IGMP Filter

Multicast IGMP membership report messages include the multicast group addresses that our receivers want to join. By default, all multicast groups will be accepted. What if we want to restrict this?

It is possible to filter certain multicast groups. We can configure IGMP filtering on a multicast router or on a switch where IGMP snooping is enabled. In this lesson, I’ll show you how to do both.

We will use the following topology for this:

IGMP Filter Topology

R1 will be our multicast router, SW1 has IGMP snooping enabled and H1 is a multicast receiver.


First, let’s enable PIM on R1 so that it processes IGMP traffic:

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip pim sparse-mode 

And let’s enable a debug so we can see IGMP filtering in action:

R1#debug ip igmp 
IGMP debugging is on

Right now there are no filters. Let’s configure H1 to join a multicast group so that we can see what the debug normally looks like:

H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group

Here’s what we get:

IGMP(0): Received v2 Report on FastEthernet0/0 from for
IGMP(0): Received Group record for group, mode 2 from for 0 sources
IGMP(0): WAVL Insert group: interface: FastEthernet0/0Successful

R1 receives the membership report for and installs it. We can verify this with the show ip igmp groups command:

R1#show ip igmp groups 
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter   Group Accounted        FastEthernet0/0          00:00:43  00:02:45

So far so good…time to filter something!

Router IGMP Filter

Let’s configure our router to filter multicast group We’ll need to create an access-list for this:

R1(config)#ip access-list standard LIMIT_IGMP
R1(config-std-nacl)#deny host

The access-list above will deny and permit any other multicast groups. Let’s enable it with the ip igmp access-group command:

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip igmp access-group LIMIT_IGMP

Now let’s see what happens when our receiver joins

H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group

Here’s what the router will tell us:

IGMP(0): Received v2 Report on FastEthernet0/0 from for
IGMP(*): Group access denied on FastEthernet0/0

As expected, the multicast group is denied. You can also see these matches in the access-list:

R1#show access-lists 
Standard IP access list LIMIT_IGMP
    10 deny (1 match)
    20 permit, wildcard bits (1 match)

That’s all there is to it.

Switch IGMP Snooping Filter

Let’s see how we can create a filter on the switch. We need to create an IGMP profile for this:

SW1(config)#ip igmp profile 1

The profile above lets us block multicast group Let’s activate it:

SW1(config)#interface FastEthernet 0/2
SW1(config-if)#ip igmp filter 1 

The ip igmp filter command is what we need to activate the IGMP profile. You can activate this on a port, SVI or VLAN.

Let’s see if it works. We’ll enable a debug on the switch:

SW1#debug ip igmp filter
IGMP debugging is on

Let’s join multicast group

H1(config)#interface FastEthernet 0/0  
H1(config-if)#ip igmp join-group

Here’s what the switch will tell us:

IGMPFILTER: igmp_filter_process_pkt(): checking group from Fa0/2: deny
IGMPFILTER: igmp_filter_process_pkt(): checking group from Fa0/2: permit

Multicast group is denied, you can see that is still accepted.


Want to take a look for yourself? Here you will find the final configuration of each device.


hostname H1
interface GigabitEthernet0/1
 ip address
 ip igmp join-group
 ip igmp join-group
 ip igmp join-group


hostname R1
interface GigabitEthernet0/1
 ip address
 ip pim sparse-mode
 ip igmp access-group LIMIT_IGMP
ip access-list standard LIMIT_IGMP


hostname SW1
ip igmp profile 1
interface FastEthernet0/1
interface FastEthernet0/2
 ip igmp filter 1


IGMP can be filtered on switch or router.


Forum Replies

  1. What would be the utility of this in real life?

  2. Hi Laz,

    Thank you for your response, and clear explanation. I wait for Rene’s confirmation.

    Thanks much,

    Joe Boisseau

  3. Hi Rene,

    Outstanding, your attention to detail and accuracy is what separates your training from others. I’ve noticed how you’ve taken various networking technologies, and explained how they work in a clear and simple matter, which has made it easy to learn, recall and explain to others. Thank you for your insight.

    Joe B.

  4. Hello Eyad

    This Cisco documentation states the following:

    You can apply IGMP profiles to Layer 2 ports only. You cannot apply IGMP profiles to routed ports (or SVIs) or to ports that belong to an EtherChannel port group.

    The 4500, although a Layer 3 switch, does not support the application of an IGMP filter on a Layer 3 interface.

    I hope this has been helpful!


19 more replies! Ask a question or join the discussion by visiting our Community Forum