10-23-2013 07:41 AM - edited 03-07-2019 04:11 PM
A friend of mine is trying to filter or block the HSRP multicast traffic over a QinQ trunk link because it is causing some issues on the network. Can you please advise whether there is any possibility of blocking the HSRP multicast over the trunk link?
Here is the scenario.
We have two DCs, let's assume DCA and DCB, and a QinQ link has been set up between the two. All the VLANs go across that link, and HSRP is using VLAN 10 and the same group 10 on both sites; we don't want to change either the group or the VLAN.
Please let me know your thoughts on this and feel free to ask for more information.
Thank you in advance
10-23-2013 10:12 AM
What about using a port ACL blocking packets to 224.0.0.2?
10-24-2013 12:50 AM
Is there somewhere convenient you could apply a VACL to filter out multicast traffic from 0000.0c07.ac0a (the group 10 MAC in your case)?
mac access-list extended BLOCK-HSRP
 permit host 0000.0c07.ac0a any
!
vlan access-map VACL 10
 match mac address BLOCK-HSRP
 action drop
!
vlan access-map VACL 20
 action forward
!
vlan filter VACL vlan-list 10
10-24-2013 02:18 AM
Many thanks for your replies. We will try to apply the access-map in our scenario and see if it makes any difference, but we want to test it first in a lab environment. Unfortunately, GNS3 doesn't treat the switches well, so I am wondering whether we will be able to apply the access-map in GNS3.
10-24-2013 02:27 AM
The closest you can get to switches in GNS3 is the NM-16ESW in the 3725 router, but you still have a lot of features missing, one of them being VACLs.
10-29-2013 08:53 AM
Hi Jamie
I am actually the friend that Muhammed has posted this on behalf of.
I have managed to finally get this working with proper hardware, to overcome the limitations of emulated equipment. The VACL would have been a good idea, but it would also probably have blocked the legitimate HSRP traffic between Switch 1 and Switch 2 at Site A (and also at Site B). So really it had to be done with IP-based ACLs on the trunk link itself.
I can't have the ACLs in an outgoing direction, so I guess I'll have to live with the superfluous traffic going across the link, but using the ACL (as suggested by Daniel):
access-list 101 remark HSRP hellos: source/destination port 1985 to 224.0.0.2
access-list 101 deny tcp any eq 1985 host 224.0.0.2
access-list 101 deny udp any eq 1985 host 224.0.0.2
access-list 101 permit ip any any
If this is placed at both ends of the trunk, the HSRP messages from one side don't "override" the settings on the other side. I'm still seeing the traffic, but that's something I'll have to live with...
Thanks
Stuart
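The difference between the two filters discussed in this thread, as an added example that is not part of the original posts: a small Python model of Jamie's VLAN 10 VACL and Stuart's trunk ACL 101, applied to constructed HSRP hello packets, showing that the VACL also drops the site-internal hellos while the trunk ACL only drops hellos arriving over the QinQ link. The Packet fields and the "ingress" label are assumptions of this model, not Cisco syntax.

```python
# Added example, not from the thread: toy model of the two filters proposed above.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HSRP_V1_GROUP = "224.0.0.2"          # HSRPv1 hello destination (from the thread)
HSRP_PORT = 1985                      # HSRP UDP port (from the thread)
HSRP_V1_VMAC_G10 = "0000.0c07.ac0a"   # HSRPv1 virtual MAC for group 10 (from the thread)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    proto: str               # "udp", "tcp", "ospf", ...
    src_port: Optional[int]
    dst_ip: str
    ingress: str             # assumption: "local" = site-internal port, "trunk" = QinQ link


def vacl_drops(pkt: Packet) -> bool:
    """Jamie's VACL on VLAN 10: drops any frame sourced from the group-10
    virtual MAC, whichever port it arrived on."""
    return pkt.src_mac == HSRP_V1_VMAC_G10


def acl101_drops(pkt: Packet) -> bool:
    """Stuart's access-list 101, applied inbound on the trunk only:
    deny tcp/udp with source port 1985 to host 224.0.0.2, permit everything else."""
    if pkt.ingress != "trunk":
        return False
    return (pkt.proto in ("tcp", "udp")
            and pkt.src_port == HSRP_PORT
            and pkt.dst_ip == HSRP_V1_GROUP)


def compare(packets: Dict[str, Packet]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (dropped_by_vacl, dropped_by_acl101)} for each packet."""
    return {n: (vacl_drops(p), acl101_drops(p)) for n, p in packets.items()}


# Constructed sample traffic seen on VLAN 10 at site A.
SAMPLE = {
    "hsrp_local": Packet(HSRP_V1_VMAC_G10, "udp", 1985, HSRP_V1_GROUP, "local"),   # own active router
    "hsrp_remote": Packet(HSRP_V1_VMAC_G10, "udp", 1985, HSRP_V1_GROUP, "trunk"),  # site B's hello
    "ospf_remote": Packet("0011.2233.4455", "ospf", None, "224.0.0.5", "trunk"),   # must keep flowing
}

if __name__ == "__main__":
    for name, (by_vacl, by_acl) in compare(SAMPLE).items():
        print(f"{name:12s} VACL drops={by_vacl!s:5s} ACL101 drops={by_acl}")
```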