0
  Get-VMSwitch outputs this on the converged v-switch: 
  ComputerName : My-host
  Name : My awesome switch
  Id : e2377ce3-12b4-4243-9f51-e14a21f91844
  Notes :
  SwitchType : External
  AllowManagementOS : True
  NetAdapterInterfaceDescription : Microsoft Network Adapter Multiplexor
  Driver
  AvailableVMQueues : 0
  NumberVmqAllocated : 0
  IovEnabled : False
  IovVirtualFunctionCount : 0
  IovVirtualFunctionsInUse : 0
  IovQueuePairCount : 0
  IovQueuePairsInUse : 0
  AvailableIPSecSA : 0
  NumberIPSecSAAllocated : 0
  BandwidthPercentage : 0
  BandwidthReservationMode : Weight
  DefaultFlowMinimumBandwidthAbsolute : 0
  DefaultFlowMinimumBandwidthWeight : 1
  Extensions : {Microsoft NDIS Capture, Microsoft
  Windows Filtering Platform, Microsoft
  VMM DHCPv4 Server Switch Extension}
  IovSupport : False
  IovSupportReasons : {This network adapter does not support
  SR-IOV.}
  IsDeleted : False
  Question:
  Aside from a few of my favorite MS MVPs (shout out to
  WorkingHardInIt for having this same question), I can't find much documentation on employing 2008 R2 NLB on guest VM within a fabric-oriented, VMM-built 2012 Hyper-Visor converged switch (no network virtualization...yet).
  Yes I know all about VMM NLB but 1) I'm trying to wedge NLB in after building these VMs without a service template (NLB is the audible, essentially) and 2) MS NLB is configured in providers & I've created requisite VIP templates. 
  Even so, I ought to be able to create an NLB cluster without VMM's assistance in this scenario correct? Suboptimal, I know but possible, yes? Essentially I've put to synthetic NICs on each VM, set IPs manually, and assigned them to the same vlan. I can ping
  each synthetic NIC, but not the cluster IP. 
  And yes: these particular vNICs have Mac Address Spoofing enabled. 
  Cisco:
  I have a TAC case open with Cisco, but they can't quite figure it out either. IGMP Snooping enabled across the switch. And they insist that the old static arp entry to resolve this problem is no longer necessary, that Microsoft now complies with relevant
  RFCs
  Possible SOlution:
  Only thing I can think of is flipping MulticastForwarding param below from disabled to enabled. Anybody ever tried it on a converged virtual switch on the Hyper visor? Is my virtual converged switch protecting
  me from multicast igmp packets? 
  PS C:\utilities> Get-NetIPv4Protocol
  DefaultHopLimit : 128
  NeighborCacheLimit(Entries) : 1024
  RouteCacheLimit(Entries) : 128
  ReassemblyLimit(Bytes) : 1560173184
  IcmpRedirects : Enabled
  SourceRoutingBehavior : DontForward
  DhcpMediaSense : Enabled
  MediaSenseEventLog : Disabled
  IGMPLevel : All
  IGMPVersion : Version3
  MulticastForwarding : Disabled
  GroupForwardedFragments : Disabled
  RandomizeIdentifiers : Enabled
  AddressMaskReply : Disabled
  Thanks for any thoughts. 
  Robert

  Sorry for the poor follow-up Steven. We are using Server 2012 Hyper-V, not VMWare, on the hosts. You can close this but for the benefit of anyone who comes across it: 
  After working with Cisco, we decided not to implement multicast IGMP. Cisco says you still need to create a static ARP entry on the physical switch, though my cluster IP address & Microsoft NLB 2008 R2 were set up with igmp multicast, not multicast or
  unicast. Here was his email:
  Yes, we will need the static mapping for the NLB server in this case because the NLB mac address is multicast and the IP address is unicast. I was under the impression that even the server would be using IGMP but that’s not
  the case. We won’t need to do the mapping for the nodes though if they use IGMP. To this end, following is the configuration that should make this work.rp 192.168.100.157
  0100.5e7f.649d arpa
  <u5:p></u5:p>
  mac address-table static 0000.0000.649d vlan <> interface <> disable-snooping  
  ßThis is the switch interface where the NLB server is located<u5:p></u5:p>
   interface vlan<>
  <u5:p></u5:p>
  ip pim sparse-dense-mode     <- This is needed for the switch to elicit IGMP joins from the nodes<u5:p></u5:p>
  end<u5:p></u5:p>
  I don't think it got through to him that there was a virtual Layer 2/3 Hyper-V switch on top of 8 teamed GbE interfaces in LACP/hash. "Where the NLB server is located" = 1)a Cisco port-channel bound to one of six physical hosts; the NLB VM itself could be
  on any of those port channels at any given time (We have a six node Hyper-V cluster). 
  Once I enabled pim I did see activity; but we killed this later as we realized we'd have to implement the same on 40+ managed routers globally
  Anyway we further would have had to implement this across managed routers at 40 sites globally according to Cisco. 
  Robert

• Multicast (IGMP) in new  air port extreme??

  multicast (IGMP) in new  air port extreme??

