IGMP Filter

Multicast IGMP membership report messages include the multicast group addresses that our receivers want to join. By default, all multicast groups will be accepted. What if we want to restrict this?

It is possible to filter certain multicast groups. We can configure IGMP filtering on a multicast router or on a switch where IGMP snooping is enabled. In this lesson, I’ll show you how to do both.

We will use the following topology for this:

IGMP Filter Topology

R1 will be our multicast router, SW1 has IGMP snooping enabled and H1 is a multicast receiver.

Configuration

Multicast IGMP membership report messages include the multicast group addresses that our receivers want to join. By default, all multicast groups will be accepted. What if we want to restrict this? It is possible to filter certain multicast groups. We can configure IGMP filtering on a multicast rout


First, let’s enable PIM on R1 so that it processes IGMP traffic:

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip pim sparse-mode 

And let’s enable a debug so we can see IGMP filtering in action:

R1#debug ip igmp 
IGMP debugging is on

Right now there are no filters. Let’s configure H1 to join a multicast group so that we can see what the debug normally looks like:

H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group 239.1.1.1

Here’s what we get:

R1#
IGMP(0): Received v2 Report on FastEthernet0/0 from 192.168.1.1 for 239.1.1.1
IGMP(0): Received Group record for group 239.1.1.1, mode 2 from 192.168.1.1 for 0 sources
IGMP(0): WAVL Insert group: 239.1.1.1 interface: FastEthernet0/0Successful

R1 receives the membership report for 239.1.1.1 and installs it. We can verify this with the show ip igmp groups command:

R1#show ip igmp groups 
IGMP Connected Group Membership
Group Address    Interface                Uptime    Expires   Last Reporter   Group Accounted
239.1.1.1        FastEthernet0/0          00:00:43  00:02:45  192.168.1.1

So far so good…time to filter something!

Router IGMP Filter

Let’s configure our router to filter multicast group 239.2.2.2. We’ll need to create an access-list for this:

R1(config)#ip access-list standard LIMIT_IGMP
R1(config-std-nacl)#deny host 239.2.2.2
R1(config-std-nacl)#permit 224.0.0.0 15.255.255.255  

The access-list above will deny 239.2.2.2 and permit any other multicast groups. Let’s enable it with the ip igmp access-group command:

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip igmp access-group LIMIT_IGMP

Now let’s see what happens when our receiver joins 239.2.2.2:

H1(config)#interface FastEthernet 0/0
H1(config-if)#ip igmp join-group 239.2.2.2

Here’s what the router will tell us:

R1#
IGMP(0): Received v2 Report on FastEthernet0/0 from 192.168.1.1 for 239.2.2.2
IGMP(*): Group 239.2.2.2 access denied on FastEthernet0/0

As expected, the multicast group is denied. You can also see these matches in the access-list:

R1#show access-lists 
Standard IP access list LIMIT_IGMP
    10 deny   239.2.2.2 (2 matches)
    20 permit 224.0.0.0, wildcard bits 15.255.255.255 (2 matches)

That’s all there is to it.

Switch IGMP Snooping Filter

Let’s see how we can create a filter on the switch. We need to create an IGMP profile for this:

SW1(config)#ip igmp profile 1
SW1(config-igmp-profile)#deny
SW1(config-igmp-profile)#range 239.3.3.3

The profile above lets us block multicast group 239.3.3.3. Let’s activate it:

SW1(config)#interface FastEthernet 0/2
SW1(config-if)#ip igmp filter 1 

The ip igmp filter command is what we need to activate the IGMP profile. You can activate this on a port, SVI or VLAN.

Let’s see if it works. We’ll enable a debug on the switch:

SW1#
SW1#debug ip igmp filter
IGMP debugging is on

Let’s join multicast group 239.3.3.3:

H1(config)#interface FastEthernet 0/0  
H1(config-if)#ip igmp join-group 239.3.3.3

Here’s what the switch will tell us:

SW1#
IGMPFILTER: igmp_filter_process_pkt(): checking group 239.3.3.3 from Fa0/2: deny
IGMPFILTER: igmp_filter_process_pkt(): checking group 239.2.2.2 from Fa0/2: permit

Multicast group 239.3.3.3 is denied, you can see that 239.2.2.2 is still accepted.

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

H1

hostname H1
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip igmp join-group 239.1.1.1
 ip igmp join-group 239.2.2.2
 ip igmp join-group 239.3.3.3
!
end

R1

hostname R1
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip pim sparse-mode
 ip igmp access-group LIMIT_IGMP
!
ip access-list standard LIMIT_IGMP
 deny   239.2.2.2
 permit 239.0.0.0 0.255.255.255
!
end

SW1

hostname SW1
!
ip igmp profile 1
    range 239.3.3.3 239.3.3.3
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 ip igmp filter 1
!
end

Conclusion

IGMP can be filtered on switch or router.

Tags:


Forum Replies

  1. What would be the utility of this in real life?

  2. Hello Rene

    I have a simple question about this topic. About Router filter, its only when you want to block from this net to another upstream router, cause i can see if source and destination is in the same net (this example) they can forward traffic normaly or in some way router gives this information to switch to not consider this blocked multicast group. Thnkas for your asnwer.

    Jose

  3. Hello Jose

    The IGMP filter function can be configured on both a router and a switch. When configured on a router, then yes, only multicast traffic between subnets are filtered. If you want to filter within the same subnet, then switches that have IGMP Snooping Filter capability can filter multicast traffic at ports, VLANs or SVIs.

    There is no communication between the router and the switch for such configurations. Each device is configured independently.

    I hope this has been helpful!

    Laz

  4. According to Official Cert Guide, you can also filter IGMPv1 messages via the filter. How do you do this?

4 more replies! Ask a question or join the discussion by visiting our Community Forum