
HSRP Multicast packet received on incorrect interface

mandarkulkarni1
Level 1

I am receiving HSRP multicast packets on my firewall interface, and in turn the firewall is dropping them.

I have a Nexus switch connected through VPC in a point-to-point manner, and I am not sure why traffic is going to the firewall interface, with the firewall in turn dropping that packet.

How can we check which link the HSRP multicast packet is using?

1 Reply

Andrea Testino
Cisco Employee

Hi there,

I would imagine in your Nexus setup, it's SVIs that are configured with HSRP as opposed to physical L3 interfaces, correct?

If so, and your connection between the Nexus pair and the firewall is L2, the Nexus will be flooding HSRP Multicast Hellos on the allowed VLANs for said switchport for which it has a corresponding SVI in HSRP. This is normal and expected behavior.

To illustrate:

+----------+
|  FW      |
+----+-----+
     |
     |  L2
     |
+----+-----+  VPC Peer-L +----------+
| Nexus 1  +-------------+ Nexus 2  |
+----+-----+             +----------+
     |
     | L2 Trunk
     |
+----+-----+
| Catalyst |
+----------+

In the above setup, if I have "interface vlan 10" configured on both Nexus, and HSRP group 10 under this SVI's configuration, the Nexus will send the HSRP Multicast Hello looking for other HSRP routers in VLAN 10 out of all Layer 2 ports which are in an STP Forwarding State for VLAN 10. This means that both the Firewall and the Catalyst will receive these HSRP Hellos, as well as the other Nexus peer.

Hope that helps.

- Andrea

- Andrea, CCIE #56739 R&S
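
A hello that reaches the firewall carries its own VLAN tag, source MAC and HSRP group, so a capture on the firewall-facing port shows which SVI it belongs to. The following is an added example, not part of the original thread: it decodes an HSRPv1 message (RFC 2281 layout) from raw frame bytes. It assumes HSRP version 1, and the sample frame, VLAN 10, group 10 and the 192.0.2.x addresses are constructed.

```python
import ipaddress
import struct

STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}

def parse_hsrp_v1(frame):
    """Decode an HSRPv1 message from raw Ethernet bytes; None if it is not one."""
    if len(frame) < 14:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag (trunk capture)
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 17:  # IPv4/UDP only
        return None
    udp = off + ihl
    if len(frame) < udp + 28:  # 8-byte UDP header + 20-byte HSRPv1 message
        return None
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != 1985:  # HSRP UDP port
        return None
    ver, op, state, _hello, _hold, prio, group, _rsvd = frame[udp + 8:udp + 16]
    if ver != 0:  # 0 = HSRPv1; HSRPv2 uses a different (TLV) layout
        return None
    return {
        "vlan": vlan,  # None when the capture point is an untagged/access port
        "src_mac": src_mac,
        "from_virtual_mac": src_mac.startswith("00:00:0c:07:ac:"),  # v1 virtual MAC
        "src_ip": str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
        "opcode": OPCODES.get(op, op),
        "state": STATES.get(state, state),
        "priority": prio,
        "group": group,
        "virtual_ip": str(ipaddress.IPv4Address(frame[udp + 24:udp + 28])),
    }

def sample_frame(vlan=10, group=10):
    """Constructed frame (not a real capture): tagged hello from the active router."""
    eth = bytes.fromhex("01005e000002" "00000c07ac") + bytes([group])
    tag = struct.pack("!HHH", 0x8100, vlan, 0x0800)
    hsrp = bytes([0, 0, 16, 3, 10, 100, group, 0]) + b"cisco\0\0\0" + bytes([192, 0, 2, 1])
    udp = struct.pack("!HHHH", 1985, 1985, 8 + len(hsrp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(udp) + len(hsrp), 0, 0, 1,
                     17, 0, bytes([192, 0, 2, 2]), bytes([224, 0, 0, 2]))
    return eth + tag + ip + udp + hsrp
```

Calling `parse_hsrp_v1(sample_frame())` returns the VLAN, group, state and sender of the constructed hello; fed frames exported from a capture, the `vlan` and `src_mac` fields identify the SVI and router that originated each one.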