  You can get to IGMP settings going to AirPort utility. In network tab there are extended network options tab then enable IGMP tracking (or something like this, I don't know how it named in english version)
  Ed.
  But! If you enable this option, this won't get multicast to you.
  You still won't connect to multicast streams on 224.0.0.0-224.0.0.255
  Message was edited by: A1l3

• Some basic problems with multicast, IGMP & NLB

  Hi out there
  We have two DC's with 10G interconnection in  between - these connections are run as L2 links - put into a set of  nexus 5000 (the old nx5020) - acting access-switches - and uplinked to a  set of nexus 7009 which act as L3 switch for us.
  We  have a cluster of vmware boxes in each site and are running MS windows  2008 machines with MS NLB for TerminalServices - in IGMP multicast mode -  in VLAN 21.
  Now I looked in the log of the nexus 7000 and found that the PIM DR is "flapping" between the two sites from time to time:
  2013  Nov 25 22:50:58 ve-coresw-01 %PIM-5-DR_CHANGE:  pim [26128]  DR change  from 172.21.159.253 to 172.21.144.3 on interface Vlan21
  2013 Nov  25 22:51:54 ve-coresw-01 %PIM-5-DR_CHANGE:  pim [26128]  DR change from  172.21.144.3 to 172.21.159.253 on interface Vlan21
  2013 Nov 25  23:26:07 ve-coresw-01 %PIM-5-DR_CHANGE:  pim [26128]  DR change from  172.21.159.253 to 172.21.144.3 on interface Vlan21
  2013 Nov 25  23:26:10 ve-coresw-01 %PIM-5-DR_CHANGE:  pim [26128]  DR change from  172.21.144.3 to 172.21.159.253 on interface Vlan21
  I am not that familiar with multicast but the basic concepts are there - in the vrf I have defined
  ip pim ssm range 232.0.0.0/8
  the vlan is defined as:
  vlan configuration 21
    layer-2 multicast lookup mac
  vlan 2001
  under the SVI interface vlan 21 I have also defined - and there is a sample showning the nlb
  interface Vlan21
    vrf member DMZ_21
    no ip redirects
    ip address 172.21.144.3/20
    ip pim sparse-mode
    ip arp 172.21.149.19 0100.5E7F.9513
  these flapping should only occur if the keep-alives between the two sites are missed 3 times
  The uplinks to the nexus 5000 are defined as mrouters
  vlan 21
    ip igmp snooping mrouter interface port-channel5
    ip igmp snooping mrouter interface port-channel16
  SW5020-01# sh ip igmp snooping vl 21
  IGMP Snooping information for vlan 21
    IGMP snooping enabled
    IGMP querier present, address: 172.21.144.3, version: 2, interface port-channel5  -> the DR on the nx7k
    Switch-querier disabled
    IGMPv3 Explicit tracking enabled
    IGMPv2 Fast leave disabled
    IGMPv1/v2 Report suppression enabled
    IGMPv3 Report suppression disabled
    Link Local Groups suppression enabled
    Router port detection using PIM Hellos, IGMP Queries
    Number of router-ports: 3
    Number of groups: 3
    VLAN vPC function enabled
    Active ports:
      Po10        Po15    Eth1/3  Eth1/11
      Eth1/12     Eth1/13 Eth1/14 Eth1/15
      Eth1/16     Eth1/17 Eth1/18 Eth1/19
      Eth1/20     Eth1/25 Eth1/26 Eth1/27
      Eth1/28     Eth1/29 Eth1/30 Eth1/31
      Eth1/32     Po16    Po5
  The  link between the two sites - and boxes - is running error-free. As far  as I can see there hasn't been any problems in that vlan since ??
  If I look at f.ex spanning-tree the topology hast changed for long time in that vlan (2 weeks).
  Could I harden the igmp multicast setup?
  What is happening when a DR is changing? Will the multicast stop work or what happens?
  As  far as I understood the DR is the service which forwards the multicast  traffic to the groups so if suddenly some re-negotiation occurs I would  expect that the active traffic will be interrupted.
  here the actual MS NLB clusters adresses:
  SW5020-01# sh ip igmp snooping groups vl 21
  Type: S - Static, D - Dynamic, R - Router port
  Vlan  Group Address      Ver  Type  Port list
  21  */*                -    R     Po10 Po16 Po5
  21  239.255.149.19     v1   D     Eth1/14 Eth1/19 Eth1/32
  21  239.255.149.24     v1   D     Eth1/12 Eth1/15 Eth1/16
                                      Eth1/26 Eth1/31
  21  239.255.255.250    v2   D     Po15 Eth1/11 Eth1/28
                                      Eth1/29
  SW5020-01#
  Any suggeestions?

  What Is OneClickStarter.exe?
  OneClickStarter.exe is a type of EXE file associated with TuneUp Utilities 2013 developed by AVG Technologies for the Windows Operating System. The latest known version of OneClickStarter.exe is 13.0.4000.189, which was produced for Windows.
  This EXE file carries a popularity rating of 1 stars and a security rating of "UNKNOWN".
  Sounds like you have some misbehaving software on your system.  I would suggest a clean install to see if you still have all the problems you are reporting.

• Route streaming multicast+igmp

  Hi,
  Here is the problem: i have a pc connected to my broadband connection, and we have streaming of several tv stations and lectures through multicast,udp... I have also a laptop, but i couldn't find a way to play those streams on it. It looks like igmp packets aren't forwarded. I use iptables to share my connection and i allowed all traffic for the time being, but that didn't help.
  Has anyone any idea how to achieve this?
  Last edited by lman (2009-03-24 18:11:04)

  You can get to IGMP settings going to AirPort utility. In network tab there are extended network options tab then enable IGMP tracking (or something like this, I don't know how it named in english version)
  Ed.
  But! If you enable this option, this won't get multicast to you.
  You still won't connect to multicast streams on 224.0.0.0-224.0.0.255
  Message was edited by: A1l3

