Traffic Analysis of IGMPv3

If you want to know how the IGMPv1 & IGMPv2 works in packet level and how it is evolved, please go through the following posts.

Traffic Analysis of IGMPv1
Traffic Analysis of IGMPv2

Now the next level of IGMP has a special added feature called source specific multicast. Here the hosts can ask for a multicast feed from a specified source. All other features work pretty much the same as IGMPv2 except IGMPv3 uses several types of Membership Reports to Join, Reply and Leave which are discussed later and summarized at the end of the post.

So in this post, I am focusing on this new enhancements..

Let's analyze the traffic flow with a packet capture using this setup..





Here the hosts are also Cisco IOS routers.
Nothing is configured on the switch.
Host will be configured in the same multicast group.
Packets entering and leaving on e0/0 interface of Router will be captured..
debug ip igmp is entered on all devices..

(click on images to view in full size)

Configuring Router..

Router(config)#ip multicast-routing

Router(config)#int e0/0

Router(config-if)#ip igmp version 3
Router(config-if)#ip pim sparse-mode

1st command will enable the multicast routing globally.
Next the version is fixed for 3, because the default version is 2.

Finally a multicast routing protocol is specified for the interface to process the multicast packets.

As soon as the last interface command entered on Router, following debug messages will opt out..

224.0.1.40 group is not related to this lab, it is coming by default. This address is for Cisco RP discovery.

And the multicast routing table will be like the following on Router, show ip mroute

Configuring Host..

Host(config)#int e0/0

Host(config-if)#ip igmp version 3
Host(config-if)#ip igmp join-group 226.139.1.2 source 1.1.1.1

As soon as the above command entered on Host; debug output will give the following..

As you can see the Host is sending 3 Reports. Let's see the contents of them..

All these 3 messages which a host send when it wants to join a group for the 1st time are identical. It is like 3 copies of the same packet.

On Router, the debug output will show the following..

Router is taking the new multicast group in to the account..

Now the multicast routing table on Router-1 will be like the following with the new group entry..

Now for the General Query of the Router, the Host replies with a Membership Report which has a little different content.

This mode Include says which source is accepted for multicast feed for the group, by this host.

Let's see what happens when a Host leaves the group..

As you can see, the Host is sending 2 Reports of the same content. Let's analyze the packet..

This packet says not to send the feed from 1.1.1.1 to him (sending Host)..

The Router will reply with Source & Group Specific Queries to find out any other live hosts..

Packet Types Summary..

Unlike in IGMPv1 & IGMPv2; IGMPv3 uses 3 different types of Membership Reports to Join, Reply to a Query and to Leave a group.

Join -   Type 5 (Allow new sources)
Reply - Type 1 (Mode is Include)
Leave - Type 6 (Block old sources)

So the packet types seems to be using are,

1. Membership Report
2. Membership Query
3. Source & Group Specific Membership Query

Packet capture will look like the following and you can download from here.

Traffic Analysis of IGMPv2

Instead of simple Membership Report and Membership Query process of IGMPv1, there are some added new features in IGMPv2. Please go through the Traffic Analysis of IGMPv1 before reading this if you want to know how IGMPv1 worked originally.

Leave Group Messages: When a host stops listening to a multicast feed it reports the router that it is leaving the group. (report suppressed hosts will not send this, you will see it later..)

Group Specific Membership Query: When the router receives a leave group message, it will use a special query to that specific group address to check if there are still any hosts interested in receiving the multicast traffic.

MRT (Maximum Response Time) Field: This is a new field in query messages to specify how much time hosts have to respond to the query.

Querier Election Process: When there are two or more routers in the same subnet then only one of them should send query messages. The election ensures only one router becomes the Active Querier. The router with the lowest IP address wins the election.

To deliver the above features, IGMPv2 has 4 types of packets.

1. Membership Report
2. Membership Query
3. Leave Group Messages
4. Group Specific Membership Query

Here the hosts are also Cisco IOS routers.

Nothing is configured on the switch.

Hosts 1 & 2 will be configured in the same multicast group.

Packets entering and leaving on e0/0 interface of Router-1 will be captured..

debug ip igmp is entered on all devices..

(click on images to view in full size)



Configuration on the Routers..

Router-1(config)#ip multicast-routing

Router-1(config)#int e0/0
Router-1(config-if)#ip pim sparse-mode

1st command will enable the multicast routing globally. It is enabled by default on most routers.
Next a multicast routing protocol is specified for the interface to process the multicast packets. Default version is 2 for IGMP so don't want to specify the version here.

As soon as the interface command entered on Router-1, following debug messages will opt out..

224.0.1.40 group is not related to this lab, it is coming by default. This address is for Cisco RP discovery.

And the multicast routing table will be like the following on R1, show ip mroute

So even without any host in a multicast group, it will show an entry for the 224.0.1.40 making itself a host and processing IGMP packets.

Now let's configure Router-2 with the same commands..

As soon as the interface command entered on Router-2, following debug messages will opt out..

Also on Router-1, following debug output will be shown..

