IGMP Filter

Multicast IGMP membership report messages include the multicast group addresses that our receivers want to join. By default, all multicast groups will be accepted. What if we want to restrict this?

It is possible to filter certain multicast groups. We can configure IGMP filtering on a multicast router or on a switch where IGMP snooping is enabled. In this lesson, I’ll show you how to do both.

We will use the following topology for this:

IGMP Filter Topology

R1 will be our multicast router, SW1 has IGMP snooping enabled and H1 is a multicast receiver.


First, let’s enable PIM on R1 so that it processes IGMP traffic:

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip pim sparse-mode 

And let’s enable a debug so we can see IGMP filtering in action:

R1#debug ip igmp 
IGMP debugging is on

Right now there are no filters. Let’s configure H1 to join a multicast group so that we can see what the debug normally looks like:

H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group

Here’s what we get:

IGMP(0): Received v2 Report on FastEthernet0/0 from for
IGMP(0): Received Group record for group, mode 2 from for 0 sources
IGMP(0): WAVL Insert group: interface: FastEthernet0/0Successful

R1 receives the membership report for and installs it. We can verify this with the show ip igmp groups command:

R1#show ip igmp groups 
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter   Group Accounted        FastEthernet0/0          00:00:43  00:02:45

So far so good…time to filter something!

Router IGMP Filter

Let’s configure our router to filter multicast group We’ll need to create an access-list for this:

R1(config)#ip access-list standard LIMIT_IGMP
R1(config-std-nacl)#deny host

The access-list above will deny and permit any other multicast groups. Let’s enable it with the ip igmp access-group command:

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip igmp access-group LIMIT_IGMP

Now let’s see what happens when our receiver joins

H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group

Here’s what the router will tell us:

IGMP(0): Received v2 Report on FastEthernet0/0 from for
IGMP(*): Group access denied on FastEthernet0/0

As expected, the multicast group is denied. You can also see these matches in the access-list:

R1#show access-lists 
Standard IP access list LIMIT_IGMP
    10 deny (1 match)
    20 permit, wildcard bits (1 match)

That’s all there is to it.

Switch IGMP Snooping Filter

Let’s see how we can create a filter on the switch. We need to create an IGMP profile for this:

SW1(config)#ip igmp profile 1

The profile above lets us block multicast group Let’s activate it:

SW1(config)#interface FastEthernet 0/2
SW1(config-if)#ip igmp filter 1 

The ip igmp filter command is what we need to activate the IGMP profile. You can activate this on a port, SVI or VLAN.

Let’s see if it works. We’ll enable a debug on the switch:

SW1#debug ip igmp filter
IGMP debugging is on

Let’s join multicast group

H1(config)#interface FastEthernet 0/0  
H1(config-if)#ip igmp join-group

Here’s what the switch will tell us:

IGMPFILTER: igmp_filter_process_pkt(): checking group from Fa0/2: deny
IGMPFILTER: igmp_filter_process_pkt(): checking group from Fa0/2: permit

Multicast group is denied, you can see that is still accepted.


Want to take a look for yourself? Here you will find the final configuration of each device.


hostname H1
interface GigabitEthernet0/1
 ip address
 ip igmp join-group
 ip igmp join-group
 ip igmp join-group


hostname R1
interface GigabitEthernet0/1
 ip address
 ip pim sparse-mode
 ip igmp access-group LIMIT_IGMP
ip access-list standard LIMIT_IGMP


hostname SW1
ip igmp profile 1
interface FastEthernet0/1
interface FastEthernet0/2
 ip igmp filter 1


IGMP can be filtered on switch or router.


Forum Replies

  1. What would be the utility of this in real life?

  2. Hello Stefanio

    There are several reasons why we would want to filter IGMP packets. The most basic and important reason is to allow for a network to function more efficiently. The details follow:

    IGMP filtering allows users to configure filters on a switch virtual interface (SVI), a per-port, or a per-port per-VLAN basis to control the propagation of IGMP traffic through the network. By managing the IGMP traffic, IGMP filtering provides the capability to manage IGMP snooping, which in turn controls the forwarding of multicast traffic.

    When an IGMP packet is re

    ... Continue reading in our forum

  3. Hello Rene

    I have a simple question about this topic. About Router filter, its only when you want to block from this net to another upstream router, cause i can see if source and destination is in the same net (this example) they can forward traffic normaly or in some way router gives this information to switch to not consider this blocked multicast group. Thnkas for your asnwer.


  4. Hello Jose

    The IGMP filter function can be configured on both a router and a switch. When configured on a router, then yes, only multicast traffic between subnets are filtered. If you want to filter within the same subnet, then switches that have IGMP Snooping Filter capability can filter multicast traffic at ports, VLANs or SVIs.

    There is no communication between the router and the switch for such configurations. Each device is configured independently.

    I hope this has been helpful!


26 more replies! Ask a question or join the discussion by visiting our Community Forum