Illumio Products

Little Known Features of Illumio ASP – Broadcast and Multicast Filters


Have you ever tried to find a golf ball in a bush, a ring at a beach, or something similar? If you have, you know how hard that can be. It takes time, requires lots of concentration, and the processes can be arduous.

Illumio’s Adaptive Security Platform (ASP) provides a real-time application dependency map, known as Illumination. The map draws a traffic line for every flow between any two workloads. These lines help users easily identify communications and quickly access details about the traffic between them.

Although this visibility helps users build policies, the map can be noisy with many traffic lines, particularly when broadcast and multicast traffic is present. That line density can make traffic identification difficult – like finding a golf ball in a bush.

Broadcast and multicast traffic can lower your application visibility

Today, enterprises rely on many connected applications and services to run their business. Some applications and services talk to one another through something known as a unicast, which sends traffic to only one peer at a time. Alternatively, others leverage broadcast and/or multicast to operate. Regardless of whether the traffic is unicast, broadcast, or multicast, Illumination visualizes traffic lines on its maps. This give users great traffic visibility in their environment.

That said, as mentioned above, the maps can become unnecessarily overcrowded with the presence of broadcast and multicast.

When a workload sends out broadcast traffic, all workloads in the broadcast domain receive it and report it to Illumio ASP. As a result, each received workload has traffic lines connecting workload activity. The total number of links depends on the size of a subnet. For example, in a fully populated /24 IP subnet, broadcast traffic from one workload can generate 253 traffic links.

Below are two views of Illumination. The first shows the map with only unicast traffic flows, and the second shows the map with unicast, broadcast, and multicast.

Figure 1 – An Illumination map with only unicast traffic lines

Figure 2 – An Illumination map with unicast, broadcast, and multicast traffic lines

Comparing the two maps, it is obvious that the second is much more crowded than the first, due to the visualization of broadcast and multicast traffic.

Imagine you are going to write policies to cover your applications that have nothing to do with the broadcast or multicast traffic. You would need to go through each of the links carefully, select the ones for your application, and ignore those broadcast and/or multicast traffic lines. What you need is a way to quickly filter out the broadcast and/or multicast traffic so you can visualize your data flow more easily.

But what if I don’t have broadcast or multicast applications?

This is a trick question. You may think you do not run any services using broadcast or multicast, and thus, you don’t face this overcrowding challenge. In fact, you may be surprised to find out that some services that come as part of server OS rely on broadcast and/or multicast traffic to operate – and enable this traffic by default. An example of this is Windows NetBIOS name services. This has been around for a long time, and many enterprise applications operate on a Windows OS. Those broadcast traffic links may reveal themselves in an application dependency map, therefore muddling the clarity of the map insights.

The simple, little known features: Broadcast and multicast features

To avoid your application visibility being clouded by broadcast and multicast traffic, Illumination provides broadcast and multicast map filters. Users can simply click on them to exclude or include broadcast/multicast traffic from their map. This improves visibility and usability, allows users to easily build policies, and saves time.

To access the filters, referring to the figure below, you can click on the Filter menu in the maps. From the drop-down, you can see the Broadcast and Multicast filter options. When they are checked, broadcast and multicast traffic is shown in the map. To hide them, simply unchecked those options. It’s that simple.


Finding a golf ball in a bush is hard. Finding the right traffic for your application does not have to be hard.

If you have broadcast and/or multicast in your environment that overcrowds your Illumination maps, try out these simple but powerful broadcast and multicast filters. It makes allocating your application flows easier, allowing you to uncover meaningful insights and write policies faster.

For more information about Illumio ASP and how it works, visit: https://www.illumio.com/products/illumio-core

Related topics

No items found.

Related articles

Enforcement Boundaries: 7 Use Cases Beyond Ransomware
Illumio Products

Enforcement Boundaries: 7 Use Cases Beyond Ransomware

Enforcement Boundaries are the Swiss Army knife of risk reduction. Those famous red tools can do much more than slice some cheese and apple, and Enforcement Boundaries can do much more than just fight ransomware.

New Updates to Illumio Core Accelerate Zero Trust Security
Illumio Products

New Updates to Illumio Core Accelerate Zero Trust Security

Updates to Illumio Core will accelerate your organization's path to Zero Trust Security. Learn more in this blog post.

Little-Known Features of Illumio Core: Analyzing Network Flows With Mesh
Illumio Products

Little-Known Features of Illumio Core: Analyzing Network Flows With Mesh

Learn how Mesh shows multiple data dimensions at once to provide a clearer picture of how each data point interacts with its environment.

No items found.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?