Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
901
Views
1
Helpful
5
Replies

"NX OSv 9K" HSRP isolation not working on DCI link

Go to solution
Jay47110
Level 1
Level 1

‎03-13-2023 04:15 AM

Hi,

I'm labbing a DCI setup according to the topology diagram below. Each DC has its own VPC domain. The 9Ks act as default gateways for internal VLANs.

I want to Isolate HSRP between DCs, so I can have the same HSRP VIP active on both DCs. I am using HSRP Version 2.

Jay47110_0-1678705122859.png

 

I have used this Cisco Article as guide : Configure a Layer 2 vPC Data Center Interconnect on a Nexus 7000 Series Switch - Cisco
And have applied the following config for isolation:

ip access-list DENY_HSRP_IP
  10 deny udp any 224.0.0.2/32 eq 1985
  20 deny udp any 224.0.0.102/32 eq 1985 
  30 permit ip any any 

interface <DCI-Port-Channel>
  ip port access-group DENY_HSRP_IP in
  
interface Vlan <x>
  no ip arp gratuitous hsrp duplicate

Above config is applied as an "L2 port access-list" to all Nx9K DCI port-channels, but I am still seeing HSRP hellos being received across DCI. Seems like the multicast traffic is bypassing the port access-list. Could there be a restriction in Nx OSv causing this behaviour?

 

Kind regards

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Christopher Hart
Cisco Employee
Cisco Employee

‎03-13-2023 05:41 AM

Hi Jay!

Nexus 9000v virtual switches do not support either routed access-lists (sometimes called "RACLs") applied to an L3 interface or port access-lists (sometimes called "PACLs") applied to an L2 interface. Although the CLI may let you apply a RACL/PACL to an interface, the feature itself is not supported at this time.

You can find a full list of supported features on Nexus 9000v virtual switches under the "Nexus 9000v Feature Support" heading of the Cisco Nexus 9000v (9300v/9500v) Guide document for your relevant NX-OS software release. If a feature is not in this list, then it is not supported, and thus the feature's behavior may be unpredictable or non-functional if configured.

I hope this helps - thank you!

-Christopher

View solution in original post

5 Replies 5

Go to solution
Christopher Hart
Cisco Employee
Cisco Employee

‎03-13-2023 05:41 AM

Hi Jay!

Nexus 9000v virtual switches do not support either routed access-lists (sometimes called "RACLs") applied to an L3 interface or port access-lists (sometimes called "PACLs") applied to an L2 interface. Although the CLI may let you apply a RACL/PACL to an interface, the feature itself is not supported at this time.

You can find a full list of supported features on Nexus 9000v virtual switches under the "Nexus 9000v Feature Support" heading of the Cisco Nexus 9000v (9300v/9500v) Guide document for your relevant NX-OS software release. If a feature is not in this list, then it is not supported, and thus the feature's behavior may be unpredictable or non-functional if configured.

I hope this helps - thank you!

-Christopher

Go to solution
Jay47110
Level 1
Level 1
In response to Christopher Hart

‎03-13-2023 06:48 AM

Thanks Chris,

Appreciate your help. 

Kind regards

0 Helpful

Go to solution
rais
Level 7
Level 7

‎03-13-2023 06:26 AM

Ain't better to use a routing protocol?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎03-13-2023 06:44 AM

are the PO port member is Pending ??

0 Helpful

Go to solution
mlund
Level 7
Level 7

‎03-14-2023 03:25 AM

Try to use passwords for the hsrp, different password for each side.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card