• Multicasting (IGMP Snoop) between Nortel and Cisco

  We are currently having issues with Zen imaging (multicasting) and our setup is the following.
  Please take into account, our knowledge is very limited with IGMP Snooping setup etc.
  MDF = 6 Nortel 450-24T's using FirmWare -1.48 / SoftWare - 4.5.2.4
  IGMP Settings are such :
  VLAN: [ 1 ]
  Snooping: [ Enabled ]
  Proxy: [ Disabled ] -----> This was on...but once off, runs much smoother.
  Robust Value: [ 2 ]
  Query Time: [ 125 seconds ]
  Set Router Ports: [ Version 1 ]
  In the MDF (anythig directly in those switches) images fine now. (once I disabled PROXY)
  However I have a few IDF's off the MDF that are using OLD Nortel 350F-HD's (no IGMP Snooping support) and it's horrible (can only do a few computers at a time.
  So in one of the IDF's (the biggest one) I pulled out the 350F-HD and replaced it with a CISCO 2950 w/Fiber and it's using 12.1.20EA1 and I left IGMP Snooping on (thinking this will fix it) and couldn't even get ONE machine to connect and image in the multicast session. It's settings were (by default):
  Global IGMP Snooping configuration:
  IGMP snooping : Disabled
  IGMPv3 snooping (minimal) : Enabled
  Report suppression : Enabled
  TCN solicit query : Disabled
  TCN flood query count : 2
  Vlan 1:
  IGMP snooping : Disabled
  Immediate leave : Disabled
  Multicast router learning mode : pim-dvmrp
  Source only learning age timer : 10
  I then completly disabled IGMP Snooping on the CISCO and we're able to Image 5-7 Computers without a crash (more than that and it crashes - disconnects etc)
  In the area's that I have All 450's or all CIsco's the imaging seems to go fine. (with minor errors)
  Can any one give me some advice (or hopefully ran into this mixed setup before)?
  Thank you.

  Bosalaza,
  Thank you for replying (and I read even more on the ip multicast routing). However I've not ran into the same issue at any school that has 100% cisco switches or 100% Nortels (that are setup correctly and not older than dirt). I think we've not needed the multicast routing setup as we only have one router on the network (and it's flat at the moment anyway). As long as IGMP Snooping is enabled correctly (on the switches) it seems to serve us well.
  Although from what I've read (where you pointed me too) it seems even in our setup we would benifeit from taking time to setup "ip pim ....." etc.
  I was able to scrounge from another network and change out a few very old Nortels (that didn't support IGMP Snoop) and all seems well now.
  So long story short (and incase anyone else needs this info. The Nortel 350T and F - HD's were the main issue. It seems (for now) that a mixture of Nortel 350/450-24T's (any model that at least has IGMP Snooping) and Cisco's mixed (also Snoop on) works pretty well.
  I'm going to consider this solved as I was able to fix it with changing out some old product. However I really appreciate your efforts and pointing my towards some good info. (Which I'm going to read up on more, as I'm sure we'll need to get it setup in the near future.)
  Thanks again.

• RA6700/WUMC710: Multicast IGMP V2 support?

  Dear readaers and supporters
  I hope to be able to use this setup of devices on a friends place. The use IPTV which is a multicast stream over IGMP V2/3.
  Unfortunately, I wasn't able to find any notes and specifications on both products support web pages.
  Can either Linksys/Cisco supporter(s) or users useing this setup provide me with informations that this is running and working without problems or give me any kind of suggestions?
  The final setup should look like this:
  VDSL-ISDN Modem --> EA6700 <---> WUMC710 --> Setop Box --> HDMI LCD TV
  Thank you in advance for anyones help and suggestions.
  Have a great time
  Greetings
  Thomas

  Hi thotha2007 ,
  You may try the set-up below. Let me know if you need further assistance.

• Multicast, IGMP and ACL's

  Hi!
  Maybe somebody can describe me why in ACL You are able to specify IGMP code only up to 15 while the
  number for Leave message is 0x17 (RFC2236)? Host report is not 2, and host query is not 1 in original packets
  but it is in ACL. I've dig all over the cisco site and didn't find nothing about it. This is serious security leak
  actually, it is possible to influence the multicast flow.
  Best regards Matvey Teplov

  Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
  If anyone else in the forum has some advice, please reply to this thread.
  Thank you for posting.

• SG300-28P Multicast (IGMP) and IGMP routing..

  A brief background on the setup:
  I recently switched out my switch.  It was a Cisco 3750 10/100 switch and I wanted to upgrade to Gig.  The cost of a Gig+POE 3750 is too much to bite so I opted for the SG300.  My router is a Cisco 891.  Here is the setup:
  Cisco 891:
  two SVI's: vlan1 and vlan 100
  Vlan1 = 10.0.1.1/24
  Vlan100 = 10.0.100.2/24
  Connected to SG300 via Fa0
  DHCP Server for vlan1+vlan100
  Cisco SG300-28P:
  two SVI's: vlan 1 and vlan 100
  vlan 1 = 10.0.1.21/24
  vlan 100 = 10.0.100.1/24
  Connected to 891 on via Gi18
  The connection between 891 and SG300 = trunk, vlan1-u, vlan100-t
  The problem:
  With the 891+3750, I was able to add "ip pim sparse-dense-mode" on all the SVI's and hosts could join any multicast group, irregardless of which vlan the host was a member of.
  Now I've changed switches, and I dont get the same love.  I have the PIM statement on both SVI's on the 891, but Im unsure of what I need to configure on the SG300.  I have enabled "Bridge multicast filtering" + "IGMP snooping".  What can I do to get similar functionality using the SG300 + 891?  I assume this is my lack of understanding IGMP in general, but was able to get away with it using the PIM statements on the 891+3750 stack.
  Jeff

  You should be able to filter unregisted multicast on every port.
  To be able to pass multicast over subnets two things must be certain, the node/device is able to send and receive multicast packets but also register the multicast address being listened to by the node so the local and remote routers can route the multicast packets.
  When the switch learns a multicast address through IGMP snooping, this is a registered multicast. The switch will only forward multicast to ports that are registered to the multicast group. Where unregistered multicast comes in, is the multicast that is not statically defined or learned through IGMP which in turn will be forwarded to all ports of the vlan.

