Vlan extension over OTV

sandeep28585
Level 1

Hi ,

In my current scenario both firewalls are acting as Master/Slave and the L2 VLAN extension is done via a trunk between the two switches. Now I am in a situation where I have to migrate all the connections to an N5K/N2K solution, but the issue comes when the firewall comes into the picture, as one VLAN has HSRP running between the DCs. The issue comes when we migrate the legacy infra to the N5K/N2K solution, as currently only two switches are participating in HSRP. Once we migrate, HSRP will be running between all four N5Ks. Need your suggestions on whether we need to filter HSRP packets in OTV. But if we filter them, then how do the firewalls communicate/sync with each other? Please share your suggestions.

Accepted Solution

Rick1776
Level 5
The config will look something like this...

ip access-list ALL_IPs
  10 permit ip any any
!
mac access-list ALL_MACs
  10 permit any any
!
! HSRP hellos: UDP 1985 to 224.0.0.2 (HSRPv1) or 224.0.0.102 (HSRPv2)
ip access-list HSRP_IP
  10 permit udp any 224.0.0.2/32 eq 1985
  20 permit udp any 224.0.0.102/32 eq 1985
!
! HSRP virtual MACs: 0000.0c07.acXX (v1, XX = group) and 0000.0c9f.fXXX (v2).
! A mac access-list takes a wildcard (1 bit = don't care).
mac access-list HSRP_VMAC
  10 permit 0000.0c07.ac00 0000.0000.00ff any
  20 permit 0000.0c9f.f000 0000.0000.0fff any
!
! An arp access-list takes a mask (1 bit = must match), hence the inverted values.
arp access-list HSRP_VMAC_ARP
  10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00
  20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000
  30 permit ip any mac any
!
! Sequence 10 drops the HSRP hellos; sequence 20 forwards everything else,
! so non-HSRP traffic such as the firewall sync is untouched.
vlan access-map HSRP_Localization 10
  match mac address HSRP_VMAC
  match ip address HSRP_IP
  action drop
vlan access-map HSRP_Localization 20
  match mac address ALL_MACs
  match ip address ALL_IPs
  action forward
!
! Neither list does anything until it is applied. Replace <OTV-extended-VLANs>
! with the list of VLANs you carry over the overlay.
vlan filter HSRP_Localization vlan-list <OTV-extended-VLANs>
ip arp inspection filter HSRP_VMAC_ARP vlan <OTV-extended-VLANs>
!
!


This is an older guide but still relevant.
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DCI/whitepaper/DCI3_OTV_Intro.pdf?dtid=osscdc000283
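To see what the access map above actually drops and what it lets through (the poster's worry about the firewall sync), here is an added example that is not part of the page and not Cisco's code: a Python model of the three access lists applied to constructed frames. It assumes that sequence 10 of the access map requires both the MAC match and the IP match (the intent of the guide; the sample frames match both lists or neither, so the verdict does not depend on that reading), and every MAC and IP address, port and frame in it is made up for the example.

```python
"""Model of the HSRP localisation VACL and ARP ACL from the reply above, run
over constructed frames. Added example, not configuration from the page."""
import struct


def mac_bytes(dotted):
    """'0000.0c07.ac0a' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


# NX-OS 'mac access-list' takes a WILDCARD (1 = don't care); 'arp access-list'
# takes a MASK (1 = must match). The reply uses each convention correctly;
# copying one into the other silently matches the wrong frames.
def mac_match_wildcard(mac, value, wildcard):
    return all(((m ^ v) & (0xFF ^ w)) == 0
               for m, v, w in zip(mac, mac_bytes(value), mac_bytes(wildcard)))


def mac_match_mask(mac, value, mask):
    return all(((m ^ v) & k) == 0
               for m, v, k in zip(mac, mac_bytes(value), mac_bytes(mask)))


# The access-list entries exactly as posted.
HSRP_VMAC = [("0000.0c07.ac00", "0000.0000.00ff"),    # HSRPv1 vMAC, group in last octet
             ("0000.0c9f.f000", "0000.0000.0fff")]    # HSRPv2 vMAC, 12-bit group
HSRP_IP = {("224.0.0.2", 1985), ("224.0.0.102", 1985)}  # permit udp any <group> eq 1985
HSRP_VMAC_ARP = [("0000.0c07.ac00", "ffff.ffff.ff00"),  # deny entries; seq 30 permits
                 ("0000.0c9f.f000", "ffff.ffff.f000")]


def parse_frame(frame):
    """Minimal Ethernet II decode of just the fields the ACLs look at."""
    p = {"src_mac": frame[6:12], "etype": struct.unpack("!H", frame[12:14])[0]}
    if p["etype"] == 0x0800:                       # IPv4: proto at +9, dst at +16
        p["proto"] = frame[23]
        p["dst_ip"] = ".".join(str(b) for b in frame[30:34])
        if p["proto"] == 17:                       # UDP: dst port 2 bytes into L4
            l4 = 14 + (frame[14] & 0x0F) * 4
            p["dport"] = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    elif p["etype"] == 0x0806:                     # ARP: sender MAC at +8
        p["arp_sender_mac"] = frame[22:28]
    return p


def vacl_action(frame):
    """vlan access-map HSRP_Localization: seq 10 drops a frame that matches
    HSRP_VMAC and HSRP_IP (modelled as AND, the guide's intent; the samples
    match both lists or neither, so OR gives the same verdict); seq 20 forwards."""
    p = parse_frame(frame)
    mac_hit = any(mac_match_wildcard(p["src_mac"], v, w) for v, w in HSRP_VMAC)
    ip_hit = p.get("proto") == 17 and (p["dst_ip"], p["dport"]) in HSRP_IP
    return "drop" if mac_hit and ip_hit else "forward"


def arp_acl_action(frame):
    """arp access-list HSRP_VMAC_ARP: deny ARP whose sender MAC is an HSRP
    vMAC, permit all other ARP. Non-ARP frames are not evaluated by it."""
    p = parse_frame(frame)
    if p["etype"] != 0x0806:
        return "not-arp"
    hit = any(mac_match_mask(p["arp_sender_mac"], v, k) for v, k in HSRP_VMAC_ARP)
    return "deny" if hit else "permit"


# --- constructed sample frames (made-up addresses, not captures) -------------
def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 1, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + l4


def hsrp_v1_hello(group, priority, vip):
    # RFC 2281 layout: version, opcode(0=hello), state(16=active), hellotime,
    # holdtime, priority, group, reserved, 8-byte auth, virtual IP.
    body = (struct.pack("!8B", 0, 0, 16, 3, 10, priority, group, 0)
            + b"cisco".ljust(8, b"\0") + ip_bytes(vip))
    return struct.pack("!HHHH", 1985, 1985, 8 + len(body), 0) + body   # UDP header


def arp_frame(sender_mac, sender_ip, target_ip):
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac_bytes(sender_mac)
           + ip_bytes(sender_ip) + b"\0" * 6 + ip_bytes(target_ip))
    return mac_bytes("ffff.ffff.ffff") + mac_bytes(sender_mac) + b"\x08\x06" + arp


# HSRPv1 hello from the active gateway of group 10 (sourced from the vMAC).
HSRP_HELLO = ipv4_frame("0100.5e00.0002", "0000.0c07.ac0a", "10.1.1.2",
                        "224.0.0.2", 17, hsrp_v1_hello(10, 110, "10.1.1.1"))
# HSRPv2 hello for group 10: v2 vMAC and 224.0.0.102; the body is irrelevant here.
HSRP_V2_HELLO = ipv4_frame("0100.5e00.0066", "0000.0c9f.f00a", "10.1.1.2",
                           "224.0.0.102", 17, struct.pack("!HHHH", 1985, 1985, 8, 0))
# Unicast TCP between the two firewall nodes, standing in for their HA sync.
FW_SYNC = ipv4_frame("0023.ab01.0002", "0023.ab01.0001", "10.1.1.11", "10.1.1.12", 6,
                     struct.pack("!HHIIBBHHH", 40000, 9999, 1, 0, 0x50, 0x18, 8192, 0, 0))
ARP_FROM_VMAC = arp_frame("0000.0c07.ac0a", "10.1.1.1", "10.1.1.50")
ARP_FROM_HOST = arp_frame("0023.ab01.0001", "10.1.1.11", "10.1.1.50")

if __name__ == "__main__":
    for name, f in (("HSRPv1 hello", HSRP_HELLO), ("HSRPv2 hello", HSRP_V2_HELLO),
                    ("firewall sync", FW_SYNC)):
        print(f"{name:14} VACL -> {vacl_action(f)}")
    print("ARP from vMAC  ARP ACL ->", arp_acl_action(ARP_FROM_VMAC))
    print("ARP from host  ARP ACL ->", arp_acl_action(ARP_FROM_HOST))
```

The two MAC helpers are kept separate on purpose: `0000.0000.00ff` in the mac access-list means "ignore the last octet", but the same value used as the mask in an arp access-list would mean "only compare the last octet", which matches any MAC ending in 00 instead of the vMAC range. The firewall traffic is forwarded because it matches neither the HSRP multicast groups on UDP 1985 nor the vMAC ranges, so it falls through to sequence 20; only the hellos themselves are dropped.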


2 Replies

Rick1776
Level 5
Your assumptions are correct. You're going to have to stop the HSRP control plane from traversing the OTV link. In order to do this you'll need to configure VACLs and MACLs.

Please check out this guide.

https://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/guide_c07-728315.pdf
