Use the ip igmp access-group command to filter groups from Internet Group Management Protocol (IGMP) reports by use of a standard access list or to filter sources and groups from IGMPv3 reports by use of an extended access list. This command is used to restrict hosts on a subnet to joining only multicast groups that are permitted by a standard IP access list or to restrict hosts on a subnet to membership to only those (S, G) channels that are permitted by an extended IP access list.
IGMP Version 3 (IGMPv3) accommodates extended access lists, which allow you to leverage an important advantage of Source Specific Multicast (SSM) in IPv4, that of basing access on source IP address. Prior to this feature, an IGMP access list accepted only a standard access list, allowing membership reports to be filtered based only on multicast group addresses.
IGMPv3 allows multicast receivers not only to join groups, but to join groups while including or excluding specific sources. For appropriate access control, it is therefore necessary to filter IGMPv3 messages not only by the group addresses reported, but by group and source addresses together. IGMP extended access lists introduce this functionality. Using SSM with an IGMP extended access list allows you to permit or deny source S and group G (S, G) in IGMPv3 reports, thereby filtering SSM traffic based on source address, group address, or both.
Source Addresses in IGMPv3 Reports for ASM Groups
Additionally, IGMP extended access lists can be used to permit or filter traffic based on (0.0.0.0, G); that is, (*, G), in IGMP reports that are non-SSM, such as Any Source Multicast (ASM).
The permit and deny statements equivalent to (*, G) are permit host 0.0.0.0 host group-address and deny host 0.0.0.0 host group-address, respectively.
Filtering applies to IGMPv3 reports for both ASM and SSM groups, but it is most important for SSM groups because multicast routing ignores source addresses in IGMPv3 reports for ASM groups. Source addresses in IGMPv3 membership reports for ASM groups are stored in the IGMP cache (as displayed with the show ip igmp membership command), but PIM-based IP multicast routing considers only the ASM groups reported. Therefore, adding filtering for source addresses for ASM groups impacts only the IGMP cache for ASM groups.
How IGMP Checks an Extended Access List
When an IGMP extended access list is referenced in the ip igmp access-group command on an interface, the (S, G) pairs in the permit and deny statements of the extended access list are matched against the (S, G) pair of the IGMP reports received on the interface. The first part of the extended access list clause controls the source, and the second part of the extended access list clause controls the multicast group.
Specifically, if an IGMP report with (S1, S2...Sn, G) is received, first the group (0, G) is checked against the access list statements. If the group is denied, the entire IGMP report is denied. If the group is permitted, each individual (S, G) pair is checked against the access list. Denied sources are taken out of the IGMP report, thereby denying any sources that match the access list from sending to the group.
The convention (0, G) means (*, G), which is a wildcard source with a multicast group number.
The following example shows how to configure a standard access list to filter the groups that are available on an interface for receivers to join. In this example, Ethernet interface 1/3 is configured to restrict receivers from joining groups in the range 126.96.36.199 through 188.8.131.52. Receivers are permitted to join all other groups on Ethernet interface 1/3.
access-list 1 deny 184.108.40.206 0.0.255.255
access-list 1 permit any log
!
interface ethernet 1/3
 ip igmp access-group 1
Access lists are very flexible; there is a seemingly limitless combination of permit and deny statements one could use in an access list to filter multicast traffic. The examples in this section show only a few of the ways it can be done.
The following example shows how to deny all states for a group G. In this example, FastEthernet interface 0/0 is configured to filter all sources for SSM group 220.127.116.11 in IGMPv3 reports, which effectively denies this group.
ip access-list extended test1
 deny igmp any host 18.104.22.168
 permit igmp any any
!
interface fastethernet 0/0
 ip igmp access-group test1
The following example shows how to deny all states for a source S. In this example, Ethernet interface 1/1 is configured to filter all groups for source 10.2.1.32 in IGMPv3 reports, which effectively denies this source.
ip access-list extended test2
 deny igmp host 10.2.1.32 any
 permit igmp any any
!
interface ethernet 1/1
 ip igmp access-group test2
The following example shows how to permit all states for a group G. In this example, Ethernet interface 1/1 is configured to accept all sources for SSM group 22.214.171.124 in IGMPv3 reports, which effectively accepts this group altogether.
ip access-list extended test3
 permit igmp any host 126.96.36.199
!
interface ethernet 1/1
 ip igmp access-group test3
The following example shows how to permit all states for a source S. In this example, Ethernet interface 1/2 is configured to accept all groups for source 10.6.23.32 in IGMPv3 reports, which effectively accepts this source altogether.
ip access-list extended test4
 permit igmp host 10.6.23.32 any
!
interface ethernet 1/2
 ip igmp access-group test4
The following example shows how to filter a particular source S for a group G. In this example, Ethernet interface 0/3 is configured to filter source 188.8.131.52 for SSM group 184.108.40.206 in IGMPv3 reports.
ip access-list extended test5
 deny igmp host 10.4.4.4 host 220.127.116.11
 permit igmp any any
!
interface ethernet 0/3
 ip igmp access-group test5
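The matching procedure described under "How IGMP Checks an Extended Access List" is easy to misread when an access list mixes a specific deny with a broad permit, so the following added Python model walks through it: the (0, G) lookup first, then each (S, G) pair of the report, with first-match semantics and the implicit deny that ends every IOS access list. It is illustration code written for this page, not Cisco IOS code and not taken from the command reference; the access lists and the addresses in it are constructed samples that reuse the shapes of the standard-list example and of test1/test5 above (232.0.0.0/8 is the IPv4 SSM range). Only contiguous wildcard masks are handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network     # source clause (ANY for a standard list)
    grp: ipaddress.IPv4Network     # multicast-group clause


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """IOS wildcard mask (0 bits must match) -> prefix length; contiguous masks only."""
    w = int(ipaddress.IPv4Address(wildcard))
    n = w + 1                      # contiguous low-order ones => w + 1 is a power of two
    if n & (n - 1):
        raise ValueError(f"non-contiguous wildcard mask not supported: {wildcard}")
    return 33 - n.bit_length()


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_clause(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        plen = _wildcard_to_prefixlen(tokens[i + 1])
        return ipaddress.ip_network((tokens[i], plen), strict=False), i + 2
    return ipaddress.ip_network(tokens[i]), i + 1      # bare address means a single host


def parse_extended_acl(text: str) -> List[AclEntry]:
    """Body of 'ip access-list extended NAME': permit|deny igmp SRC GRP per line."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":        # skip the header line
            continue
        if tokens[0] not in ("permit", "deny") or tokens[1] != "igmp":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_clause(tokens, 2)
        grp, _ = _parse_clause(tokens, i)
        entries.append(AclEntry(tokens[0], src, grp))
    return entries


def parse_standard_acl(text: str) -> List[AclEntry]:
    """Numbered standard list: 'access-list N permit|deny GRP [log]'.
    A standard list constrains only the group, so the source clause is ANY."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line}")
        grp, _ = _parse_clause(tokens, 3)
        entries.append(AclEntry(tokens[2], ANY, grp))
    return entries


def acl_action(entries: List[AclEntry], src: str, grp: str) -> str:
    """First matching entry wins; an IOS access list ends in an implicit deny."""
    s, g = ipaddress.ip_address(src), ipaddress.ip_address(grp)
    for e in entries:
        if s in e.src and g in e.grp:
            return e.action
    return "deny"


def filter_igmpv3_report(entries: List[AclEntry], group: str,
                         sources: List[str]) -> Tuple[bool, List[str]]:
    """The check described on the page: (0, G) first, then each (S, G).
    Returns (group permitted?, sources that survive the filter)."""
    if acl_action(entries, "0.0.0.0", group) == "deny":
        return False, []                         # whole report is discarded
    kept = [s for s in sources if acl_action(entries, s, group) == "permit"]
    return True, kept


# Constructed sample configurations (made-up addresses, same shapes as the page's examples).
STANDARD_ACL = """
access-list 1 deny 239.1.0.0 0.0.255.255
access-list 1 permit any log
"""
EXTENDED_ACL = """
ip access-list extended test5
 deny igmp host 10.4.4.4 host 232.1.1.1
 permit igmp any any
"""


def demo() -> dict:
    std = parse_standard_acl(STANDARD_ACL)
    ext = parse_extended_acl(EXTENDED_ACL)
    return {
        "std_denied_range": filter_igmpv3_report(std, "239.1.2.3", []),
        "std_other_group": filter_igmpv3_report(std, "239.2.2.3", []),
        "ext_mixed_sources": filter_igmpv3_report(ext, "232.1.1.1", ["10.1.1.1", "10.4.4.4"]),
        "ext_other_group": filter_igmpv3_report(ext, "232.9.9.9", ["10.4.4.4"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the model shows why test5 above does not block the group: the (0, G) lookup skips the deny entry because its source clause is host 10.4.4.4, reaches permit igmp any any, and only the denied source is stripped from the report. A list shaped like test1 (deny igmp any host G) fails the (0, G) lookup itself, so the whole report is dropped. The same implicit deny explains test3 and test4: with no trailing permit igmp any any, every group or source other than the one named is rejected.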