Friday, 6 March 2015

Nexus management port not sending IGMP Membership Reports

OK - I've spent a day getting annoyed by this!  I was trying to get two Nexus 56128Ps (running NX-OS 7.0(3)) to talk across their management interfaces with CFS to synchronise configuration with switch-profiles.

I had the Mgmt0 interfaces connected to a Cisco 2960 as access ports, with no other connections in that VLAN and everything worked fine.

However, when I tried to connect an uplink from the 2960 to our main network (on a test VLAN) synchronisation broke with show switch-profile status reporting that the Peer is unreachable.  Disconnecting the cable fixed the problem again, immediately.

The problem

After a lot of mucking about, this turned out to be an IGMP issue - the Management0 ports on the Nexus switches advertise their presence to each other using multicast messages to a group (239.255.70.83).  However, they weren't sending IGMP Membership Report messages to indicate they themselves want to join the group, preventing the announcements from reaching each other.

When the switch was not connected to the rest of the network, there was no IGMP Querier, so the switch resorted to flooding multicast traffic.  However, when connected to the main network, the IGMP Membership Query messages from the router started reaching the 2960 and it started to limit flooding.

Pulling the uplink cable from the 2960 immediately aged out the Querier and flooding recommenced.  However, if the VLAN was severed in a way not known to the 2960 (e.g. removing the VLAN from the upstream switch), the Querier would take 3 minutes to expire (as expected) before things began to work again.

After some poking about, fiddling around with the configuration of the router, it appears that IGMPv2 is supported by the management interface but IGMPv3 (which is our default) is not.
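
To check a capture from the management VLAN for this condition, the following added example (not from the original post) parses IGMP payloads and predicts whether a snooping switch would flood, forward or prune the CFS group, modelling the 2960 behaviour described above. The sample messages are constructed with zeroed checksums, and the function names are hypothetical.

```python
import socket
import struct

CFS_GROUP = "239.255.70.83"  # multicast group named in the post

def parse_igmp(payload):
    """Return (kind, version, groups) for one IGMP message (the IP payload)."""
    if len(payload) < 8:
        raise ValueError("truncated IGMP message")
    mtype, code = payload[0], payload[1]
    group = socket.inet_ntoa(payload[4:8])
    if mtype == 0x11:  # Membership Query: version is inferred from length/code
        version = 3 if len(payload) >= 12 else (1 if code == 0 else 2)
        return "query", version, [group]
    if mtype in (0x12, 0x16):  # IGMPv1 / IGMPv2 Membership Report
        return "report", 1 if mtype == 0x12 else 2, [group]
    if mtype == 0x22:  # IGMPv3 report: walk the group records
        (count,) = struct.unpack("!H", payload[6:8])
        groups, off = [], 8
        for _ in range(count):
            _rtype, auxlen, nsrc = struct.unpack("!BBH", payload[off:off + 4])
            groups.append(socket.inet_ntoa(payload[off + 4:off + 8]))
            off += 8 + 4 * nsrc + 4 * auxlen
        return "report", 3, groups
    return "other", 0, []

def snooping_state(messages, group=CFS_GROUP):
    """Predict what an IGMP-snooping switch does with traffic to `group`."""
    query_versions, joined = set(), False
    for msg in messages:
        kind, version, groups = parse_igmp(msg)
        if kind == "query":
            query_versions.add(version)
        elif kind == "report" and group in groups:
            joined = True
    if not query_versions:
        return "flood", query_versions    # no querier seen: group is flooded
    if joined:
        return "forward", query_versions  # members known: sent to their ports
    return "pruned", query_versions       # querier, no member: peers unreachable

# Constructed sample messages (checksum bytes zeroed, not validated here).
V3_QUERY = bytes.fromhex("1164000000000000027d0000")  # general query, 12 bytes
V2_QUERY = bytes.fromhex("1164000000000000")          # general query, 8 bytes
V2_REPORT = bytes.fromhex("16000000efff4653")         # report for 239.255.70.83

if __name__ == "__main__":
    print(snooping_state([]))                     # isolated 2960
    print(snooping_state([V3_QUERY]))             # uplinked, IGMPv3 querier
    print(snooping_state([V2_QUERY, V2_REPORT]))  # querier set to IGMPv2
```

A "pruned" result with version 3 in the set is the failing case from this post: a querier is active but nothing has joined the group.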

The fix

This can be fixed in one of three ways:
  • Disabling multicast routing on the VLAN,
  • Changing the IGMP version to 2 (instead of 3), if this has been raised, or
  • Disabling IGMP Snooping on the switches on the management VLAN (e.g. no ip igmp snooping vlan XXX)

I can't find mention of this in the Cisco documentation, nor a way of changing the IGMP version on the Nexus 56128Ps.