• How to configure SFE2000 to filter multicast (IGMP is enabled)

  We have a SFE2000 switch and we're having trouble configuring IGMP snooping.  It is enabled but we are still seeing multicast traffic on ports which have definitely not done an IGMP join - indicating something is not right.  The literature on the switch says it supports IGMP snooping.  Can anyone advise or point me to a technical resource?  This switch is part of a standard package and we are looking at alternative suppliers since this switch is not doing what we need.  I'd like to confirm this switch can't do what we need or understand how to properly configure it before going elsewhere.  I have reviewed the manuals. I suspect the issue relates to configuring a multicast querier.  I don't see a way to do this on the SFE2000.  Our system is isolated so the SFE2000 is not connecting to a higher level switch.  The SFE2000 needs to act as the querier. Thanks in advance for any help/direction.  - Jim

  The following two links are related and interesting :
  http://www.plctalk.net/qanda/showthread.php?t=49905
  http://forums.linksysbycisco.com/linksys/board/message?board.id=Switches&thread.id=3043
  I'm not sure converting the SFE2000 to layer 3 will cause it to act as a querier or not. 

• Airserver multicast mDNS problem

  I have WLC 2504 running     7.4.100.0 with a single 1242AG AP
  single wireless SSID on the WLC
  an Apple AIRSERVER and an IPAD which should be able to do mirroring to show ipad screen on the pc
  they have IPs in same subnet and have base connectivity
  it just wont work! the ipad never sees the airplay server option come up
  BUT
  if i move these 2 systems to a cisco autonomous AP. or another commodity wireless LAN and have the 2 systems (pc/ipad) in same subnet it works
  if i have the pc on wired and the ipad (wireless obviously) this work on the autonomous or commodity AP fine
  so there is something "different" about using the WLC/LWAP right?
  i have tried with and without the various multicast options enabled etc
  please can anyone advise or help?
  many thanks
  dave

