05-09-2008 11:32 AM - edited 03-11-2019 05:42 AM
Hi,
I'm building a lab where I have a Cisco 2691 acting as a transparent (bridged) FW between two Cisco 6500 switches. I was successful in bridging VLANs across these two switches and I have successfully built layer 3 access control lists to control traffic that needs to be addressed.
However, darn multicast layer two traffic such as HSRP. I don't want HSRP to be shared between these two switches. I can't create a separate standby group because each switch needs to use the same standby IP.
I'm seeking out ideas as to how I can stop the passage of HSRP. There's likely too many MAC addresses associated with HSRP updates, so the method of using a layer 2 ACL might come back and bite me down the road.
Thoughts? Maybe I can block this at the switch port level keeping this traffic from ever hitting the router???
Regards
Jeff
05-10-2008 03:58 PM
Jeff,
There are a few different ways to do this. HSRP sends its updates via multicast IP address 224.0.0.2.
Therefore, you should be able to drop all traffic to that address from any interface or vlan via an access-list or vlan-map, depending on where you configure it.
For example, if you were using a vlan-map on a 3550/3560, you'd do the following:
ip access-list extended HSRP
 ! HSRP hellos are sent TO 224.0.0.2, so match on the destination address
 permit ip any host 224.0.0.2
 deny ip any any
vlan access-map HSRP-Map 10
 action drop
 match ip address HSRP
vlan access-map HSRP-Map 20
 ! no match clause = matches everything else; without this the VACL's implicit deny drops all other VLAN 100 traffic
 action forward
vlan filter HSRP-Map vlan-list 100
The vlan map matches the traffic in the access-list. In this particular scenario, it is permitting 224.0.0.2 to be dropped. In addition, it is denying everything else from being dropped. This only pertains to traffic in vlan 100, which is listed in the vlan-filter.
It seems kind of backwards at first, but once you do it a few times, it'll make sense.
If you wanted to restrict HSRP at the router, just add 'deny ip any host 224.0.0.2' to your access-list on the appropriate interface.
I'm pretty sure this should work. Give it a try and let me know!
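As an added example (not code from the original post), here is a small Python model of how an IOS ACL and a VLAN access-map evaluate a packet, so the HSRP-blocking VACL can be checked before it is applied. It assumes IOS's documented behaviour that the first matching ACE wins, that an ACL ends in an implicit deny, and that a packet matching no access-map clause is dropped; the ACE/clause tuples are a simplified model of the syntax and all sample packets are constructed.

```python
"""Evaluator for IOS-style ACL + VLAN access-map semantics (added example,
not from the original post).  ACE/clause tuples are a simplified model of
the IOS syntax; every packet below is constructed."""

def ace_matches(ace, pkt):
    """ace = (action, src, dst); 'any' is a wildcard, otherwise a host IP."""
    _, src, dst = ace
    return src in ("any", pkt["src"]) and dst in ("any", pkt["dst"])

def acl_permits(acl, pkt):
    """IOS ACL: first matching ACE wins, implicit deny if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0] == "permit"
    return False

def vacl_action(access_map, acls, pkt):
    """access_map = [(seq, acl_name or None, action)].  A clause matches when
    its ACL permits the packet; a clause with no 'match' (None) matches all;
    a packet matching no clause is dropped (the VACL's implicit deny)."""
    for _, acl_name, action in sorted(access_map):
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action
    return "drop"

ACLS = {
    # HSRP hellos are *sent to* 224.0.0.2, so the ACE matches the destination.
    "HSRP": [("permit", "any", "224.0.0.2"), ("deny", "any", "any")],
}
# Drop clause only: anything the HSRP ACL does not permit falls off the end
# of the map and is dropped by the implicit deny, i.e. all other traffic.
MAP_DROP_ONLY = [(10, "HSRP", "drop")]
# Drop clause followed by an explicit catch-all forward clause.
MAP_FIXED = [(10, "HSRP", "drop"), (20, None, "forward")]

# Constructed sample traffic seen on VLAN 100.
HSRP_HELLO = {"src": "10.100.0.2", "dst": "224.0.0.2"}
HSRPV2_HELLO = {"src": "10.100.0.2", "dst": "224.0.0.102"}  # HSRPv2 uses 224.0.0.102
USER_HTTP = {"src": "10.100.0.50", "dst": "10.200.0.80"}

def check(access_map):
    """Return the VACL verdict for each sample packet under the given map."""
    samples = (("hsrp", HSRP_HELLO), ("hsrpv2", HSRPV2_HELLO), ("http", USER_HTTP))
    return {name: vacl_action(access_map, ACLS, pkt) for name, pkt in samples}

if __name__ == "__main__":
    print("drop-only map:", check(MAP_DROP_ONLY))  # user traffic is dropped too
    print("fixed map    :", check(MAP_FIXED))      # only the HSRPv1 hello is dropped
```

The HSRPv2 packet is included as a caveat: the ACL as written only covers the v1 group address, so a v2 hello still crosses the bridge.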