What happens when IGMP hellos are seen by routers is that they chose one querier as the Active Querier for that subnet. For the subnet of 192.168.10.0/24, Router-1 has elected as the querying router because it has the lowest IP.
We can verify that by entering the command, show ip igmp interface

Let's see what is showing on Router-1;

Ok now, you can see that both the routers have agreed that IGMP Querying Router to be 192.168.10.253. The other underlined information will be useful later in this post..

Configuration on Hosts..

Host-1(config)#int e0/0
Host-1(config-if)#ip igmp join-group 226.139.1.2

As soon as the above command entered on Host-1; debug output will give the following..

It is sending 2 reports at the same time.

On Router-1, the debug output will show the following..

Router-1 is taking the new multicast group in to the account..

Router-2, also do the same.. Because the Active Querier is Router-1, from now on we will analyze the behavior of Router-1..

Now the multicast routing table on Router-1 will be like the following with the new group entry..

Now let's see what happens when we configure another host.. I am configuring Host-2 with the same command..

Following output for the debug will be shown on Host-2..

It is also sending 2 reports. On Host-1, following will be the output after receiving the reports.

It looks like Host-1 is doing nothing about it.

On Router-1, following will be the output..

After receiving the new report from the new member, router is updating the exclude timer.. Both the routers will do the same..

Now what happens is that, Router-1 sends a query sequentially (default 1 min) and it sends it with a MRT (Maximum Response Time) which defaults to 10 seconds.

After Hosts see this, they take a random time which is lower than the maxim time given by the router, and sends a report after their chosen time is over. So the Host with the lowest time randomly chosen will be able to send the report 1st. When other hosts also receive the report, they stop sending their report because it is not necessary.

Following was the Host-1's debug when it set's it's time to respond and sends the report. You will notice it is 1.9 seconds and the Host-2 had 4.0 seconds which is larger.

But the Membership Report must send as the reply to the Membership Query of the Router ryt? So how come the other members receive it?

If you analyze a Membership Report packet you will see the destination address is not the router's IP, it is the multicast address of the group. (which also means that the router is listening to all the multicast mac addresses)

Let's see what happens when a Host leaves the group..

It will just delete the group and will not send a leave message as expected. Why??

Because this Host-2 is has suppressed sending reports. Last member to report for this group was Host-1. So leaving of all other hosts doesn't matter..

Now let's remove Host-1 from the group..

Now it is sending a leave message. Let's see what Router-1 will do about it..

After Router-1 sees this it sends the last type of packet, Group Specific Membership Query. This is sent to the 226.139.1.2 group specifically to ask whether there are any other members which needs the feed. If no report comes, the group will be excluded after 3 minutes which is the default IGMP Queryier timeout.

For the record, I will show some show command outputs of the switch while the multicast forwarding is working..

As you can see, the multicast mac addresses are not showing in the mac address table. So IGMP snooping will be the only way the switch knows where to forward the traffic..

Well, the switch knows where to find the querier..

And the members with group addresses too..

Please find the packet capture from here, it will be like the following..

Traffic Analysis of IGMPv1

IGMPv1 only has 2 types of packets.

1. Membership Report
2. Membership Query

Let's analyse the traffic flow after configuring the following setup.

Here the hosts are also Cisco IOS routers.

Nothing is configured on the switch.

Hosts 1 & 2 will be configured in the same multicast group. Host-3 will not participate in the lab.

Packets entering and leaving on e0/0 interface of Router will be captured..









Configuration on the Router..

Router(config)#ip multicast-routing 

Router(config)#int e0/0
Router(config-if)#ip igmp version 1
Router(config-if)#ip pim sparse-mode

1st command will enable the multicast routing globally. It is enabled by default on most routers.
Next the interface will be configured for IGMPv1 (v2 is the default) and then a multicast routing protocol is specified for the interface to process the multicast packets.

As soon as configured, the 1st packet will be a Membership report destined to 224.0.1.40 and it will be a self generated one from this interface of the router. 224.0.1.40 is the Cisco RP discovery IP.

Next packet will also be from the e0/0 of the router and it will be a Membership query packet destined to 224.0.0.1 which is for the all hosts of the segment.

As soon as this Query hits it's own interface, the router will again send a packet very similar to the 1st packet. Query is sent every 1 minute, and a Report from router itself will be sent again as soon as it sees it's own Query. This will continue until we configure Hosts..

Configuration on Hosts..

Host-1(config)#int e0/0
Host-1(config-if)#ip igmp join-group 226.139.1.2
Host-1(config-if)#ip igmp version 1

Host-2(config)#int e0/0
Host-2(config-if)#ip igmp join-group 226.139.1.2
Host-2(config-if)#ip igmp version 1

The 1st packet from a Host which is an IGMP report will be like the following.

As soon as the router hits with a membership report from a Host, the router will insert the multicast address to the IGMP groups and it will start sending the feed to the interface it received the Report. 

If debug ip igmp is enabled on both Router and Host, something like the following will be displayed.