  thank you both for helping me and for the pointers.
  I have a config (attached)
  I have this update to the case:-
  laptop and iphone on same wireless LAN  (interface3) wireless LANcalled clients34
  With the command
  config mdns snooping DISable
  i can see the Airserver from the iPAD and it works (WITHIN) the wireless WLAN i.e. both on same WLAN and IP subnet
  if i issue
  config mdns snooping ENable
  the
  Airserver disappears and wont work
  it comes back as soon as i disable the mdns snooping
  this is consistently reproducible
  any ideas welcomed
  it never works between WLANs (so far!)
  dave
  here is the config
  config location expiry tags 5
  config interface address management 10.99.98.40 255.255.255.128 10.99.98.1
  config interface dhcp management primary 10.99.98.3
  config interface port management 1
  config interface vlan management 10
  config interface address virtual 1.1.1.1
  config interface address dynamic-interface clients33 10.10.33.6 255.255.255.0 10.10.33.1
  config interface create clients33 33
  config interface dhcp dynamic-interface clients33 primary 10.99.98.3
  config interface port clients33 2
  config interface vlan clients33 33
  config interface address dynamic-interface clients34 10.10.34.6 255.255.255.0 10.10.34.1
  config interface create clients34 34
  config interface dhcp dynamic-interface clients34 primary 10.99.98.3
  config interface port clients34 2
  config interface vlan clients34 34
  config 802.11b 11gsupport enable
  config 802.11b cac voice sip bandwidth 64 sample-interval 20
  config 802.11b cac voice sip codec g711 sample-interval 20
  config 802.11b cleanair alarm device enable 802.11-nonstd
  config 802.11b cleanair alarm device enable jammer
  config 802.11b cleanair alarm device enable 802.11-inv
  config sysname Apple
  config logging traceinfo disable debugging
  config logging syslog level debugging
  config logging syslog level 7
  config logging syslog host 10.99.98.36
  config database size 2048
  config country US
  config advanced probe limit 2 500
  config advanced probe-limit 2 500
  config advanced 802.11a channel add 36
  config advanced 802.11a channel add 40
  config advanced 802.11a channel add 44
  config advanced 802.11a channel add 48
  config advanced 802.11a channel add 52
  config advanced 802.11a channel add 56
  config advanced 802.11a channel add 60
  config advanced 802.11a channel add 64
  config advanced 802.11a channel add 149
  config advanced 802.11a channel add 153
  config advanced 802.11a channel add 157
  config advanced 802.11a channel add 161
  config advanced 802.11b channel add 1
  config advanced 802.11b channel add 6
  config advanced 802.11b channel add 11
  config mdns service query enable AFP
  config mdns service create AFP _afpovertcp._tcp.local. query enable
  config mdns service query enable AirPrint
  config mdns service create AirPrint _ipp._tcp.local. query enable
  config mdns service query enable AirTunes
  config mdns service create AirTunes _raop._tcp.local. query enable
  config mdns service query enable AppleRemoteDesktop
  config mdns service create AppleRemoteDesktop _net-assistant._udp.local. query enable
  config mdns service query enable AppleTV
  config mdns service create AppleTV _airplay._tcp.local. query enable
  config mdns service query enable HP_Photosmart_Printer_1
  config mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local. query enable
  config mdns service query enable HP_Photosmart_Printer_2
  config mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. query enable
  config mdns service query enable Printer
  config mdns service create Printer _printer._tcp.local. query enable
  config mdns profile service add default-mdns-profile AirPrint
  config mdns profile service add default-mdns-profile AppleTV
  config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
  config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
  config mdns profile service add default-mdns-profile Printer
  config mdns profile create default-mdns-profile
  config mdns snooping enable
  config mobility group domain MOBGROUP
  config network rf-network-name RFGROUP
  config network telnet enable
  config network broadcast enable
  config network multicast igmp snooping enable
  config network multicast l2mcast disable service-port
  config network multicast l2mcast disable virtual
  config network multicast mld snooping enable
  config network multicast global enable
  config dhcp address-pool scope33 10.10.33.2 10.10.33.254
  config dhcp default-router scope33 10.10.33.1
  config dhcp create-scope scope33
  config dhcp network scope33 10.10.33.0 255.255.255.0
  config dhcp address-pool "scope 34" 10.10.34.2 10.10.34.254
  config dhcp default-router "scope 34" 10.10.34.1
  config dhcp create-scope "scope 34"
  config dhcp dns-servers "scope 34" 8.8.8.8
  config dhcp network "scope 34" 10.10.34.0 255.255.255.0
  config dhcp lease scope33 86400
  config dhcp enable scope33
  config dhcp lease "scope 34" 86400
  config license boot base
  config license agent max-sessions 9
  config 802.11a cac voice sip bandwidth 64 sample-interval 20
  config 802.11a cac voice sip codec g711 sample-interval 20
  config 802.11a cleanair alarm device enable 802.11-nonstd
  config 802.11a cleanair alarm device enable jammer
  config 802.11a cleanair alarm device enable 802.11-inv
  config nmsp notification interval rssi rfid 2
  config certificate generate webauth
  config wlan mfp client enable 1
  config wlan mfp client enable 3
  config wlan mfp client enable 4
  config wlan dhcp_server 1 10.99.98.3 required
  config wlan security ft over-the-ds disable 1
  config wlan security wpa wpa1 ciphers aes enable 1
  config wlan security wpa wpa1 ciphers tkip enable 1
  config wlan security wpa wpa1 enable 1
  config wlan security wpa wpa2 ciphers aes disable 1
  config wlan security wpa wpa2 disable 1
  config wlan security wpa akm psk set-key hex encrypt 1 a1f6e0bbf14d724dc3f66873d6f810a6 786fcab479dd2b3ab7fe1e79eb569f3bcd8bec22 48 db307698ce2f6146a19f3b40cb7a52b39b8062c5d6f8f0f37d60dc98cde78d6a1e8aea0014292f6192cd1a06a447fccd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1
  config wlan security wpa akm psk enable 1
  config wlan security wpa akm 802.1x disable 1
  config wlan security wpa enable 1
  config wlan security web-auth server-precedence 1 local radius ldap
  config wlan security wapi akm psk set-key hex encrypt 1 a1f6e0bbf14d724dc3f66873d6f810a6 786fcab479dd2b3ab7fe1e79eb569f3bcd8bec22 48 db307698ce2f6146a19f3b40cb7a52b39b8062c5d6f8f0f37d60dc98cde78d6a1e8aea0014292f6192cd1a06a447fccd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1
  config wlan dhcp_server 3 10.99.98.3 required
  config wlan security ft over-the-ds disable 3
  config wlan security wpa wpa1 ciphers aes enable 3
  config wlan security wpa wpa1 enable 3
  config wlan security wpa wpa2 ciphers aes disable 3
  config wlan security wpa wpa2 disable 3
  config wlan security wpa akm psk set-key hex encrypt 1 42a623f34bd4ac9f6c4d8415be540e52 aa8f5add9351816443d374a3fa1cd76ee34ec325 48 83269c2ab1bfffb0717cf80763bf2be8e30af9de5d784f132deef8aba1ef463d37eda9fcca7b3edac4f16806799bddb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 3
  config wlan security wpa akm psk enable 3
  config wlan security wpa akm 802.1x disable 3
  config wlan security wpa enable 3
  config wlan security web-auth server-precedence 3 local radius ldap
  config wlan security wapi akm psk set-key hex encrypt 1 42a623f34bd4ac9f6c4d8415be540e52 aa8f5add9351816443d374a3fa1cd76ee34ec325 48 83269c2ab1bfffb0717cf80763bf2be8e30af9de5d784f132deef8aba1ef463d37eda9fcca7b3edac4f16806799bddb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 3
  config wlan dhcp_server 4 10.99.98.3 required
  config wlan security ft over-the-ds disable 4
  config wlan security wpa wpa1 ciphers aes enable 4
  config wlan security wpa wpa1 enable 4
  config wlan security wpa wpa2 ciphers aes disable 4
  config wlan security wpa wpa2 disable 4
  config wlan security wpa akm psk set-key hex encrypt 1 5032332e8e93f8a77f2d0e2f97d411e4 37dee84d8d542d677ead99c9a06b559c3c6c39e7 48 d5576ca89f5c5201557c2a30274ac2034f0881e1502f22d0fb59b2ea05c338c9e09c57844efaa2d20967d8931c7b795c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 4
  config wlan security wpa akm psk enable 4
  config wlan security wpa akm 802.1x disable 4
  config wlan security wpa enable 4
  config wlan security web-auth server-precedence 4 local radius ldap
  config wlan security wapi akm psk set-key hex encrypt 1 5032332e8e93f8a77f2d0e2f97d411e4 37dee84d8d542d677ead99c9a06b559c3c6c39e7 48 d5576ca89f5c5201557c2a30274ac2034f0881e1502f22d0fb59b2ea05c338c9e09c57844efaa2d20967d8931c7b795c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 4
  config wlan nasid Cisco_88:af:84 1
  config wlan broadcast-ssid enable 1
  config wlan interface 1 management
  config wlan nasid Cisco_88:af:84 3
  config wlan broadcast-ssid enable 3
  config wlan interface 3 clients34
  config wlan nasid Cisco_88:af:84 4
  config wlan broadcast-ssid enable 4
  config wlan interface 4 clients33
  config wlan create 1 wall wall
  config wlan session-timeout 1 1800
  config wlan create 3 clients34 clients34
  config wlan session-timeout 3 1800
  config wlan create 4 clients33 clients33
  config wlan session-timeout 4 1800
  config wlan exclusionlist 1 60
  config wlan exclusionlist 3 60
  config wlan exclusionlist 4 60
  config wlan wmm allow 1
  config wlan wmm allow 3
  config wlan mdns disable 3
  config wlan wmm allow 4
  config wlan enable 1
  config wlan enable 3
  config wlan enable 4
  config ap packet-dump truncate 0
  config ap packet-dump buffer-size 2048
  config ap packet-dump capture-time 10
  config mgmtuser add encrypt admin 1 321719832e36efcfeefd2273c587a40e 5b6894ae997a61fda287052deb92ad880db51682 16 87acec2a7c4ebbed6eee748deb8b111c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
  config mgmtuser add encrypt l8admin 1 f2fbd280a591024db06b5e26e3aea6f0 0a6c6ee6cd7de16f828232164d3edeefdce05f4a 16 ba42eb8ce58babcf06c6e402e96353d60000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write
  config rfid timeout 1200
  config rfid status enable
  config rfid mobility pango disable
  transfer upload path /
  transfer upload datatype config
  transfer upload serverip 172.29.254.1
  transfer upload filename Daves_WLC.txt
  transfer download path /
  transfer download serverip 172.29.254.1
  transfer download filename Daves_WLC.txt

