HSRP with Vlan Maps

ciscona728
Level 1

Hello,

I was tasked to filter traffic on my network, which consists of the following:

2 x Distros and a bunch of access switches.

I'm running HSRP on my VLANs, which works great, but I have to filter outbound traffic from accessing certain things.  For example, I would allow my local network to talk to another network, then deny any any.  The issue exists when I apply my VLAN access-map to a particular VLAN.  For whatever reason HSRP stops working and both SVIs on the two distros become active.  I tried VLAN access maps and I've tried to apply the ACL directly to the SVI, with the same results.

My config looks like the following:

SW1

int vlan 10
 ip add 192.168.1.2 255.255.255.0
 standby 10 ip 192.168.1.1
 standby 10 preempt
 standby 10 priority 110

ip access-list extended vlan_filter
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny ip any any

vlan access-map Filter
 match ip address vlan_filter
 action forward

vlan filter Filter vlan-list 10

SW2

int vlan 10
 ip add 192.168.1.3 255.255.255.0
 standby 10 ip 192.168.1.1
 standby 10 preempt

ip access-list extended vlan_filter
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny ip any any

vlan access-map Filter
 match ip address vlan_filter
 action forward

vlan filter Filter vlan-list 10

When I apply that config to both switches, HSRP doesn't work at all.  If anyone has any suggestions please let me know.

Thanks in advance

Accepted Solution

Shashank Singh
Cisco Employee

Hi,

It seems that the HSRP hellos are being blocked by the ACLs. HSRP hellos are sent on multicast address 224.0.0.2 and seem to be blocked by the deny statement in the ACL.

Try adding "permit ip any 224.0.0.2 0.0.0.0" as a statement in the ACL applied on the SVI to permit hellos between the HSRP peers.

Hope this helps,

Shashank

Please rate if you found the content useful
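To see exactly why the final deny catches the hellos, here is an added example (not from this thread and not Cisco code) that models IOS extended-ACL matching in Python: wildcard-mask comparison, first-match-wins, and the implicit deny at the end. It runs the poster's vlan_filter entries, and the version with Shashank's fix prepended, against a constructed HSRPv1 hello (source = SW1's SVI address 192.168.1.2, destination 224.0.0.2; HSRP carries hellos over UDP port 1985) and a few constructed host flows. The sample addresses that are not in the thread (192.168.1.50, 172.16.3.4, 10.1.10.9, 203.0.113.10) are made up for the demonstration. One check worth doing before applying the fix: if the SVIs are running HSRP version 2, hellos go to 224.0.0.102 rather than 224.0.0.2, so the permit has to name that group instead.

```python
"""Simulate IOS extended-ACL evaluation against HSRP hellos and host flows.

Added example for this thread (not the poster's config and not Cisco code).
It models the `vlan_filter` ACL from the question and the accepted fix.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & MASK32  # bits that must match exactly
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One access-control entry; all entries in the thread are 'ip', so no ports."""
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def evaluate(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; a packet that matches nothing is implicitly denied."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


# 'any' is 0.0.0.0 255.255.255.255; 'host X' is X 0.0.0.0.
ANY, ANY_WC = "0.0.0.0", "255.255.255.255"

# The poster's ACL as written in the question.
ORIGINAL = [
    Ace("permit", "192.168.1.0", "0.0.0.255", "172.16.0.0", "0.0.255.255"),
    Ace("permit", "192.168.1.0", "0.0.0.255", "10.1.10.0", "0.0.0.255"),
    Ace("deny", ANY, ANY_WC, ANY, ANY_WC),
]

# The accepted fix: permit the HSRPv1 hello group ahead of the deny.
# (HSRP version 2 uses 224.0.0.102 instead; check `show standby` before applying.)
FIXED = [Ace("permit", ANY, ANY_WC, "224.0.0.2", "0.0.0.0")] + ORIGINAL

# Constructed flows. The hello is SW1's SVI (192.168.1.2, from the thread)
# talking to the HSRPv1 group; the other hosts are made-up addresses.
FLOWS = {
    "hsrp hello SW1 -> 224.0.0.2": ("192.168.1.2", "224.0.0.2"),
    "hsrp hello SW2 -> 224.0.0.2": ("192.168.1.3", "224.0.0.2"),
    "host -> 172.16.0.0/16": ("192.168.1.50", "172.16.3.4"),
    "host -> 10.1.10.0/24": ("192.168.1.50", "10.1.10.9"),
    "host -> elsewhere": ("192.168.1.50", "203.0.113.10"),
}


def run() -> dict:
    """Return {flow name: (result under ORIGINAL, result under FIXED)}."""
    return {name: (evaluate(ORIGINAL, *f), evaluate(FIXED, *f))
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in run().items():
        print(f"{name:32} original={before:6} fixed={after}")
```

Running it shows the two hellos flipping from deny to permit while every host flow keeps the result the poster intended: the two permitted destinations still pass and the catch-all destination is still dropped. The same first-match logic applies whether the ACL is on the SVI or referenced from a VLAN access-map; either way the hello falls through to a deny until the multicast group is permitted explicitly.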


3 Replies

Thanks Shashank, that worked like a charm.

Thanks for the update. Glad that it worked for you.

Cheers!

Shashank
