Example 1d: Cisco Catalyst 3750 (12.1(19)EA1c) snooping IGMP v3

Just like example 1a but with a Cisco this time. Some differences to note:

The router

The router is a Cisco Catalyst 6509 with MSFC2 running native IOS 12.1(22)E. The hublet in front of the switch is connected to a Fast Ethernet port:
interface FastEthernet7/37
 description test subnet
 ip address 128.59.7.1 255.255.255.0
 ip helper-address 128.59.59.25
 ip helper-address 128.59.31.79
 no ip redirects
 no ip unreachables
 ip pim sparse-mode
 ip igmp version 3
 speed 10
 duplex half
end

The switch

The switch under test is a Cisco Catalyst 3750 running IOS 12.1(19)EA1c with IGMP snooping enabled:
Switch#sho ip igmp snooping 
Global IGMP Snooping configuration:
-----------------------------------
IGMP snooping             : Enabled
IGMPv3 snooping (minimal) : Enabled
Report suppression        : Enabled
TCN solicit query         : Disabled
TCN flood query count     : 2

Vlan 1:
--------
IGMP snooping                       : Enabled
Immediate leave                     : Disabled
Multicast router learning mode      : pim-dvmrp
Source only learning age timer      : 10
CGMP interoperability mode          : IGMP_ONLY

Vlan 950:
--------
IGMP snooping                       : Enabled
Immediate leave                     : Disabled
Multicast router learning mode      : pim-dvmrp
Source only learning age timer      : 10
CGMP interoperability mode          : IGMP_ONLY
          

The source - 128.59.39.150

I used iperf for the multicast source:
iperf -u -c 224.5.6.7 -p 8910 -T 10 -b 1 -i 5 -t 1200

The receiver - 128.59.7.10

I could have used iperf as the receiver but already had rtpqual laying around so I used it:
rtpqual 224.5.6.7 8910

Methodology

To reproduce this example:
  1. Start iperf running on sender.
  2. Start tcpdump running on each receiver and snooper.
  3. Let simmer for about 2 minutes which will allow enough time for at least one IGMP router advertisement (general query) to be received by each machine, which will provide a "sync" packet to start time in the tcpdump traces.
  4. Start receiver rtpqual running and let it run for about 2 minutes.
  5. While rtpqual is running, do a couple "show ip igmp" commands on the switch and router and oberve proper IGMP state being maintained.
  6. Stop receiver rtpqual.
  7. During the next 4 minutes, do several "show ip igmp" commands on the switch and router and observe IGMP state being torn down (or not). Wait until the router has pruned the group.
  8. Let simmar another 2 minutes so the tcpdump traces will contain a couple more router advertisements.
  9. Stop all the tcpdumps and copy the traces up to the data collection and analysis point along with console logs from the switch and router.
N.B. I didn't quite get this right in the traces below so sync points were not properly established:

The traces

I ran tcpdump on all four hosts as shown in the following example for one of the hosts:
tcpdump -s 1500 -w 12.tcpdump igmp or dst 224.5.6.7 &
This captures IGMP protocol messages and the (relatively low data rate) multicast data for the group of interest. Raw tcpdump traces are here:

host 10
host 11
host 12
host 13
switch
router

Following are summaries of the traces and switch and router IGMP CLI output merged in chronological order:
Initial state. IGMP general queries going out once a minute
host 13
No.     Time        Source                Destination           Protocol Info
      4 181.604578  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 4 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0
host 10
No.     Time        Source                Destination           Protocol Info
      4 181.579373  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 4 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0
host 11 & 12
No.     Time        Source                Destination           Protocol Info
      4 181.604992  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 4 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0
switch
Switch#sho ip igmp snooping multicast group 224.5.6.7
Vlan      Group Address  Type        Version         Port List
----      -------------  ----        -------         ---------
router
wat-edge-1#sho ip igmp groups fa7/37
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter
Host 10 joins group. Exclude mode membership report is sent up to switch and passed through unmodified to router, but is supressed out other switch ports (so hosts 11 and 12 don't hear it).
host 10
No.     Time        Source                Destination           Protocol Info
      5 197.195656  128.59.7.10           224.0.0.22            IGMP     V3 Membership Report

Frame 5 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:00:86:51:bd:b2, Dst: 01:00:5e:00:00:16
Internet Protocol, Src Addr: 128.59.7.10 (128.59.7.10), Dst Addr: 224.0.0.22 (224.0.0.22)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Report (0x22)
    Header checksum: 0xf3f1 (correct)
    Num Group Records: 1
    Group Record : 224.5.6.7  Change To Exclude Mode
host 13
No.     Time        Source                Destination           Protocol Info
      5 197.222266  128.59.7.10           224.0.0.22            IGMP     V3 Membership Report

