Transparent bridge - traffic filtering

Unanswered Question
Sep 12th, 2007
User Badges:


I have a big bridged network (transparent bridging over GRE). Almost 100 sites are connected to one router. I would like to prevent broadcast, multicast etc. traffic to flow back to the other tunnels. I need to get the traffic to folw into one direction. Is it possible to filter the traffic?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
lgijssel Wed, 09/12/2007 - 03:44
User Badges:
  • Red, 2250 points or more

Looks like you are in urgent need of a network redesign.

Transferring from a bridged to a routed environment will solve your problem and give a much better overall performance without the need for filters.



GombasPeter Wed, 09/12/2007 - 04:13
User Badges:

Hello Leo,

Thanks for the reply. I would love to route the traffic but there is a special application on a cetnral server which was designed for bridged environment. So I need to bridge over a routed environment and I would like to minimize the traffic.


lgijssel Wed, 09/12/2007 - 04:33
User Badges:
  • Red, 2250 points or more

In that case, you should look at only allowing traffic that is needed for this application over the bridges.

Show us some config and details about your requirements.

Does this application run on top of IP?



GombasPeter Wed, 09/12/2007 - 04:54
User Badges:

That is what I am looking for. I have at about 100 sites connecting to a central router via GRE tunnel. On the remote site I put the LAN interface and the GRE tunnel into one bridge-group. On the central site I put the GRE interfaces and the interface to the server also to one bridge group. So I got a huge bridged network, which works, except of the huge overhead generated on the router. I need to filter broadcast, multicast eg. traffic to go from one tunnel to all the others.

The software itself has its own DHCP server, so I can not filter too much on the remote end.

What I need is to prevent layer 2 broadcast traffic to go into any of the GRE tunnels at the central site as the software will send unicast traffic.

The configuration is quite simple, just IRB and GRE is configured for this traffic. CDP, keepalives, spanning-tree is disabled, to lower the overhead.

GombasPeter Wed, 09/12/2007 - 05:17
User Badges:

Unfortunately I can not configure that kind of access list on a GRE interface and I am using a 2811 router. I was thinking on subscriber-policy commands but at the moment I don't know how would they help.

lgijssel Wed, 09/12/2007 - 05:21
User Badges:
  • Red, 2250 points or more

I think you should configure this on the bridge interface on the LAN where your server resides.

Posting the config would really help.


paul.matthews Wed, 09/12/2007 - 07:02
User Badges:
  • Silver, 250 points or more

On the lan interface you need somthing like;

acce 1101 pe 0000.0000.0000 ffff.ffff.ffff 0012.3456.7890 0000.0000.0000

acce 1101 pe 0000.0000.0000 ffff.ffff.ffff 0012.3456.7891 0000.0000.0000

etc adding the addresses of the central application servers.

int fe0/1

bridge-group 1 input-address-list 1101

The smaller the access lists, the easier they are to manage - if you had cards from a different vendor in the servers you may be able to filter just on the manufacturers prefix, though that may permit a little more traffic. If the addresses were close together, you could tighten up quite a bit.



This Discussion