Controlling IGMP traffic in extended ACLs

This option is useful where it is necessary to permit some types of IGMP traffic and deny other types instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.


{<permit | deny>} igmp SA DA [igmp-type]

In an extended ACL using igmp as the packet protocol type, you can optionally specify an individual IGMP packet type to further define the criteria for a match. This option, if used, is entered immediately after the destination addressing entry. The following example shows an IGMP ACE entered in the Named ACL context:

switch(config-ext-nacl)# permit igmp any any host-query


The complete list of IGMP packet-type options includes:





For more information on IGMP packet types, visit the Internet Assigned Numbers Authority (IANA) website at; select "Protocol Number Assignment Services", and then go to the selections under "Internet Group Management Protocol (IGMP) Type Numbers".


Suppose that you want to implement these policies on a switch configured for IPv4 routing and membership in VLANs 10, 20, and 30:

  1. Permit Telnet traffic from to, deny all other IPv4 traffic from network (VLAN 10) to (VLAN 20), and permit all other IPv4 traffic from any source to any destination. (See "A" in An extended ACL, below.)
  2. Permit FTP traffic from (on VLAN 20) to (on VLAN 30). Deny FTP traffic from other hosts on network to any destination, but permit all other IPv4 traffic.

An extended ACL
Configuration commands for extended ACLs