Transparent bridge - traffic filtering

GombasPeter
Level 1

Hello,

I have a big bridged network (transparent bridging over GRE). Almost 100 sites are connected to one router. I would like to prevent broadcast, multicast, etc. traffic from flowing back to the other tunnels. I need the traffic to flow in one direction only. Is it possible to filter the traffic?

8 Replies

lgijssel
Level 9

Looks like you are in urgent need of a network redesign.

Transferring from a bridged to a routed environment will solve your problem and give a much better overall performance without the need for filters.

regards,

Leo

Hello Leo,

Thanks for the reply. I would love to route the traffic, but there is a special application on a central server which was designed for a bridged environment. So I need to bridge over a routed environment and I would like to minimize the traffic.

Thanks

In that case, you should look at only allowing traffic that is needed for this application over the bridges.

Show us some config and details about your requirements.

Does this application run on top of IP?

regards,

Leo

That is what I am looking for. I have about 100 sites connecting to a central router via GRE tunnel. On the remote site I put the LAN interface and the GRE tunnel into one bridge-group. On the central site I put the GRE interfaces and the interface to the server also into one bridge-group. So I got a huge bridged network, which works, except for the huge overhead generated on the router. I need to filter broadcast, multicast, etc. traffic from going from one tunnel to all the others.

The software itself has its own DHCP server, so I can not filter too much on the remote end.

What I need is to prevent layer 2 broadcast traffic from going into any of the GRE tunnels at the central site, as the software will send unicast traffic.

The configuration is quite simple; just IRB and GRE are configured for this traffic. CDP, keepalives and spanning-tree are disabled to lower the overhead.

Perhaps you can do something with this link:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml#sample_config

It describes how to set up mac access-lists. Perhaps you can start by allowing only traffic originating from the source-mac of your server.

regards,

Leo

Unfortunately I cannot configure that kind of access list on a GRE interface, and I am using a 2811 router. I was thinking of subscriber-policy commands, but at the moment I don't know how they would help.

I think you should configure this on the bridge interface on the LAN where your server resides.

Posting the config would really help.

Leo

paul.matthews
Level 5

On the LAN interface you need something like:

! Extended MAC access list (1100-1199): any source MAC, destination = one application server
! In these lists a mask bit of 1 means "don't care", so 0000.0000.0000 ffff.ffff.ffff matches any address
access-list 1101 permit 0000.0000.0000 ffff.ffff.ffff 0012.3456.7890 0000.0000.0000
access-list 1101 permit 0000.0000.0000 ffff.ffff.ffff 0012.3456.7891 0000.0000.0000

etc., adding the addresses of the central application servers.

interface FastEthernet0/1
 bridge-group 1 input-address-list 1101

The smaller the access lists, the easier they are to manage. If you had cards from a different vendor in the servers you may be able to filter just on the manufacturer's prefix, though that may permit a little more traffic. If the addresses were close together, you could tighten up quite a bit.

Paul.
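
As an added example (not part of Paul's post or of Cisco's documentation), a small Python helper that generates the access-list 1101 permit lines above from a list of server MACs and, following Paul's remark about close-together addresses, computes the tightest single wildcard mask that covers them and how many extra addresses that collapsed entry would admit. The list number and the MAC addresses are constructed sample values.

```python
"""Generate Cisco IOS extended MAC access-list (1100-1199) entries permitting
frames from any source to a set of application-server MACs, and work out how
far a single wildcard-mask entry could be tightened.  In these lists a mask
bit of 1 means "don't care": ffff.ffff.ffff matches any address, and
0000.0000.0000 requires an exact match.  All MACs used here are constructed."""

import re

_MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(mac: str) -> int:
    """Parse dotted-hex IOS notation (0012.3456.7890) into an integer."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"expected dotted-hex MAC like 0012.3456.7890, got {mac!r}")
    return int(mac.replace(".", ""), 16)


def int_to_mac(value: int) -> str:
    """Render a 48-bit integer back into dotted-hex IOS notation."""
    hexstr = f"{value & 0xFFFFFFFFFFFF:012x}"
    return f"{hexstr[0:4]}.{hexstr[4:8]}.{hexstr[8:12]}"


def covering_mask(macs):
    """Tightest single (base, wildcard) pair matching every listed address:
    each bit position where two addresses differ becomes a don't-care bit."""
    values = [mac_to_int(m) for m in macs]
    wildcard = 0
    for v in values[1:]:
        wildcard |= values[0] ^ v
    return int_to_mac(values[0] & ~wildcard), int_to_mac(wildcard)


def extra_addresses(macs) -> int:
    """How many addresses beyond the listed ones the collapsed entry admits
    (the "may permit a little more traffic" trade-off)."""
    _, wildcard = covering_mask(macs)
    return 2 ** bin(mac_to_int(wildcard)).count("1") - len(set(macs))


def render_acl(number: int, macs, collapse: bool = False):
    """One permit line per server, or a single collapsed line if collapse=True.
    Source any, destination the server(s); the list's implicit deny drops the rest."""
    if not 1100 <= number <= 1199:
        raise ValueError("extended MAC access lists are numbered 1100-1199")
    if collapse:
        dests = [covering_mask(macs)]
    else:
        dests = [(int_to_mac(mac_to_int(m)), "0000.0000.0000") for m in macs]
    return [f"access-list {number} permit 0000.0000.0000 ffff.ffff.ffff {d} {w}"
            for d, w in dests]
```

Run `render_acl(1101, servers)` for the exact per-server lines, or `render_acl(1101, servers, collapse=True)` together with `extra_addresses(servers)` to judge whether one masked entry is tight enough.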
