UPnP on single vlan across layer 2 network

wherewolf
Level 1

I'm trying to allow UPnP (I know - bad, don't do it, unsafe blah blah) on a single VLAN dedicated to gaming. I've got a pfSense firewall with UPnP enabled handling all traffic for this VLAN to the internet.

Access switch (VLAN 122) -> Core switch (VLAN 122) -> pfSense inside (VLAN 122) -> pfSense outside (DMZ) -> Edge router

I'm not able to see the pfSense UPnP capability; pings and traceroutes work fine. I run the miniupnp utility "upnpc" with the -s switch (from a client PC) and get "No IGD Device Found on the network!"

There isn't a lot of info out there in the Cisco world relating to this, but it's my understanding that I do not need multicasting or PIM because the use is within a single layer 2 boundary (VLAN 122).

Does anyone have any insight on this?   

6 Replies

Torbjørn
VIP

You might have to configure/disable IGMP snooping. Which switches are you using?

If you wish to just disable it you can do so with this command in configuration mode: "no ip igmp snooping"

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Thanks for the help!

The core switch is a 6807-XL and the access layer is primarily 3650s. Since IGMP snooping is on by default, is it possible to disable it per VLAN? Or is it a global command? I assume it's on by default for a reason. However, we are not using any multicasting in this environment.

 

Hello @wherewolf ,

Yes, you can disable IGMP snooping on a specific VLAN, in your case VLAN 122,

using:

conf t

no igmp snooping vlan 122

 

Hope to help

Giuseppe

 

On my core switch (C6807-XL, Version 15.5(1)SY13) that command doesn't work.

I also tried it on the VLAN config; it doesn't seem to work there either....

 

As it turns out, the commands aren't well documented in the software - it needs to happen under the VLAN config - I was trying:

CORE6KSW01(config)#int vlan 122
CORE6KSW01(config-if)#no ip igmp sn
CORE6KSW01(config-if)#no ip igmp ?
   access-group IGMP group access group
   explicit-tracking Enable/Disable IGMP explicit-tracking
   helper-address IGMP helper address
   immediate-leave Leave groups immediately without sending last
   member query, use for one host network only
   join-group IGMP join multicast group
   last-member-query-count IGMP last member query count
   last-member-query-interval IGMP last member query interval
   limit IGMP limit 
   mroute-proxy Mroute to IGMP proxy
   proxy-service Enable IGMP mroute proxy service
   querier-timeout IGMP previous querier timeout
   query-interval IGMP host query interval
   query-max-response-time IGMP max query response value
   static-group IGMP static multicast group
   tcn IGMP TCN configuration
   unidirectional-link IGMP unidirectional link multicast routing
   v3-query-max-response-time IGMP v3 max query response value
   v3lite Enable/disable IGMPv3 Lite
   version IGMP version

See? No "snooping", so I was confused -

As it turns out, it did take the "no ip igmp snooping" -> Enter

 

So - to wrap up this thread for anyone searching for a similar situation.....

I have a basic Layer 2 network with a 6807-XL core and 3650 access switches that are dual-homed to the core.

Cisco Firepower sits in the middle of all VRFs/VLANs, providing routing between VLANs, the datacenter, and routing to the internet edge. Edge routers provide connectivity to and from the internet.

I'm not running multicast (don't really have any applications that require it currently).

I've added a pfSense firewall to provide routing to the internet from a single, specific VLAN for gaming purposes (college campus) and have enabled UPnP on that firewall to allow games to create their holes in the firewall for this VLAN only. I could not get UPnP to work because of IGMP snooping being enabled by default on the VLAN. I was able to disable this by using:

config t

int vlan xxx

no ip igmp snooping (this command doesn't show in the available options when you hit ?)

end

 

This leaves it on other VLANs by default, and globally enabled by default.
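
Added example, not part of the thread: the IGD discovery that upnpc performs is an SSDP M-SEARCH sent to multicast group 239.255.255.250 on UDP port 1900, which is the traffic IGMP snooping on the VLAN decides whether to forward. The Python below sends that probe and parses the unicast replies; the function names and the sample reply (documentation address 192.0.2.1) are constructed for illustration.

```python
import socket

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900   # SSDP multicast group and UDP port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample reply (documentation address 192.0.2.1), for offline parsing.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"LOCATION: http://192.0.2.1:2189/rootDesc.xml\r\n\r\n")

def build_msearch(st=IGD_ST, mx=2):
    """Return the M-SEARCH datagram a UPnP client multicasts to find an IGD."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode("ascii")

def parse_response(data):
    """Parse an SSDP unicast reply into (status_code, {lowercased header: value})."""
    head = data.decode("utf-8", "replace").split("\r\n\r\n", 1)[0]
    status, *rest = head.split("\r\n")
    parts = status.split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers

def discover_igd(timeout=3.0, ttl=2):
    """Multicast one M-SEARCH and return [(sender_ip, LOCATION)] for IGD replies."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        s.settimeout(timeout)
        s.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        try:
            while True:   # collect replies until the socket times out
                data, (ip, _port) = s.recvfrom(4096)
                code, hdr = parse_response(data)
                if code == 200 and "InternetGatewayDevice" in hdr.get("st", ""):
                    found.append((ip, hdr.get("location")))
        except socket.timeout:
            pass
    return found

if __name__ == "__main__":
    print("offline parse:", parse_response(SAMPLE_REPLY))
    print("live probe:", discover_igd() or "no IGD answered the multicast M-SEARCH")
```

Run from a client on the gaming VLAN before and after the snooping change, the live probe returns the firewall's address and LOCATION URL only when the multicast M-SEARCH actually reaches it.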