• Multicast Spillover

  I am a newbie to network switch configuration and my group recently bought an SG 300-28 Gigabit Managed Switch.
  It appears by default to spill over (forward) all multicast traffic to all ports.
  I want to reconfigure it to only forward multicast traffic to the ports that have joined that specific multicast.
  I currently have one connection to our business LAN (10.45.x.x) for configuration on g24.
  I have a PC (192.168.1.153) connected to g1 that is streaming out 2 multicast feeds (239.255.5.5:5005 and 239.255.6.6:5006)
  I have another PC (192.168.1.159) connected to g13 that can receive 1, 2 or niether multicast feed(s). 
  I see that there is a multicast menu in the user GUI, but I'm not sure what items I should be modifying.
  Any help would be appreciated.
  Doug   

  Thanks Thomas,
  Perhaps I should clarify that the multicast traffic is successfully getting to the destination PC.  That is not the problem.
  What I am trying to do is:
  1.  Prevent the multicast traffic from cluttering up our business LAN (the connection on g24)
  2.  Save bandwidth on each connection by only sending multicasts to those ports that request to join the multicast.
  Although my test is using only 2 multicasts, once I have the switch configured I will put it into a system that has dozens (approaching 100) multicast streams on it.  The multicasts will quickly use up all bandwidth on all ports if they are being forwarded to all ports.
  So I read through the Administration guide and:
  1. Under Multicast->Properties I enabled "Bridge Multicast Filtering Status"
  2. Under Multicast->IGMP snooping I enabled "IGMP Snooping Status" and enabled IGMP snooping on all VLANs using IGMP v3.
  3. Under Multicast->Forward All I left all ports in all VLANs set to "None"
  4. Under Multicast->Unregistered Multicast I set g1-g24 to "filtering" and left g25-g28 as "Forwarding"
  In order to test whether it was working as expected, I went to Status and Statistics->Interface, chose g1 (the multicast source), 15 second refresh rate, and Clear all Interface Counters, then I watched how the Multicast counters incremented each 15 seconds.
  I did the same with g13 (the multicast receiver) under various conditions (receiving only 1 multicast, both multicasts, no multicasts, PC turned off, ethernet cable unplugged)
  The Multicast TX counter increments about 14k-15k each 15 seconds when both multicasts are received, about 12k each 15 seconds when one multicast is received or no multicasts are received (like when the PC is turned off but the ethernet cable is still plugged in).  It doesn't increment when the ethernet cable is unplugged from the receiving PC.
  So I'm not sure if these counters are a good metric, but I would expect the TX count to not increment if the PC is turned off (no multicasts are joined), and I would expect the count difference to be greater when 1 versus 2 multicasts are joined.
  Do you have a better way to verify whether the switch is behaving as expected?
  Doug

• SPS2024 and IGMP issues

  Hello
  I have have issues with using mutlicast stream with this device with following configuration:
  [ Uplink/Internet ] ------L3_link------- eth0_[ router (linux + PIM daemon)]_eth1 ====trunk==== g1_[ SPS2024 ]_g2 ----access---- PC
  - there is router on stick configuration between router and switch with following details:
  eth1 (without IP address) <====> Unused VLAN (VLAN500)
  eth1.10 <====> VLAN10
  eth1.11 <====> VLAN11
  eth1.12 <====> VLAN12
  - router is PIMv2 (in PIM-SM mode) and IGMPv2 capable router and it periodically sends IGMP queries into all three VLANS (10, 11, 12)
  And the main issue is, that computers connected to any VLAN are NOT receiving IGMP queries packets.
  Details:
  - I can see via tcpdump that igmp are periodically sent to all three (sub)interfaces eth1.10, eth1.11 and eth1.12
  - there is no firewall access rule on outgoing interfaces  (there is permit all outgoing)
  - when I run wireshark on comuters from any VLAN, I can't see multicasted IGMP queries
  - only IGMP traffic that I can see are IGMP report packets
  - situation is same when IGMP snooping is or is NOT enabled on VLAN interface or globally (...igmp snooping feature makes not any difference in this behavior)
  - here are some outputs:
  dist-sw# sh ip igmp snooping interface 10   <<<<<<<< same output for all three VLANs
  IGMP Snooping is globaly enabled
  IGMP Snooping is enabled on VLAN 10
  IGMP Snooping admin: enabled
  Routers IGMP version: 0
  Groups that are in IGMP version 2 compatibility mode:
  Groups that are in IGMP version 1 compatibility mode:
  IGMP snooping querier admin: disabled
  IGMP snooping querier oper: disabled
  IGMP snooping querier address admin:
  IGMP snooping querier address oper: 172.30.1.100  <<<<<< management IP address of this switch
  IGMP snooping querier admin version: 0
  IGMP host timeout is 260 sec
  IGMP Immediate leave is disabled. IGMP leave timeout is 10 sec
  IGMP mrouter timeout is 300 sec
  Automatic learning of multicast router ports is enabled
  dist-sw# show ip igmp snooping mrouter interface 10
  VLAN              Ports
  Detected multicast routers that are forbidden statically:
  VLAN              Ports
  so in real, mutlicast service is completely broken in this scenario.
  Working scenario 2:
  [ Uplink/Internet ] ------L3_link------- eth0_[ router (linux + PIM daemon)]_eth2 ----access---- g3_[ SPS2024 ]_g4 ----access---- PC
  In this scenario there is access link between router and SPS2024 switch which carries frames from single subnet/VLAN.
  In this scenario:
  - I can see IGMP queries via wireshark on PC connected to port g4
  - and multicasts are completely working  as expected
  - it is working regardless IGMP Snooping is enabled (on VLAN and globally) or not
  - BUT outputs from switch CLI are completely same as from first scenario (switch not recognized any IGMP querier on segment, nor PIMv4 packets (for determining mrouter port) (...in case when IGMP snooping was enabled)
  In summary:
  - this looks like this switch is not able to forward igmp queries in case when they comes from tagged VLANs via trunk port
  - switch is also not able to recognize mrouter nor igmp querier on segment (according outputs above)
  And finally questions:
  - is this correct behavior of this switch?
  - how can I fix it? I am using latest firmware 1.0.6, but this is same also with older version 1.0.2
  - are there any debug commands available (to see packets receiving, igmp snooping working and so on) like from Catalyst switches?
  Many thanks for any help

