Transparent IOS firewall - need to restrict HSRP advertisements

jkrawczyk
Level 1

Hi,

I'm building a lab where I have a Cisco 2691 acting as a transparent (bridged) FW between two Cisco 6500 switches. I was successful in bridging VLANs across these two switches, and I have successfully built layer 3 access control lists to control the traffic that needs to be addressed.

However, there's the darn multicast layer two traffic such as HSRP. I don't want HSRP to be shared between these two switches. I can't create a separate standby group because each switch needs to use the same standby IP.

I'm seeking out ideas as to how I can stop the passage of HSRP. There are likely too many MAC addresses associated with HSRP updates, so the method of using a layer 2 ACL might come back and bite me down the road.

Thoughts? Maybe I can block this at the switch port level, keeping this traffic from ever hitting the router?

Regards

Jeff

1 Reply

pblack
Level 1

Jeff,

There are a few different ways to do this. HSRP sends its updates via multicast IP address 224.0.0.2.

Therefore, you should be able to drop all traffic to that address from any interface or vlan via an access-list or vlan-map, depending on where you configure it.

For example, if you were using a vlan-map on a 3550/3560, you'd do the following:

ip access-list extended HSRP
 ! HSRP hellos are sent to 224.0.0.2, so the group must be matched as the destination
 permit ip any host 224.0.0.2
 deny ip any any
!
vlan access-map HSRP-Map 10
 action drop
 match ip address HSRP
! a VLAN map ends with an implicit drop, so everything else must be forwarded explicitly
vlan access-map HSRP-Map 20
 action forward
!
vlan filter HSRP-Map vlan-list 100

The vlan map matches the traffic in the access-list; in this particular scenario, it is permitting 224.0.0.2 to be dropped. In addition, it is denying everything else from being dropped. This only pertains to traffic in vlan 100, which is listed in the vlan-filter.

It seems kind of backwards at first, but once you do it a few times, it'll make sense.

If you wanted to restrict HSRP at the router, just add 'deny ip any host 224.0.0.2' to your access-list on the appropriate interface.

I'm pretty sure this should work. Give it a try and let me know!
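To make the "backwards" VLAN-map logic concrete, here is an added Python model of how a Catalyst VACL evaluates an extended ACL and a VLAN access-map (example code, not from the reply above or from Cisco). It assumes the posted HSRP filter, a constructed VLAN 100 with hosts 10.1.100.2 and 10.1.100.3, and simplified ACE syntax (only `any` and `host`); it also shows two pitfalls, matching the group as the source address and omitting a final `forward` clause, and that HSRPv2 uses a different group (224.0.0.102).

```python
"""Model of Catalyst VACL evaluation: extended ACL + VLAN access-map.
Constructed example; ACL entries are (action, source, destination)."""


def _match(spec: str, addr: str) -> bool:
    """Match an ACE address spec ('any' or 'host A.B.C.D') against an address."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split(maxsplit=1)[1]
    raise ValueError(f"unsupported address spec: {spec!r}")


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching ACE decides; an extended ACL ends with an implicit deny."""
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action == "permit"
    return False


def vacl_action(vlan_map, src: str, dst: str) -> str:
    """Clauses are tried in sequence order; the first clause whose ACL *permits*
    the packet supplies the action (a 'deny' ACE just means 'not this clause').
    A clause with no match statement matches everything. A packet that matches
    no clause is dropped: a VLAN map ends with an implicit drop."""
    for _seq, acl, action in vlan_map:
        if acl is None or acl_permits(acl, src, dst):
            return action
    return "drop"


# HSRP hellos are sent TO 224.0.0.2, so the group is the destination.
HSRP_ACL = [("permit", "any", "host 224.0.0.2"), ("deny", "any", "any")]
# Pitfall 1: matching the group as the *source*; no hello ever matches this.
HSRP_ACL_SRC = [("permit", "host 224.0.0.2", "any"), ("deny", "any", "any")]

HSRP_MAP = [(10, HSRP_ACL, "drop"), (20, None, "forward")]
HSRP_MAP_NO_FORWARD = [(10, HSRP_ACL, "drop")]  # Pitfall 2: no clause 20

# Constructed sample traffic in VLAN 100: (description, src, dst).
PACKETS = [
    ("HSRPv1 hello", "10.1.100.2", "224.0.0.2"),
    ("HSRPv2 hello", "10.1.100.2", "224.0.0.102"),  # v2 group is not covered
    ("ordinary unicast", "10.1.100.2", "10.1.100.3"),
]


def evaluate(vlan_map) -> dict:
    """Return the VACL verdict for each sample packet."""
    return {name: vacl_action(vlan_map, s, d) for name, s, d in PACKETS}
```

Running `evaluate(HSRP_MAP_NO_FORWARD)` shows every packet dropped, and `evaluate([(10, HSRP_ACL_SRC, "drop"), (20, None, "forward")])` shows the HSRPv1 hello forwarded, which is why both the ACE direction and the final forward clause matter.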
