2201 Views · 0 Helpful · 5 Replies

How to block HSRP multicast over a trunk link

Muhammad Rafi
Level 1

A friend of mine is trying to filter or block the HSRP multicast traffic over a QinQ trunk link because it is causing some issues on the network. Can you please advise whether there is any possibility to block the HSRP multicast over the trunk link?

Here is the scenario.

We have two DCs, let's assume DCA and DCB, and a QinQ link has been set up between the two. All the VLANs are going across that link, and HSRP is using VLAN 10 and the same group 10 on both sites. We don't want to change either the group or the VLAN.

Please let me know your thoughts on this and feel free to ask for more information.

Thank you in advance

5 Replies

daniel.dib
Level 7

What about using a Port ACL blocking packets to 224.0.0.2?

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.

jamie.grive
Level 1

Is there somewhere convenient you could apply a VACL to filter out multicast traffic from 0000.0c07.ac0a (the group 10 MAC in your case)?

! Match frames sourced from the HSRP group 10 virtual MAC (mask-less entries need the host keyword)
mac access-list extended BLOCK-HSRP
 permit host 0000.0c07.ac0a any
!
! Sequence 10 drops the matched frames, sequence 20 forwards everything else
vlan access-map VACL 10
 match mac address BLOCK-HSRP
 action drop
vlan access-map VACL 20
 action forward
!
vlan filter VACL vlan-list 10

Many thanks for your replies. We will try to apply the access-map in our scenario and see if it makes any difference, but we want to test it first in a lab environment. Unfortunately, GNS3 doesn't treat the switches well, so I am wondering whether we will be able to apply the access-map in GNS3.

The closest you can get to switches in GNS3 is the NM-16ESW in the 3725 router, but you still have a lot of features missing, one of them being VACLs.

Hi Jamie

I am actually the friend on whose behalf Muhammad posted this.

I have finally managed to get this working with proper hardware, to overcome the limitations of emulated equipment. The VACL would have been a good idea, but it would probably also have blocked the legitimate HSRP traffic between Switch 1 and Switch 2 at Site A (and also at Site B). So really it had to be done with IP-based ACLs on the trunk link itself.

I can't have the ACLs in an outgoing direction, so I guess I'll have to live with the superfluous traffic going across the link, but using the ACL (as suggested by Daniel):

! HSRP hellos are UDP, source and destination port 1985, sent to 224.0.0.2
access-list 101 deny tcp any eq 1985 host 224.0.0.2
access-list 101 deny udp any eq 1985 host 224.0.0.2
access-list 101 permit ip any any

If this is placed at both ends of the trunk, the HSRP messages from one side don't "override" the settings on the other side. I'm still seeing the traffic, but that's something I'll have to live with...

Thanks

Stuart
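The three approaches in this thread (Daniel's port ACL on 224.0.0.2, Jamie's MAC-based VACL, and Stuart's access-list 101 on the trunk) differ mainly in where the filter is evaluated. The following is an added example, not code from anyone in the thread: it builds constructed HSRPv1 hello frames (RFC 2281 layout, default "cisco" authentication) and evaluates them against a model of the VACL and of access-list 101, once applied to the whole VLAN and once applied inbound on the trunk port only. Interface names, router IPs and the standby router's burned-in MAC are made-up values; the behaviour that the active router sources its hellos from the virtual MAC while the standby uses its own MAC is standard HSRPv1 behaviour and is what makes the VACL catch local traffic as well.

```python
"""Why a VACL on VLAN 10 and an ACL on the trunk port filter HSRP differently.

Added example (not from the thread). Constructed HSRPv1 hellos are checked
against a model of Jamie's MAC VACL and Stuart's access-list 101 at the two
placements discussed: on the whole VLAN, or inbound on the inter-site trunk.
"""
import socket
import struct

HSRP_GROUP = 10
HSRP_VMAC = bytes.fromhex("00000c07ac0a")        # 0000.0c07.ac0a = HSRPv1 virtual MAC, group 10
ALL_ROUTERS_MAC = bytes.fromhex("01005e000002")  # L2 mapping of 224.0.0.2
ALL_ROUTERS_IP = "224.0.0.2"
HSRP_PORT = 1985
STATE_STANDBY, STATE_ACTIVE = 8, 16


def build_hsrp_hello(src_mac, src_ip, state, priority=100, vip="10.10.10.1"):
    """Constructed HSRPv1 hello (RFC 2281) inside UDP/IPv4/Ethernet.
    The active router sources hellos from the virtual MAC; a standby router
    sources them from its own burned-in MAC, hence src_mac is a parameter."""
    hsrp = struct.pack("!8B", 0, 0, state, 3, 10, priority, HSRP_GROUP, 0)
    hsrp += b"cisco\x00\x00\x00" + socket.inet_aton(vip)   # default auth + virtual IP
    udp = struct.pack("!HHHH", HSRP_PORT, HSRP_PORT, 8 + len(hsrp), 0) + hsrp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(ALL_ROUTERS_IP)) + udp
    return ALL_ROUTERS_MAC + src_mac + b"\x08\x00" + ip


def parse(frame):
    """Decode the fields the filters in the thread key on; None if not IPv4."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], frame[12:14]
    if ethertype != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    pkt = {"src_mac": src_mac.hex(), "dst_mac": dst_mac.hex(), "proto": proto,
           "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20])}
    if proto in (6, 17):  # TCP or UDP: ports sit at the same offsets
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == 17 and pkt["dport"] == HSRP_PORT:
        h = ip[ihl + 8:]  # HSRP header follows the 8-byte UDP header
        pkt.update(hsrp_state=h[2], hsrp_priority=h[5], hsrp_group=h[6])
    return pkt


def acl_101(pkt):
    """Stuart's IP ACL. Returns (action, line) so the matched entry is visible."""
    if pkt["proto"] == 6 and pkt.get("sport") == 1985 and pkt["dst_ip"] == ALL_ROUTERS_IP:
        return "deny", 1          # never matches HSRP: HSRP is UDP only
    if pkt["proto"] == 17 and pkt.get("sport") == 1985 and pkt["dst_ip"] == ALL_ROUTERS_IP:
        return "deny", 2
    return "permit", 3


def vacl_block_hsrp(pkt):
    """Jamie's VACL: drop frames sourced from the group 10 virtual MAC."""
    return "drop" if pkt["src_mac"] == HSRP_VMAC.hex() else "forward"


# Constructed traffic as seen on VLAN 10 at Site A: (ingress port, frame).
# Port names, IPs and the standby router's MAC are made-up values.
SITE_A_TRAFFIC = [
    ("Gi1/0/1 (SW1, active)", build_hsrp_hello(HSRP_VMAC, "10.10.10.2", STATE_ACTIVE, 110)),
    ("Gi1/0/2 (SW2, standby)", build_hsrp_hello(bytes.fromhex("00aabbcc0002"), "10.10.10.3", STATE_STANDBY, 100)),
    ("Gi1/0/48 (QinQ trunk)", build_hsrp_hello(HSRP_VMAC, "10.10.10.4", STATE_ACTIVE, 120)),
]


def dropped_by_placement(traffic=SITE_A_TRAFFIC, trunk_port="Gi1/0/48 (QinQ trunk)"):
    """Compare the two placements from the thread.

    'vacl_vlan10': the VACL is applied with `vlan filter ... vlan-list 10`, so
    every frame on the VLAN is evaluated regardless of ingress port.
    'trunk_acl':   access-list 101 applied inbound on the trunk port only, so
    hellos exchanged between the local switches are never examined.
    """
    vacl, trunk = [], []
    for port, frame in traffic:
        pkt = parse(frame)
        if vacl_block_hsrp(pkt) == "drop":
            vacl.append(port)
        if port == trunk_port and acl_101(pkt)[0] == "deny":
            trunk.append(port)
    return {"vacl_vlan10": vacl, "trunk_acl": trunk}


if __name__ == "__main__":
    for placement, dropped in dropped_by_placement().items():
        print(f"{placement}: drops hellos arriving on {dropped}")
```

Run stand-alone, the model shows the point Stuart made: the VACL drops the local active router's hellos along with the remote site's (both are sourced from 0000.0c07.ac0a), so the local standby would stop hearing its peer, whereas the inbound ACL on the trunk port touches only frames arriving from the other site. It also makes visible that the `deny tcp` line in access-list 101 is never the matching entry, since HSRP only ever uses UDP.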