Frame 5 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:00:86:51:bd:b2, Dst: 01:00:5e:00:00:16
Internet Protocol, Src Addr: 128.59.7.10 (128.59.7.10), Dst Addr: 224.0.0.22 (224.0.0.22)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Report (0x22)
    Header checksum: 0xf3f1 (correct)
    Num Group Records: 1
    Group Record : 224.5.6.7  Change To Exclude Mode
host 11 & 12 nothing
Data starts to flow. Host 13 sees it come down from router which passes through to host 10 only, as it should.
host 13
No.     Time        Source                Destination           Protocol Info
      6 198.073607  128.59.39.150         224.5.6.7             UDP      Source port: 32915  Destination port: 8910

Frame 6 (1512 bytes on wire, 1500 bytes captured)
Ethernet II, Src: 00:08:7c:d0:08:40, Dst: 01:00:5e:05:06:07
Internet Protocol, Src Addr: 128.59.39.150 (128.59.39.150), Dst Addr: 224.5.6.7 (224.5.6.7)
User Datagram Protocol, Src Port: 32915 (32915), Dst Port: 8910 (8910)
Data (1458 bytes)
host 10
No.     Time        Source                Destination           Protocol Info
      6 198.048256  128.59.39.150         224.5.6.7             UDP      Source port: 32915  Destination port: 8910

Frame 6 (1512 bytes on wire, 1500 bytes captured)
Ethernet II, Src: 00:08:7c:d0:08:40, Dst: 01:00:5e:05:06:07
Internet Protocol, Src Addr: 128.59.39.150 (128.59.39.150), Dst Addr: 224.5.6.7 (224.5.6.7)
User Datagram Protocol, Src Port: 32915 (32915), Dst Port: 8910 (8910)
Data (1458 bytes)
host 11 nothing
host 12 nothing
Data keeps flowing for about 44 seconds and the router sends out a once-a-minute general membership query which is flooded out all switch ports.
host 13
No.     Time        Source                Destination           Protocol Info
     51 242.181373  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 51 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0
host 10
No.     Time        Source                Destination           Protocol Info
     51 242.155870  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 51 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0

host 11 & 12
No.     Time        Source                Destination           Protocol Info
      5 242.181842  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 5 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0
Data keeps flowing and a random time within the 10 seconds specified in the query, host 10 responds with a membership report. The router receives this and it is not flooded out to hosts 11 or 12.
host 10
No.     Time        Source                Destination           Protocol Info
     52 242.204738  128.59.7.10           224.0.0.22            IGMP     V3 Membership Report

Frame 52 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:00:86:51:bd:b2, Dst: 01:00:5e:00:00:16
Internet Protocol, Src Addr: 128.59.7.10 (128.59.7.10), Dst Addr: 224.0.0.22 (224.0.0.22)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Report (0x22)
    Header checksum: 0xf5f1 (correct)
    Num Group Records: 1
    Group Record : 224.5.6.7  Mode Is Exclude
host 13
No.     Time        Source                Destination           Protocol Info
     52 242.231099  128.59.7.10           224.0.0.22            IGMP     V3 Membership Report

Frame 52 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:00:86:51:bd:b2, Dst: 01:00:5e:00:00:16
Internet Protocol, Src Addr: 128.59.7.10 (128.59.7.10), Dst Addr: 224.0.0.22 (224.0.0.22)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Report (0x22)
    Header checksum: 0xf5f1 (correct)
    Num Group Records: 1
    Group Record : 224.5.6.7  Mode Is Exclude
host 11 nothing
host 12 nothing
switch
Switch#sho ip igmp snooping multicast group 224.5.6.7
Vlan      Group Address  Type        Version         Port List
----      -------------  ----        -------         ---------
950       224.5.6.7      IGMP        v3              Fa1/0/1, Fa1/0/3
router
wat-edge-1#sho ip igmp groups fa7/37
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter
224.5.6.7        FastEthernet7/37         00:01:31  00:02:13  128.59.7.10
About 50 seconds later, Host 10 leaves group, sends a leave (change to include mode), which is passed up to the router by the switch. Traffic keeps flowing, for now.
host 10
No.     Time        Source                Destination           Protocol Info
    103 292.292169  128.59.7.10           224.0.0.22            IGMP     V3 Membership Report

Frame 103 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:00:86:51:bd:b2, Dst: 01:00:5e:00:00:16
Internet Protocol, Src Addr: 128.59.7.10 (128.59.7.10), Dst Addr: 224.0.0.22 (224.0.0.22)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Report (0x22)
    Header checksum: 0xf4f1 (correct)
    Num Group Records: 1
    Group Record : 224.5.6.7  Change To Include Mode
host 13
No.     Time        Source                Destination           Protocol Info
    103 292.318827  128.59.7.10           224.0.0.22            IGMP     V3 Membership Report

