Illumio Products

Little Known Features of Illumio ASP – Broadcast and Multicast Filters


Have you ever tried to find a golf ball in a bush, a ring at a beach, or something similar? If you have, you know how hard that can be. It takes time, requires lots of concentration, and the processes can be arduous.

Illumio’s Adaptive Security Platform (ASP) provides a real-time application dependency map, known as Illumination. The map draws a traffic line for every flow between any two workloads. These lines help users easily identify communications and quickly access details about the traffic between them.

Although this visibility helps users build policies, the map can be noisy with many traffic lines, particularly when broadcast and multicast traffic is present. That line density can make traffic identification difficult – like finding a golf ball in a bush.

Broadcast and multicast traffic can lower your application visibility

Today, enterprises rely on many connected applications and services to run their business. Some applications and services talk to one another through something known as a unicast, which sends traffic to only one peer at a time. Alternatively, others leverage broadcast and/or multicast to operate. Regardless of whether the traffic is unicast, broadcast, or multicast, Illumination visualizes traffic lines on its maps. This give users great traffic visibility in their environment.

That said, as mentioned above, the maps can become unnecessarily overcrowded with the presence of broadcast and multicast.

When a workload sends out broadcast traffic, all workloads in the broadcast domain receive it and report it to Illumio ASP. As a result, each received workload has traffic lines connecting workload activity. The total number of links depends on the size of a subnet. For example, in a fully populated /24 IP subnet, broadcast traffic from one workload can generate 253 traffic links.

Below are two views of Illumination. The first shows the map with only unicast traffic flows, and the second shows the map with unicast, broadcast, and multicast.

Figure 1 – An Illumination map with only unicast traffic lines

Figure 2 – An Illumination map with unicast, broadcast, and multicast traffic lines

Comparing the two maps, it is obvious that the second is much more crowded than the first, due to the visualization of broadcast and multicast traffic.

Imagine you are going to write policies to cover your applications that have nothing to do with the broadcast or multicast traffic. You would need to go through each of the links carefully, select the ones for your application, and ignore those broadcast and/or multicast traffic lines. What you need is a way to quickly filter out the broadcast and/or multicast traffic so you can visualize your data flow more easily.

But what if I don’t have broadcast or multicast applications?

This is a trick question. You may think you do not run any services using broadcast or multicast, and thus, you don’t face this overcrowding challenge. In fact, you may be surprised to find out that some services that come as part of server OS rely on broadcast and/or multicast traffic to operate – and enable this traffic by default. An example of this is Windows NetBIOS name services. This has been around for a long time, and many enterprise applications operate on a Windows OS. Those broadcast traffic links may reveal themselves in an application dependency map, therefore muddling the clarity of the map insights.

The simple, little known features: Broadcast and multicast features

To avoid your application visibility being clouded by broadcast and multicast traffic, Illumination provides broadcast and multicast map filters. Users can simply click on them to exclude or include broadcast/multicast traffic from their map. This improves visibility and usability, allows users to easily build policies, and saves time.

To access the filters, referring to the figure below, you can click on the Filter menu in the maps. From the drop-down, you can see the Broadcast and Multicast filter options. When they are checked, broadcast and multicast traffic is shown in the map. To hide them, simply unchecked those options. It’s that simple.


Finding a golf ball in a bush is hard. Finding the right traffic for your application does not have to be hard.

If you have broadcast and/or multicast in your environment that overcrowds your Illumination maps, try out these simple but powerful broadcast and multicast filters. It makes allocating your application flows easier, allowing you to uncover meaningful insights and write policies faster.

For more information about Illumio ASP and how it works, visit: https://www.illumio.com/products/illumio-core

Related topics

No items found.

Related articles

From Servers to Endpoints: The Benefits of Extending ZTS to Your Most Vulnerable Devices
Illumio Products

From Servers to Endpoints: The Benefits of Extending ZTS to Your Most Vulnerable Devices

From Servers to Endpoints: The Benefits of Extending ZTS to Your Most Vulnerable Devices

Little-Known Features of Illumio Core: The Illumio Map
Illumio Products

Little-Known Features of Illumio Core: The Illumio Map

Get insight into what the Illumio Map visualization offers and how it can help your team see, segment, and secure your network better.

Enforcement Boundaries: 7 Use Cases Beyond Ransomware
Illumio Products

Enforcement Boundaries: 7 Use Cases Beyond Ransomware

Enforcement Boundaries are the Swiss Army knife of risk reduction. Those famous red tools can do much more than slice some cheese and apple, and Enforcement Boundaries can do much more than just fight ransomware.

No items found.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?