  nevermind it finally decided to work.

• Airport wifi problems with uverse and gigabit switch resolved

  I think there is a bug in airport firmware 7.6 with how spanning tree works in addition to problems with the Uverse router. Having an Airport with a uverse 2wire 3801 and gigabit switch will not work. Putting the extreme in NAT mode with DMZ plus behind the uverse resolved the problem.
  Network configuration:
  Uverse 2wire 3801 router
      3801 provides prioritization for upstream traffic so skype and VoIP work better when doing a lot of stuff on Internet
  Airport extreme firmware 7.6
  two airport express 802.11n hardwired to extreme. Set up in bridge mode. All access points have same SSID "create a network" to enable roaming. Ignore anything to do with extending a network.  firmware 7.6
  two gigabit switches
      Netgear GS608 - 8 port gigabit switch
      Trendnet TEG-S80g - 8 port gigabit switch
      100BT 5 port switch - did not figure into problem
  Three Uverse set top boxes wired on Ethernet. They have to be wire directly to the 2wire box to work correctly. See: http://forums.att.com/t5/Features-and-How-To/At-amp-t-U-Verse-modem-setup-Airpor t-Extreme/td-p/2300785
  However, you need to be careful to place your own PCs and other internet devices on the network created by your gear (airport extreme in your case), but keep AT&T's set top boxes for the IPTV services IN FRONT of your own router - so they remain on AT&T's provided network.
  So it would work like this ...
  Network 1: 2wire RG (4 lan ports) ->  Any Set tops, and to the WAN port on your AirportExtreme
  Network 2: Airport Extreme LAN ports -> to any computers or internet devices (but not AT&T set top boxes).
  The RG prioritizes the traffic for your Uverse Voice and your Uverse TV ahead of internet data traffic, as it rationalizes data heading out of your home.  If you place your own equipment in that equation (like putting AT&T set top boxes behind your Airport Extreme) the performance and function of your AT&T set top boxes could really flake out on you.
  Symptom:
      Everything would be working fine, then intermittently all my wifi access points would stop working. ~6,000 ms latency, dropped packets. Ethernet worked fine. Here is an example of my macbook pinging the extreme when associated with the extreme over wifi with a strong signal.
  ping: sendto: Host is down
  Request timeout for icmp_seq 23
  Request timeout for icmp_seq 24
  64 bytes from 192.168.1.64: icmp_seq=25 ttl=255 time=267.051 ms
  Request timeout for icmp_seq 26
  Request timeout for icmp_seq 27
  Request timeout for icmp_seq 28
  64 bytes from 192.168.1.64: icmp_seq=26 ttl=255 time=3402.599 ms
  Request timeout for icmp_seq 30
  Request timeout for icmp_seq 31
  Request timeout for icmp_seq 32
  64 bytes from 192.168.1.64: icmp_seq=30 ttl=255 time=3060.673 ms
  64 bytes from 192.168.1.64: icmp_seq=34 ttl=255 time=24.115 ms
  64 bytes from 192.168.1.64: icmp_seq=35 ttl=255 time=31.056 ms
  64 bytes from 192.168.1.64: icmp_seq=36 ttl=255 time=39.828 ms
  Root cause:
      It looks like the 2wire 2801 router has a problem with spanning tree when interoperating with gigabit switches and airports. There is interplay with the airport.
  I did not have this problem until the 7.6 airport firmware. I had been using the Netgear hub for about a year with the extreme in bridge mode. I added the Trendnet hub and upgraded airport firmware at the same time which made fault isolation difficult.
  Problem recreation:
  Set up airport expresses hard wired to extreme
  Connect gigabit switch anywhere to network
  Everything OK
  Dettach one computer from wifi then reattach, then all wifi stops working. It takes a few seconds for the problem to propagate.
  Ethernet still works fine
  Problem Resolution:
  Connect to 2wire with ethernet
  Set 2wire route to have subnet as 192.168.2.x
  Set extreme in NAT mode behind 2wire. It will complain about double NAT. Override the warning. Set the subnet to 192.168.1.x so you don't have to change any static IP addresses. Note that 2wire uses 192.168.1.254 as default route whereas airport uses 192.168.1.1.
  I set DHCP to start at .10 to leave the lower addresses for assigning static IP addresses to computers I want to expose outside the firewall.
  Go into firewall settings. Select airport extreme. Select the bottom setting which is "DMZ Plus". When you go into the airport extreme settings, you will now see that it has the uverse public IP address on its WAN port. NAT port mappings work fine on the extreme behind the 2wire router.

