IGMP - filtering using ACLs

In a Multicast topology, it is possible to perform IGMP filtering.

Multicast IGMP membership report messages include the multicast group addresses that our receivers want to join. By default, all multicast groups will be accepted. It is possible to filter certain multicast groups by configuring IGMP filtering on a multicast router or on a switch where IGMP snooping is enabled.

This can be achieved using either standard or extended access lists. However, there are some peculiarities that must be taken into account when implementing IGMP filtering.

As it is defined, a standard access list will match the source IPv4 (or IPv6) address. However, this is the case only when you apply the ACL on an interface. When applied to IGMP filtering, you are using the ip igmp access-group command like so:

R1(config)#ip access-list standard LIMIT_IGMP R1(config-std-nacl)#deny host R1(config)#interface FastEthernet 0/0 R1(config-if)#ip igmp access-group LIMIT_IGMP

to reference the ACL to match a particular multicast IP address. In this case, the multicast group will be matched. So in this scenario there is really no concept of source or destination address. It simply restricts a host from joining the multicast group indicated in the ACL.

Now, when using extended ACLs, the command is used to restrict receiver hosts on a subnet to membership to only the (S,G) channels that are permitted by an extended IP access list.

Note that only IGMPv3 accommodates the extended access lists which allow you to leverage source-specific multicast (SSM). In the extended access list, you can indicate the source of the multicast traffic as an additional parameter.