08-02-2007 12:13 AM - edited 03-05-2019 05:39 PM
Hi,
We run HSRP and OSPF on our network. When I do a network sniff from a client, I can see the HSRP multicast traffic, and I can also see the OSPF advertisements.
Is it possible to filter these packets off client interfaces?
What's the best way of doing this?
Cheers,
Ben
08-02-2007 01:41 AM
Ben
You can configure multicast blocking on individual ports on your switch - see attached link for configuration example.
I have not actually used this feature so I would suggest testing it if you can before implementing it on to a live system. Be aware that it blocks all multicast so only you will know whether this is acceptable or not.
Let me know how you get on
Jon
08-02-2007 01:27 AM
Hi Ben
Normally with multicast traffic you can turn on IGMP snooping on your switch and this will stop multicast being sent to all ports.
But with HSRP and OSPF even with IGMP snooping they still wouldn't be filtered. These are not the only groups that can't be filtered - anything with 224.0.0.x is the same.
Some switches do have commands to block multicast on ports - what type of switch do you have and what IOS version?
Jon
08-02-2007 01:30 AM
Hi Jon,
Thanks for getting back to me.
I'm using C3750G Series with Advanced IP Services. IOS version is 12.2(37)SE - so fairly recent.
Ben
08-02-2007 01:48 AM
Jon,
Thanks very much for the information. After giving this some thought - although we don't use Multicast for anything on our network yet - it's only a matter of time.
I think I will live with the traffic. It's not giving away anything particularly sensitive about the network.
I've bookmarked that link you sent me though for future reference.
Thanks for your help.
08-02-2007 03:38 AM
Hi Jon,
AFAIK "switchport block multicast" blocks unknown multicast forwarding out of the port, will this block the OSPF multicast, it would be really interesting.
HTH,
Mohammed Mahmoud.
08-02-2007 04:08 AM
Hi Mohammed
As I said I haven't actually used this feature but I think I'll log onto our lab this afternoon and try it.
I'll let you know how I get on.
By the way how's the CCIE study going ?
Jon
08-02-2007 04:21 AM
Hi Jon,
I can't remember who I was before starting preparing for the lab :) I am trying to load share my time between Working and Studying (and thanks to my wife and kid for not compromising the bandwidth :) and for sure they'll get compensation after I finish my lab), anyway it's kind of fun, and it's going fine thanks God.
Thank you Jon for asking, and I am really eager to know the results of your test.
Take care and have a nice day :)
BR,
Mohammed Mahmoud.
08-02-2007 08:37 AM
You can filter your OSPF packets from the user interfaces by putting the interfaces in passive mode using "passive-interface default", then use "no passive-interface gix/x" for the ones you want the OSPF packets to go out.
08-02-2007 08:53 AM
Ken,
Be careful with making such a suggestion. Enabling passive-interface will break the OSPF adjacencies since hello packets won't be sent.
08-02-2007 08:44 AM
You can change the OSPF transport from multicast to unicast by using the neighbor command under the OSPF process.
It can be painful if you have a lot of OSPF neighbors but this will reduce the multicast traffic, if that's a problem for you.
Sorry, I don't have an answer for HSRP.
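As an added illustration that is not from any of the posters above, this is how the two suggestions in the thread (suppress OSPF hellos on user-facing interfaces, and block multicast on client access ports) would be combined on a 3750 stack. OSPF process 1, the user SVIs, uplink GigabitEthernet1/0/49 and access ports 1-48 are assumptions.

```cisco
! Added example, not from the thread. Process id, VLANs and interface names are assumed.
router ospf 1
 ! Stop hellos on every interface by default: user VLAN SVIs no longer source
 ! 224.0.0.5 traffic, but their connected prefixes are still advertised.
 passive-interface default
 ! Re-enable hellos only where real OSPF neighbors sit (the uplink), so the
 ! adjacencies warned about above are preserved.
 no passive-interface GigabitEthernet1/0/49
!
! Per-port multicast blocking on the client access ports (Jon's suggestion).
! This drops all multicast flooding on those ports, so test it in a lab first.
interface range GigabitEthernet1/0/1 - 48
 switchport block multicast
!
! Check: a user SVI should report "No Hellos (Passive interface)".
! show ip ospf interface Vlan10
! Check: the uplink should still list its neighbor.
! show ip ospf neighbor
```

Run the two show commands before and after the change so any lost adjacency on the uplink is caught immediately.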