Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.

New Member

Transparent IOS firewall - need to restrict HSRP advertisements


I'm building a lab were I have a Cisco 2691 acting as a transparent (bridged) FW between two Cisco 6500 switches. I was successful in bridging VLANS across these two switches and I have successfully built layer 3 access control lists to control traffic that needs to be addressed.

However, darn multicast layer two traffic such as HSRP. I don't want HSRP to be shared between these two swicthes. I can't create a separate standby group because each switch needs to use the same standby IP.

I'm seeking out ideas as to how I can stop the passage of HSRP. Theres's likely too many mac addresses associated with HSRP updates so the method of using a layer 2 ACL might come back and bite me down the road.

Thoughts? Maybe I can block this at the switch port level keeping this traffic from ever hitting the router???



New Member

Re: Transparent IOS firewall - need to restrict HSRP advertiseme


There are a few different ways to do this. HSRP sends it's updates via multicast IP addess

Therefore, you should be able to drop all traffic to that address from any interface or vlan via an access-list or vlan-map, depending on where you configure it.

For example, if you were using a vlan-map on a 3550/3560, you'd do the following:

ip access-list extended HSRP

permit ip host any

deny ip any any

vlan access-map HSRP-Map 10

action drop

match ip address HSRP

vlan filter HSRP-Map vlan-list 100

The vlan map matches the traffic in the access-list, in this particular secenario, it is permitting to be dropped. In addition, it is denying everything else from being dropped. This only pertains to traffic in vlan 100, which is listed in the vlan-filter.

It seems kind of backwards at first, but once you do it a few times, it'll make sense.

If you wanted to restrict HSRP at the router, just add 'deny ip any host' to your access-list on the appropriate interface.

I'm pretty sure this should work. Give it a try and let me know!

CreatePlease to create content