09-01-2021 02:13 PM - edited 09-01-2021 02:53 PM
Working with 4500X and 2960X switches. I have HSRP running on all of the L3 interfaces, mostly vlans. Is there a way to not send HSRP broadcasts down every interface and only limit it to interfaces connected to other switches?
Every time I start up Wireshark on a server connected to a switch I have to !(hsrp) or else I get spammed. HSRP doesn't need to be sent to any endpoints like that.
EDIT: To clarify, I see HSRP "hello" packets on every interface in the VLAN for which the corresponding HSRP group is configured.
09-01-2021 02:23 PM - edited 09-01-2021 05:01 PM
....
09-01-2021 02:54 PM
I've read up on that command, never used it before. I don't see how exactly it would help.
09-01-2021 05:00 PM
01-07-2025 09:33 PM
Good afternoon - I realise I'm replying to a bit of an old thread here so my apologies up front for that.
We're trying to implement this solution, over 4 Nexus 3500s.
I can get it to work if I attach the ACL to an interface directly (E1/1 for example) but not if I use port channels. (Po3 made of E1/1-2).
Do you know if that behaviour is expected?
01-08-2025 04:43 AM
You can try to apply the ACL to both physical interfaces in the port channel.
01-08-2025 03:11 PM
Morning David, thanks for the response!
I've tried that - it comes back and says it can't do it while they're in a port channel.
dc-cen-a(config-if)# int e1/1-2
dc-cen-a(config-if-range)# ip port access-group DHI in
Cannot apply ACL to an interface that is a port-channel member
dc-cen-a(config-if-range)#
When I remove them from the group and then add the configuration and then add them back to the group it strips the command:
dc-cen-a# conf t
Enter configuration commands, one per line. End with CNTL/Z.
dc-cen-a(config)# int po3000
dc-cen-a(config-if)# ip port access-group DHI in
dc-cen-a(config-if)# int e1/1-2
dc-cen-a(config-if-range)# no channel-group
dc-cen-a(config-if-range)# ip port access-group DHI in
dc-cen-a(config-if-range)# channel-group 3000 mode active
dc-cen-a(config-if-range)# end
dc-cen-a# show run int e1/1-2

!Command: show running-config interface Ethernet1/1-2
!Running configuration last done at: Wed Jan 8 23:10:30 2025
!Time: Wed Jan 8 23:10:30 2025

version 9.3(13) Bios:version 5.6.0

interface Ethernet1/1
  description DCI-BENA
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  channel-group 3000 mode active

interface Ethernet1/2
  description DCI-BENA
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  channel-group 3000 mode active

dc-cen-a# show run int po3000

!Command: show running-config interface port-channel3000
!Running configuration last done at: Wed Jan 8 23:10:30 2025
!Time: Wed Jan 8 23:10:33 2025

version 9.3(13) Bios:version 5.6.0

interface port-channel3000
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30,40
  ip port access-group DHI in
  spanning-tree port type network
  vpc 3000

dc-cen-a#
Any thoughts?
09-01-2021 05:01 PM
Sorry, I thought you wanted to reduce the HSRP messages per interface, not per VLAN port; please see the method below.
01-08-2025 04:55 PM
Not sure. I would try and open a new thread so the community can help as well.