How to stop VRRP announcement from reaching clients

RakanPastore
Level 1

Hello, hope you are having a good day.

I am using SVIs in a Layer 3 switch as gateways for clients, and I am using VRRP for redundancy. What I am seeing is that VRRP messages are reaching clients that are in the same VLAN, which is useless. For example, I am using int vlan 20 in MLS-5 as master and int vlan 20 in MLS-6 as backup.
Is there any way to stop this?

Accepted Solution
Hello,

VRRP uses multicast address 224.0.0.18. Since you are trying to block intra-VLAN traffic, a VACL would work. In the example below, your VRRP virtual address is 192.168.1.3, and the addresses of the physical interfaces are 192.168.1.1 and 192.168.1.2. Your VLAN is 10. Change these according to what you have configured. The VACL needs to be applied to both (or all) switches participating in VRRP:

! In a VLAN access map, "match ip address" matches only the packets the ACL
! PERMITS; a deny entry means "no match" and evaluation moves on to the next
! map sequence. The VRRP senders are therefore listed as permit entries.
access-list 100 permit ip host 192.168.1.1 host 224.0.0.18
access-list 100 permit ip host 192.168.1.2 host 224.0.0.18
access-list 100 permit ip host 192.168.1.3 host 224.0.0.18
!
! Sequence 10: drop the VRRP advertisements matched by ACL 100
vlan access-map BLOCK_VRRP 10
match ip address 100
action drop
!
! Sequence 20: no match clause, so everything else is forwarded
vlan access-map BLOCK_VRRP 20
action forward
!
! Apply the map to the VRRP VLAN (10 in this example)
vlan filter BLOCK_VRRP vlan-list 10

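As an added example (not part of the thread and not Cisco's code), here is a small Python model of how a VLAN access map evaluates its ACL: a `match ip address` clause matches only packets the referenced ACL permits, a deny entry means no match and evaluation continues with the next sequence, and no match at all is an implicit drop. It runs the BLOCK_VRRP map above against a VRRP advertisement from the master (192.168.1.1) and from a constructed client host (192.168.1.50), once with the VRRP routers listed as permit entries and once as deny entries, so the difference in outcome is visible.

```python
"""Added example: how a Cisco VLAN access map evaluates its IP ACL. A "match ip
address" clause matches only packets the ACL *permits*; a deny entry means "no
match here" and evaluation falls through to the next map sequence; no match at
all is an implicit drop. Addresses follow the reply above; 192.168.1.50 is a
constructed client host."""
from __future__ import annotations
from dataclasses import dataclass

VRRP_MCAST = "224.0.0.18"  # VRRP advertisements are sent to this group

@dataclass(frozen=True)
class Ace:
    permit: bool
    src: str  # "any" or one host address
    dst: str  # "any" or one host address

def ace_matches(ace: Ace, src: str, dst: str) -> bool:
    return ace.src in ("any", src) and ace.dst in ("any", dst)

def acl_permits(acl: list[Ace], src: str, dst: str) -> bool:
    """Plain ACL walk: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace.permit
    return False

def vacl_action(access_map, acls, src: str, dst: str) -> str:
    """access_map: [(seq, acl_name or None, 'drop'|'forward'), ...] in order."""
    for _seq, acl_name, action in access_map:
        # A sequence with no match clause matches every packet.
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"  # implicit drop when no sequence matches

ROUTERS = ("192.168.1.1", "192.168.1.2", "192.168.1.3")
ACCESS_MAP = [(10, "100", "drop"), (20, None, "forward")]  # BLOCK_VRRP 10 / 20
# Variant A: routers as permit entries -> their VRRP is matched and dropped.
ACL_PERMIT_ROUTERS = [Ace(True, r, VRRP_MCAST) for r in ROUTERS]
# Variant B: routers as deny entries plus "permit ip any host 224.0.0.18":
# the routers' own advertisements do NOT match sequence 10 (forwarded), while
# VRRP sent by any other host in the VLAN is matched and dropped.
ACL_DENY_ROUTERS = [Ace(False, r, VRRP_MCAST) for r in ROUTERS] + [
    Ace(True, "any", VRRP_MCAST)]
def decide(acl: list[Ace], src: str) -> str:
    return vacl_action(ACCESS_MAP, {"100": acl}, src, VRRP_MCAST)

if __name__ == "__main__":
    for name, acl in (("permit-routers", ACL_PERMIT_ROUTERS), ("deny-routers", ACL_DENY_ROUTERS)):
        for src in ("192.168.1.1", "192.168.1.50"):
            print(f"{name:14} VRRP from {src:13} -> {decide(acl, src)}")
```

Note that a VLAN access map applies to every port in the VLAN, so variant A also stops the backup switch from seeing the master's advertisements; check the VRRP state with `show vrrp` on both switches after applying it.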

3 Replies


Hello, thank you for replying.
I tried these commands, but it didn't work. I think it is because I am using IOU in GNS3; I don't think VACLs work in emulated switches.

Hello,

Indeed, VACLs don't work in GNS3. It seems to be a bug in these images. I am pretty sure it will work on 'real' switches.
