Illumio Products

Little Known Features of Illumio ASP – Broadcast and Multicast Filters


Have you ever tried to find a golf ball in a bush, a ring at a beach, or something similar? If you have, you know how hard that can be. It takes time, requires lots of concentration, and the processes can be arduous.

Illumio’s Adaptive Security Platform (ASP) provides a real-time application dependency map, known as Illumination. The map draws a traffic line for every flow between any two workloads. These lines help users easily identify communications and quickly access details about the traffic between them.

Although this visibility helps users build policies, the map can be noisy with many traffic lines, particularly when broadcast and multicast traffic is present. That line density can make traffic identification difficult – like finding a golf ball in a bush.

Broadcast and multicast traffic can lower your application visibility

Today, enterprises rely on many connected applications and services to run their business. Some applications and services talk to one another through something known as a unicast, which sends traffic to only one peer at a time. Alternatively, others leverage broadcast and/or multicast to operate. Regardless of whether the traffic is unicast, broadcast, or multicast, Illumination visualizes traffic lines on its maps. This give users great traffic visibility in their environment.

That said, as mentioned above, the maps can become unnecessarily overcrowded with the presence of broadcast and multicast.

When a workload sends out broadcast traffic, all workloads in the broadcast domain receive it and report it to Illumio ASP. As a result, each received workload has traffic lines connecting workload activity. The total number of links depends on the size of a subnet. For example, in a fully populated /24 IP subnet, broadcast traffic from one workload can generate 253 traffic links.

Below are two views of Illumination. The first shows the map with only unicast traffic flows, and the second shows the map with unicast, broadcast, and multicast.

Figure 1 – An Illumination map with only unicast traffic lines

Figure 2 – An Illumination map with unicast, broadcast, and multicast traffic lines

Comparing the two maps, it is obvious that the second is much more crowded than the first, due to the visualization of broadcast and multicast traffic.

Imagine you are going to write policies to cover your applications that have nothing to do with the broadcast or multicast traffic. You would need to go through each of the links carefully, select the ones for your application, and ignore those broadcast and/or multicast traffic lines. What you need is a way to quickly filter out the broadcast and/or multicast traffic so you can visualize your data flow more easily.

But what if I don’t have broadcast or multicast applications?

This is a trick question. You may think you do not run any services using broadcast or multicast, and thus, you don’t face this overcrowding challenge. In fact, you may be surprised to find out that some services that come as part of server OS rely on broadcast and/or multicast traffic to operate – and enable this traffic by default. An example of this is Windows NetBIOS name services. This has been around for a long time, and many enterprise applications operate on a Windows OS. Those broadcast traffic links may reveal themselves in an application dependency map, therefore muddling the clarity of the map insights.

The simple, little known features: Broadcast and multicast features

To avoid your application visibility being clouded by broadcast and multicast traffic, Illumination provides broadcast and multicast map filters. Users can simply click on them to exclude or include broadcast/multicast traffic from their map. This improves visibility and usability, allows users to easily build policies, and saves time.

To access the filters, referring to the figure below, you can click on the Filter menu in the maps. From the drop-down, you can see the Broadcast and Multicast filter options. When they are checked, broadcast and multicast traffic is shown in the map. To hide them, simply unchecked those options. It’s that simple.


Finding a golf ball in a bush is hard. Finding the right traffic for your application does not have to be hard.

If you have broadcast and/or multicast in your environment that overcrowds your Illumination maps, try out these simple but powerful broadcast and multicast filters. It makes allocating your application flows easier, allowing you to uncover meaningful insights and write policies faster.

For more information about Illumio ASP and how it works, visit: https://www.illumio.com/products/adaptive-security-platform

Related topics

No items found.

Related articles

Better Endpoint Protection with CrowdStrike and Illumio Edge
Illumio Products

Better Endpoint Protection with CrowdStrike and Illumio Edge

Illumio Edge, our Zero Trust endpoint solution, is now available via Illumio, as well as in the CrowdStrike Store, activated via the CrowdStrike Falcon agent.

Integrating Visibility and Rule Creation for Efficient Workload Security
Illumio Products

Integrating Visibility and Rule Creation for Efficient Workload Security

Workload security has two broad requirements: visibility and enforcement.

Illumio is in Las Vegas for Black Hat 2022
Illumio Products

Illumio is in Las Vegas for Black Hat 2022

Stop by Booth #984 or access the Virtual Platform to see Illumio at Black Hat 2022.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?