Suppressing 224.0.0.2 multicast from Core Switches

mvsheik123
Level 7

Hello all,

2 Core switches connected to 2 edge Firewalls, all running OSPF. IPS is inline (Switches --> IPS --> ASA). The IPS is registering multicast to address 224.0.0.2 (all-routers / also used for HSRP) from both core switches via port 1985. Matching filter is: IP: Short Time to Live (1). No return traffic observed from anywhere. What exactly is this for, and how to disable this traffic originating from the core switches if it's nothing to do with any used traffic? No multicast-enabled applications in the infra.

TIA

MS

1 Accepted Solution

Jon Marshall
Hall of Fame

mvsheik123 wrote:

Hello all,

2 Core switches connected to 2 edge Firewalls, all running OSPF. IPS is inline (Switches --> IPS --> ASA). The IPS is registering multicast to address 224.0.0.2 (all-routers / also used for HSRP) from both core switches via port 1985. Matching filter is: IP: Short Time to Live (1). No return traffic observed from anywhere. What exactly is this for, and how to disable this traffic originating from the core switches if it's nothing to do with any used traffic? No multicast-enabled applications in the infra.

TIA

MS


Do you have HSRP configured on the core switch interfaces or SVIs that connect to the firewalls?

If so then yes, you will see this, and you won't necessarily see return traffic because 224.0.0.2 is used by HSRP as you say. The IPS sees it because I'm assuming the core switch interfaces and the firewall interfaces connecting to each other are in the same subnet, i.e. the same L2 VLAN.

Jon
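To show what the IPS is actually matching, here is an added Python example (not part of this thread or Cisco's code) that parses a raw IPv4/UDP frame, separates HSRPv1 hellos (dst 224.0.0.2, UDP 1985, TTL 1, per the RFC 2281 layout) from other TTL-1 traffic that the "Short Time to Live (1)" filter would also flag, and pulls out the group, state and priority a defender would want in the alert. The sample packet is constructed inline; the addresses and group number are made up.

```python
import socket
import struct
from dataclasses import dataclass

HSRP_GROUP_ADDR = "224.0.0.2"   # all-routers; HSRPv1 hellos are sent here
HSRP_PORT = 1985
# HSRPv1 state and opcode values from RFC 2281
HSRP_STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
HSRP_OPCODES = {0: "hello", 1: "coup", 2: "resign"}


@dataclass
class HsrpHello:
    src: str
    group: int
    opcode: str
    state: str
    priority: int
    virtual_ip: str


def classify(frame: bytes):
    """Return ('hsrp', HsrpHello) for a TTL-1 HSRPv1 packet, ('short_ttl', None) for any
    other TTL-1 IPv4 packet (what the IPS filter matches), or (None, None) otherwise."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None, None
    ihl = (frame[0] & 0x0F) * 4
    ttl, proto = frame[8], frame[9]
    src, dst = socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20])
    if ttl != 1:
        return None, None
    # HSRPv1 body: version, opcode, state, hellotime, holdtime, priority, group,
    # reserved, 8-byte auth data, 4-byte virtual IP (20 bytes)
    if proto == 17 and dst == HSRP_GROUP_ADDR and len(frame) >= ihl + 8 + 20:
        sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
        body = frame[ihl + 8:]
        version, opcode, state, _, _, priority, group = body[:7]
        if sport == HSRP_PORT and dport == HSRP_PORT and version == 0:
            vip = socket.inet_ntoa(body[16:20])
            return "hsrp", HsrpHello(src, group, HSRP_OPCODES.get(opcode, "?"),
                                     HSRP_STATES.get(state, "?"), priority, vip)
    return "short_ttl", None


def build_hsrp_hello(src_ip, group, priority, state, vip, ttl=1):
    """Constructed sample packet: IPv4 header (no checksum), UDP (zero checksum), HSRPv1."""
    hsrp = struct.pack("!BBBBBBBB8s4s", 0, 0, state, 3, 10, priority, group, 0,
                       b"cisco", socket.inet_aton(vip))
    udp = struct.pack("!HHHH", HSRP_PORT, HSRP_PORT, 8 + len(hsrp), 0) + hsrp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(HSRP_GROUP_ADDR))
    return ip + udp
```

Running classify over captured frames lets the short-TTL alert be tuned to report only non-HSRP hits, while the parsed fields still reveal an unexpected group or a router claiming "active" with a priority nobody configured.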

Correct Jon. Both the FW inside i/fs connect to both switch ports with the same VLAN & HSRP between SVIs. Is there a way to suppress this?

Thanks

MS

mvsheik123 wrote:

Correct Jon. Both the FW inside i/fs connect to both switch ports with the same VLAN & HSRP between SVIs. Is there a way to suppress this?

Thanks

MS

MS

Well you wouldn't want to suppress it between the 2 SVI interfaces.

224.0.0.x addressing is difficult because even if you turn on IGMP snooping it has no effect on 224.0.0.x addressing. Also, even if you tried to use an ACL outbound on the SVI, it wouldn't affect traffic generated by the device itself.

I suppose you could try VACLs, which you may be able to use to block the multicast going to the firewalls and hence via the IPS, but I don't know for sure if that would work as I have never tried it.

Jon

Thanks again Jon. I do not want to suppress HSRP hellos between SVIs. I will check on VACL.

Thanks

MS