Frame 103 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:00:86:51:bd:b2, Dst: 01:00:5e:00:00:16
Internet Protocol, Src Addr: 128.59.7.10 (128.59.7.10), Dst Addr: 224.0.0.22 (224.0.0.22)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Report (0x22)
    Header checksum: 0xf4f1 (correct)
    Num Group Records: 1
    Group Record : 224.5.6.7  Change To Include Mode
host 11 & 12 nothing
In response to the leave, the router sends a group-specific query with a 1 second maximum response time. Data is still flowing at this point. Note that the switch spoofs this query (see the source MAC address on host 10) and increases the max response time to 5 seconds and toggles the suppress router-side processing flag. None of this activity is seen by the non-participant hosts.
host 13
No.     Time        Source                Destination           Protocol Info
    104 292.319421  128.59.7.1            224.5.6.7             IGMP     V3 Membership Query

Frame 104 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:05:06:07
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.5.6.7 (224.5.6.7)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 1.0 sec (0x0a)
    Header checksum: 0x06ad (correct)
    Multicast Address: 224.5.6.7 (224.5.6.7)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0
host 10
No.     Time        Source                Destination           Protocol Info
    104 292.292502  128.59.7.1            224.5.6.7             IGMP     V3 Membership Query

Frame 104 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0f:8f:c7:27:85, Dst: 01:00:5e:05:06:07
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.5.6.7 (224.5.6.7)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 5.0 sec (0x32)
    Header checksum: 0xfe84 (correct)
    Multicast Address: 224.5.6.7 (224.5.6.7)
    QRV=2 S=SUPRESS router side processing
    QQIC: 60
    Num Src: 0
host 11 & 12 nothing
Host 10 remains silent in response to the group-specific membership query. A second group-specific membership query is sent by the router and suppressed by the switch. Data continues to flow for another second or two and then stops. Other hosts hear nothing.
host 10
No.     Time        Source                Destination           Protocol Info
    106 294.048102  128.59.39.150         224.5.6.7             UDP      Source port: 32915  Destination port: 8910

Frame 106 (1512 bytes on wire, 1500 bytes captured)
Ethernet II, Src: 00:08:7c:d0:08:40, Dst: 01:00:5e:05:06:07
Internet Protocol, Src Addr: 128.59.39.150 (128.59.39.150), Dst Addr: 224.5.6.7 (224.5.6.7)
User Datagram Protocol, Src Port: 32915 (32915), Dst Port: 8910 (8910)
Data (1458 bytes)
host 13
No.     Time        Source                Destination           Protocol Info
    106 293.566585  128.59.7.1            224.5.6.7             IGMP     V3 Membership Query

Frame 106 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:05:06:07
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.5.6.7 (224.5.6.7)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 1.0 sec (0x0a)
    Header checksum: 0x06ad (correct)
    Multicast Address: 224.5.6.7 (224.5.6.7)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0

No.     Time        Source                Destination           Protocol Info
    107 294.073897  128.59.39.150         224.5.6.7             UDP      Source port: 32915  Destination port: 8910

Frame 107 (1512 bytes on wire, 1500 bytes captured)
Ethernet II, Src: 00:08:7c:d0:08:40, Dst: 01:00:5e:05:06:07
Internet Protocol, Src Addr: 128.59.39.150 (128.59.39.150), Dst Addr: 224.5.6.7 (224.5.6.7)
User Datagram Protocol, Src Port: 32915 (32915), Dst Port: 8910 (8910)
Data (1458 bytes)
5 seconds elapse and the switch spoofs an unsolicited IGMP v2 leave group from the host toward the router! Nothing is sent to the hosts. The router and switch show the state is torn down. Hey, we're speaking v3 here, what gives?
host 13
No.     Time        Source                Destination           Protocol Info
    108 297.325604  128.59.7.10           224.0.0.2             IGMP     V2 Leave Group

Frame 108 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0f:8f:c7:27:83, Dst: 01:00:5e:00:00:02
Internet Protocol, Src Addr: 128.59.7.10 (128.59.7.10), Dst Addr: 224.0.0.2 (224.0.0.2)
Internet Group Management Protocol
    IGMP Version: 2
    Type: Leave Group (0x17)
    Max Response Time: 0.0 sec (0x00)
    Header checksum: 0x02f3 (correct)
    Multicast Address: 224.5.6.7 (224.5.6.7)
host 10 nothing
host 11 & 12 nothing
switch
Switch#sho ip igmp snooping multicast group 224.5.6.7
Vlan      Group Address  Type        Version         Port List
----      -------------  ----        -------         ---------
router
wat-edge-1#sho ip igmp groups fa7/37
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter
Final state is reached, with the only traffic being the once-a-minute general queries from the router.
host 13
No.     Time        Source                Destination           Protocol Info
    109 302.574419  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 109 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0
host 10, 11, 12
No.     Time        Source                Destination           Protocol Info
    107 302.548639  128.59.7.1            224.0.0.1             IGMP     V3 Membership Query

Frame 107 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:d0:03:66:80:0a, Dst: 01:00:5e:00:00:01
Internet Protocol, Src Addr: 128.59.7.1 (128.59.7.1), Dst Addr: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 3
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xec5f (correct)
    Multicast Address: 0.0.0.0 (0.0.0.0)
    QRV=2 S=Do not supress router side processing
    QQIC: 60
    Num Src: 0