09-12-2007 03:40 AM - edited 03-05-2019 06:25 PM
Hello,
I have a big bridged network (transparent bridging over GRE). Almost 100 sites are connected to one router. I would like to prevent broadcast, multicast, etc. traffic from flowing back to the other tunnels. I need to get the traffic to flow in one direction. Is it possible to filter the traffic?
09-12-2007 03:44 AM
Looks like you are in urgent need of a network redesign.
Transferring from a bridged to a routed environment will solve your problem and give a much better overall performance without the need for filters.
regards,
Leo
09-12-2007 04:13 AM
Hello Leo,
Thanks for the reply. I would love to route the traffic, but there is a special application on a central server which was designed for a bridged environment. So I need to bridge over a routed environment, and I would like to minimize the traffic.
Thanks
09-12-2007 04:33 AM
In that case, you should look at only allowing traffic that is needed for this application over the bridges.
Show us some config and details about your requirements.
Does this application run on top of IP?
regards,
Leo
09-12-2007 04:54 AM
That is what I am looking for. I have about 100 sites connecting to a central router via GRE tunnel. On the remote site I put the LAN interface and the GRE tunnel into one bridge-group. On the central site I put the GRE interfaces and the interface to the server into one bridge group as well. So I got a huge bridged network, which works, except for the huge overhead generated on the router. I need to filter broadcast, multicast, etc. traffic going from one tunnel to all the others.
The software itself has its own DHCP server, so I can not filter too much on the remote end.
What I need is to prevent layer 2 broadcast traffic from going into any of the GRE tunnels at the central site, as the software will send unicast traffic.
The configuration is quite simple; just IRB and GRE are configured for this traffic. CDP, keepalives and spanning-tree are disabled to lower the overhead.
09-12-2007 05:06 AM
Perhaps you can do something with this link:
It describes how to set up mac access-lists. Perhaps you can start by allowing only traffic originating from the source-mac of your server.
regards,
Leo
09-12-2007 05:17 AM
Unfortunately I can not configure that kind of access list on a GRE interface, and I am using a 2811 router. I was thinking of subscriber-policy commands, but at the moment I don't know how they would help.
09-12-2007 05:21 AM
I think you should configure this on the bridge interface on the LAN where your server resides.
Posting the config would really help.
Leo
09-12-2007 07:02 AM
On the LAN interface you need something like:
! Extended MAC access list (1100-1199): source mac/mask, then destination mac/mask.
! A 1 bit in the mask means "don't care", a 0 bit must match, so the lines below
! permit any source MAC to exactly the listed destination (server) MAC.
access-list 1101 permit 0000.0000.0000 ffff.ffff.ffff 0012.3456.7890 0000.0000.0000
access-list 1101 permit 0000.0000.0000 ffff.ffff.ffff 0012.3456.7891 0000.0000.0000
etc., adding the addresses of the central application servers.
! A 1100-1199 list (source/destination pairs) is applied with input-pattern-list;
! input-address-list takes a 700-799 source-address-only list instead.
interface FastEthernet0/1
 bridge-group 1 input-pattern-list 1101
The smaller the access lists, the easier they are to manage - if you had cards from a different vendor in the servers, you may be able to filter just on the manufacturer's prefix, though that may permit a little more traffic. If the addresses were close together, you could tighten up quite a bit.
Paul.
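To make the wildcard-mask semantics of these MAC access lists concrete (and the vendor-prefix and "addresses close together" tricks Paul mentions), here is a small Python model of how such a list evaluates frames. It is an added example, not code from this thread or from Cisco IOS: the MAC addresses are constructed, and the matcher simply reproduces the IOS rule that a 1 bit in the mask means "don't care" while a 0 bit must match, with the implicit deny at the end of the list. It goes a little beyond Paul's two lines by also deriving a single entry that covers an OUI prefix or a contiguous block of server addresses.

```python
"""Model of bridge-group style MAC access lists (constructed example)."""

BROADCAST = "ffff.ffff.ffff"
ANY_MASK = "ffff.ffff.ffff"   # every bit is "don't care"
EXACT_MASK = "0000.0000.0000"  # every bit must match
OUI_MASK = "0000.00ff.ffff"    # match only the 24-bit manufacturer prefix


def mac_to_int(mac: str) -> int:
    """'0012.3456.7890' (or colon/dash forms) -> 0x001234567890."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def int_to_mac(value: int) -> str:
    """Inverse of mac_to_int, rendered in IOS dotted-hex notation."""
    s = f"{value:012x}"
    return ".".join(s[i:i + 4] for i in range(0, 12, 4))


def mac_matches(mac: str, addr: str, mask: str) -> bool:
    """IOS wildcard compare: bits set in mask are ignored, the rest must equal."""
    care = ~mac_to_int(mask)
    return (mac_to_int(mac) & care) == (mac_to_int(addr) & care)


def is_group_address(mac: str) -> bool:
    """Multicast/broadcast frames have the I/G bit (LSB of first octet) set."""
    return bool((mac_to_int(mac) >> 40) & 1)


class MacAcl:
    """Ordered (action, src, src_mask, dst, dst_mask) entries, implicit deny."""

    def __init__(self):
        self.entries = []

    def permit(self, src, src_mask, dst, dst_mask):
        self.entries.append(("permit", src, src_mask, dst, dst_mask))
        return self

    def deny(self, src, src_mask, dst, dst_mask):
        self.entries.append(("deny", src, src_mask, dst, dst_mask))
        return self

    def evaluate(self, src: str, dst: str) -> str:
        """First matching entry wins; no match falls through to 'deny'."""
        for action, s, sm, d, dm in self.entries:
            if mac_matches(src, s, sm) and mac_matches(dst, d, dm):
                return action
        return "deny"

    def render(self, number: int) -> list:
        """Emit the entries as IOS-style extended MAC access-list lines."""
        return [f"access-list {number} {a} {s} {sm} {d} {dm}"
                for a, s, sm, d, dm in self.entries]


def server_acl(server_macs) -> MacAcl:
    """Permit any source to each listed server; broadcast/multicast and any
    other destination hit the implicit deny, which is what the thread wants."""
    acl = MacAcl()
    for mac in server_macs:
        acl.permit("0000.0000.0000", ANY_MASK, mac, EXACT_MASK)
    return acl


def oui_entry(mac: str):
    """(addr, mask) covering every address with the same manufacturer prefix."""
    prefix = mac_to_int(mac) & ~mac_to_int(OUI_MASK)
    return int_to_mac(prefix), OUI_MASK


def range_entry(macs):
    """(addr, mask) covering a block of nearby addresses: ignore every bit at
    or below the highest bit in which any two of them differ.  This is what
    'tightening up' on close-together addresses means in mask terms."""
    base = mac_to_int(macs[0])
    diff = 0
    for mac in macs[1:]:
        diff |= mac_to_int(mac) ^ base
    mask = (1 << diff.bit_length()) - 1
    return int_to_mac(base & ~mask), int_to_mac(mask)


if __name__ == "__main__":
    acl = server_acl(["0012.3456.7890", "0012.3456.7891"])
    for line in acl.render(1101):
        print(line)
    client = "0011.2233.4455"
    for dst in ["0012.3456.7890", BROADCAST, "0100.5e00.0001"]:
        print(f"{client} -> {dst}: {acl.evaluate(client, dst)}")
```

The `range_entry` helper shows the trade-off Paul alludes to: a mask that covers 7890 and 7891 also covers nothing else, but one covering 7890 through 7897 would admit addresses you did not list, so check the rendered mask before pasting it into a configuration.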