Controlling HSRP and OSPF traffic

Hi,

We run HSRP and OSPF on our network. When I do a network sniff from a client, I can see the HSRP multicast traffic, and I can also see the OSPF advertisements.

Is it possible to filter these packets off client interfaces?

What's the best way of doing this?

Cheers,

Ben

1 Accepted Solution

Ben

You can configure multicast blocking on individual ports on your switch - see attached link for configuration example.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a008081dfa8.html#wp1087814

I have not actually used this feature so I would suggest testing it if you can before implementing it onto a live system. Be aware that it blocks all multicast so only you will know whether this is acceptable or not.

Let me know how you get on

Jon

10 Replies

Jon Marshall
Hall of Fame

Hi Ben

Normally with multicast traffic you can turn on IGMP snooping on your switch and this will stop multicast being sent to all ports.

But with HSRP and OSPF even with IGMP snooping they still wouldn't be filtered. These are not the only groups that can't be filtered - anything with 224.0.0.x is the same.

Some switches do have commands to block multicast on ports - what type of switch do you have and what IOS version?

Jon
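
An added example (not part of the original thread or of Cisco's documentation): a small Python check for confirming, from a capture taken on a client port before and after a change such as the port-level multicast blocking discussed in this thread, whether HSRP and OSPF multicast still reaches clients. The CSV layout and the sample addresses are constructed for illustration; UDP port 1985 for HSRP and IP protocol 89 for OSPF are the protocols' standard values.

```python
import csv
import io
import ipaddress
from collections import Counter

# 224.0.0.0/24 is the link-local "Local Network Control Block"; as the post
# above notes, IGMP snooping does not prune these groups.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

OSPF_PROTO = 89      # OSPF runs directly over IP protocol 89
UDP_PROTO = 17
HSRP_PORT = 1985     # HSRP hellos use UDP port 1985

# Constructed sample: src,dst,ip_proto,udp_dst_port (empty when not UDP).
SAMPLE_CAPTURE = """\
10.1.1.2,224.0.0.2,17,1985
10.1.1.3,224.0.0.2,17,1985
10.1.1.2,224.0.0.5,89,
10.1.1.2,224.0.0.6,89,
10.1.1.50,239.255.255.250,17,1900
10.1.1.50,10.1.1.1,17,53
10.1.1.2,224.0.0.102,17,1985
"""

def classify(dst, proto, port):
    """Return a label for one packet, or None if it is not multicast."""
    addr = ipaddress.ip_address(dst)
    if not addr.is_multicast:
        return None
    if proto == OSPF_PROTO:
        return "ospf"
    if proto == UDP_PROTO and port == HSRP_PORT:
        return "hsrp"
    if addr in LINK_LOCAL_MCAST:
        return "other-link-local"
    return "routable-multicast"

def audit(capture_text):
    """Count multicast packets per label and list the routers heard."""
    counts, speakers = Counter(), set()
    for src, dst, proto, port in csv.reader(io.StringIO(capture_text)):
        label = classify(dst, int(proto), int(port) if port else None)
        if label is None:
            continue
        counts[label] += 1
        if label in ("ospf", "hsrp"):
            speakers.add(src)
    return counts, sorted(speakers)

if __name__ == "__main__":
    counts, speakers = audit(SAMPLE_CAPTURE)
    print(dict(counts), speakers)
```

Run against a capture taken after the change, zero `ospf` and `hsrp` counts indicate the client port no longer sees the routers' hellos; a drop in `routable-multicast` shows what else the block removed.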

Hi Jon,

Thanks for getting back to me.

I'm using C3750G Series with Advanced IP Services. IOS version is 12.2(37)SE - so fairly recent.

Ben

Jon,

Thanks very much for the information. After giving this some thought - although we don't use multicast for anything on our network yet - it's only a matter of time.

I think I will live with the traffic. It's not giving away anything particularly sensitive about the network.

I've bookmarked that link you sent me though for future reference.

Thanks for your help.

Hi Jon,

AFAIK "switchport block multicast" blocks unknown multicast forwarding out of the port. Will this block the OSPF multicast? It would be really interesting.

HTH,

Mohammed Mahmoud.

Hi Mohammed

As I said, I haven't actually used this feature but I think I'll log onto our lab this afternoon and try it.

I'll let you know how I get on.

By the way, how's the CCIE study going?

Jon

Hi Jon,

I can't remember who I was before I started preparing for the lab :) I am trying to load share my time between working and studying (and thanks to my wife and kid for not compromising the bandwidth :) and for sure they'll get compensation after I finish my lab). Anyway, it's kind of fun, and it's going fine, thank God.

Thank you Jon for asking, and I am really eager to know the results of your test.

Take care and have a nice day :)

BR,

Mohammed Mahmoud.

kspinks
Level 1

You can filter your OSPF packets from the user interfaces by putting the interfaces in passive mode using "passive-interface default", then use "no passive-interface gix/x" for the ones you want the OSPF packets to go out.

Ken,

Be careful with making such a suggestion. Enabling passive-interface will break the OSPF adjacencies since hello packets won't be sent.

Edison Ortiz
Hall of Fame

You can change the OSPF transport from multicast to unicast by using the neighbor command under the OSPF process.

It can be painful if you have a lot of OSPF neighbors but this will reduce the multicast traffic, if that's a problem for you.

Sorry, I don't have an answer for HSRP.