The routing table will be shown like the following for this setup.

Router#show ip mroute

IGMPv1 has no mechanism to inform the router about leaving the group by hosts. So this will be the end of the packet flow. When one host decides to leave the group it will simply not reply the future Queries. If no Report is received, the router will stop sending the traffic on that interface.

All the packet flow of IGMPv1 of this lab will be like the following and the highlighted packet is the 1st packet by a host at the moment it decided to join the group. Download the packet capture from here.

If you want to see the traffic analysis of the current default version (IGMPv2) of this protocol and how the switch determines where to forward etc, please go here.

Multicast IP to MAC Address Conversion

The OUI (1st 24 bits of the MAC address / 1st 3 octets of the MAC address) is common for any multicast IP address. They are 01-00-5E. So the next 24 bits of the MAC address can be varied but actually we take only the last 23 bits from the IP address to replace the last 24 bits of the MAC address. So the 1st starting bit of the 4th octet is always 0..

01 - 00 - 5E - 0000 0000 - 0000 0000 - 0000 0000

Because we always fix the 1st bit to be 0 of the last 24 bits taken from the IP, there are 32 IP addresses for a given MAC address though there is only one MAC address for a given IP address. See the examples..

IP to MAC Conversion Example

Find the MAC address of 226.139.1.2

Take the last 3 octets and convert into binary (139.1.2)

1000 1011 . 0000 0001 . 0000 0010

Ignore the 1st bit and combine the 1st 25 bits of common MAC and last 23 bits of given IP..

01 - 00 - 5E - 0000 1011 . 0000 0001 . 0000 0010

which is --> 01-00-5E-0B-01-02


MAC to IP Conversion Example

Find the IP address of 01-00-5E-0B-01-02

Take the last 3 octets and convert into binary (OB-01-02)

0000 1011 . 0000 0001 . 0000 0010 -> 11.1.2

so the last 23 bits can be came from the following banaries too.

1000 1011 . 0000 0001 . 0000 0010 -> 139.1.2

So 16 IP address can be written from 11.1.2 and another 16 can be written from 139.1.2 as the last 3 octets of the IP.

224.11.1.2 - 239.11.1.2
224.139.1.2 - 239.139.1.2

So following are all the addresses which can be mapped to 01-00-5E-0B-01-02

224.11.1.2	224.139.1.2
225.11.1.2	225.139.1.2
226.11.1.2	226.139.1.2
227.11.1.2	227.139.1.2
228.11.1.2	228.139.1.2
229.11.1.2	229.139.1.2
230.11.1.2	230.139.1.2
231.11.1.2	231.139.1.2
232.11.1.2	232.139.1.2
233.11.1.2	233.139.1.2
234.11.1.2	234.139.1.2
235.11.1.2	235.139.1.2
236.11.1.2	236.139.1.2
237.11.1.2	237.139.1.2
238.11.1.2	238.139.1.2
239.11.1.2	239.139.1.2

Reserved Multicast IP Addresses

Class D range of IP addresses are reserved for multicast IP addresses which ranges from 224.0.0.0 to 239.255.255.255 which has 1110 as the 1st bits in 1st octet.

But within this range, there are several ip addresses which are reserved for some special purposes.
One such range is 224.0.0.0/24 which are reserved for routing protocols and cannot be routed by routers within subnets. This Block is called the Local Network Control Block.

I am ordering which I have come across so far..

Address(es)	Description
224.0.0.0	Base Address (Reserved)
224.0.0.1	All Systems on this Subnet
224.0.0.2	All Routers on this Subnet/HSRPv1 Hello
224.0.0.4	DVMRP Routers
224.0.0.5	OSPFIGP OSPFIGP All Routers
224.0.0.6	OSPFIGP OSPFIGP Designated Routers
224.0.0.9	RIP2 Routers
224.0.0.10	EIGRP Routers
224.0.0.12	DHCP Server / Relay Agent
224.0.0.13	All PIM Routers
224.0.0.14	RSVP-ENCAPSULATION
224.0.0.18	VRRP
224.0.0.22	IGMPv3 all routers
224.0.0.102	HSRPv2 Hello

Also the 224.0.1.0/24 range is reserved for some applications. These IPs can be routed by routers within subnets. This block is called the Internetwork Control Block.

Address(es)	Description
224.0.1.0	VMTP Managers Group
224.0.1.1	NTP Network Time Protocol
224.0.1.9	MTP Multicast Transport Protocol
224.0.1.21	DVMRP on MOSPF
224.0.1.24	microsoft-ds
224.0.1.32	mtrace
224.0.1.33	RSVP-encap-1
224.0.1.34	RSVP-encap-2
224.0.1.39	cisco-rp-announce
224.0.1.40	cisco-rp-discovery
224.0.1.41	gatekeeper
224.0.1.75	SIP
224.0.1.115	Simple Multicast
224.0.1.141	DHCP-SERVERS

For private networks you are allowed to use 239.0.0.0/8 for your applications.
For the other blocks and further reference please visit here.