  Keeping this very short here is a summary of the actual problem and solution to allow your Apple Airport Extreme to run in Bridge mode on the same subnet as your uVerse settop boxes (if your Layer 2 switch is configurable). 
  Devices: Uverse, Cisco SG300, and Airport Extreme
  uVerse uses Multicast to broadcast video streams between the uVerse network to the settop box, and from settop box to settop box.
  X number of Multicast Groups are created based on X number of settop boxes you have.  You can see the multicast definitions by logging into the webinterface of the iNid. Each settop box is a member and can choose to display a broadcasted TV stream or not.
  Multicast membership is setup by the use of ICMP messages for IPv4 (MLD for IPv6).  Each of the settop boxes become members of each others multicast group by reporting up to the iNid (MultiCast Proxy).
  In an ideal world a layer 2 switch will track these memberships and only forward a broadcast packet to the ports on the switch to which the settop boxes are connected to.  The switch would do these via snooping on the ICMP packets.  Most switches by default do not do this by default and simply forward the broadcast packett out every one of it's switch ports.
  Here in lies the problem.  Problem is that the Apple AES doesn’t do ICMP snooping / filtering and floods the wireless network with these broadcast streams.
  In order to fix this you must turn on ICMP snooping and filtering on the switch (or buy a switch that does this).  I have a Cisco SG300 and list out the configuration below.
  Other notes:
  Ensure that all Media renderers (settop boxes) and servers are wired directly off the switch and not attached to any of the Airport Express ports.  This way no media transverses the Airport (only control point traffic goes through the WiFi - which is fine).  Obviously if the IGMP snooping switch sees any client requesting Multicast streaming traffic on the same port as the WAP, it will add that Multicast address to the forwarding table for that port, and then, yes it could get flooded.
  Remember, you need to allow some Multicast traffic through your WAP to allow UPnP discovery to work (assuming that you will be using Wireless control points.)
  Read the Multicast chapter in the SG 300 switch Admin Guide as it explains things very well.
  Setting up multicast on the SG300s using the WebUI:
  1. Multicast/Properties/
  Tick enable Bridge Multicast Filtering Status for VLAN 1, and
  set the Forwarding Method to IP Group Address for both IPv4 & IPv6.
  2. Multicast/ IGMP snooping/
  Tick enable IGMP snooping status then select and edit the entry and ensure that IGMP querier status is ticked.
  It's essential for IGMP snooping to work that there must be at least one active IGMP querier on the network - if more than one is enabled, they will carry out an "election" to decide which one should be active (normally the one with the lowest IP address.)
  3. Multicast Router Port
  Set whichever port that is connected to the uVerse iNid to Status which means that it the uVerse router connected to this port is the Multicast Router
  4. Multicast/ Unregistered Multicast
  set all ports to Filtering. (The default is Forwarding.)
  There are a lot of other variables within all the above - the defaults are OK, you should probably leave them alone!
  In the config file you would then expect to see the above appearing as something like this:
  ip igmp snooping
  ip igmp snooping vlan 1
  ip igmp snooping vlan 1 immediate-leave
  interface vlan 1
  bridge multicast mode ipv4-group
  bridge multicast ipv6 mode ip-group
  interface range gi1-10
  bridge multicast unregistered filtering
  ip igmp snooping vlan 1 querier
  ip igmp snooping vlan 1 querier address <IP-Addr>

• 1.3.0.59 firmware issue

  I installed the 1.3.0.59 on a couple of SG300-28Ps.  On the Status and Statistics page, the PoE indicators no longer lit. Physically, on the front of the switch, they did still light.  I didn't yet reboot to factory defaults to see if that clears it, because I don't feel like entering the config again this early in the morning. But I am willing to test that, if needbe.
  When reverting the image back to 1.2.9.44 (tested) or possibly earlier, the ip default gateway must be re-entered (if it was configured). Even if ip-default gateway x.x.x.x shows up correctly on a 'show run', the switch will not obey it, and on the IPv4 settings page it will report the operational default gateway as blank. This came as a surprise becauset he switch suddenly wouldn't talk to the VPN anymore. Logging onto the switch locally, going to the IPv4 settings, ticking the radio button back on User Defined and typing it back in cleared that up. It appears this cropped up because the syntax for specifying the default gateway changed in 1.3.x but it's still odd that the config shows correctly in console but not in the gui.

  I see that Cisco have today released new firmware for the SG300 switches.
  http://software.cisco.com/download/release.html?mdfid=283019611&catid=268438038&softwareid=282463181&release=1.3.0.62&relind=AVAILABLE&rellifecycle=&reltype=latest
  http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/release_notes/R_1.3.0.62_RN_78-21240-01.pdf
  So soon after the last release, it’s obviously mainly a bugfix exercise.
  Hopefully it will address some of the issues above, and some of my own which include some strange multicast (IGMP snooping) issues which affected UPnP discovery, etc.  Also found that some other configurations got corrupted after upgrading to 1.3.0.59.
  Would be good to know if 1.3.0.62 fixes things not mentioned in the release notes
  Later edit:
  Well - I've tried 1.3.0.62 and despite the claim in the release notes that one of the defects fixed is:
  "After the firmware is upgraded from 1.2.9.44 to 1.3.0, the IP default gateway
  changes to default route. (CQ146158)"
  I am still finding in layer 2 mode that it is still stored as a route:
  "ip route 0.0.0.0 /0 10.2.3.7 metric 1"
  When you attempt to reload this config file, you get the error:
  "Status:
  Copy failed
  Error Message:
  Copy: Error in configuration download Line: 102 Command: ip route 0.0.0.0 /0 10.2.3.7 metric 1"
  Strangely, in layer 3 mode, it saves it as a default gateway setting:
  "ip default-gateway 10.2.3.7 "  which loads with no errors, despite the fact that the manual states that there is no "default gateway" in the layer 3 mode.
  This is the same behaviour as firmware 1.3.0.59. 
  Incidentally, I have been told that the performance of the SG300 switches is better if set to layer 3 mode, but only used as layer 2 (i.e. no routing or multiple IP addresses set.)  Anyone got any experience of this?
  Certianly it seems that with v1.3 firmware, the only way to avoid an error when reloading a config file is to set the switch to router mode.