Transparent IOS firewall - need to restrict HSRP advertisements
I'm building a lab where I have a Cisco 2691 acting as a transparent (bridged) FW between two Cisco 6500 switches. I was successful in bridging VLANs across these two switches and I have successfully built layer 3 access control lists to control traffic that needs to be addressed.
However, darn multicast layer two traffic such as HSRP. I don't want HSRP to be shared between these two switches. I can't create a separate standby group because each switch needs to use the same standby IP.
I'm seeking out ideas as to how I can stop the passage of HSRP. There are likely too many MAC addresses associated with HSRP updates, so the method of using a layer 2 ACL might come back and bite me down the road.
Thoughts? Maybe I can block this at the switch port level, keeping this traffic from ever hitting the router?
Re: Transparent IOS firewall - need to restrict HSRP advertisements
There are a few different ways to do this. HSRP sends its updates via multicast IP address 224.0.0.2.
Therefore, you should be able to drop all traffic to that address from any interface or vlan via an access-list or vlan-map, depending on where you configure it.
For example, if you were using a vlan-map on a 3550/3560, you'd do the following:
ip access-list extended HSRP
 ! "permit" here means "selected by the access-map"; HSRP hellos are sent TO 224.0.0.2
 permit ip any host 224.0.0.2
 deny ip any any
!
vlan access-map HSRP-Map 10
 match ip address HSRP
 action drop
! a VLAN map ends in an implicit deny for matched packet types, so forward the rest explicitly
vlan access-map HSRP-Map 20
 action forward
vlan filter HSRP-Map vlan-list 100
The vlan map matches the traffic in the access-list; in this particular scenario, it is permitting 224.0.0.2 to be dropped. In addition, it is denying everything else from being dropped. This only pertains to traffic in vlan 100, which is listed in the vlan-filter.
It seems kind of backwards at first, but once you do it a few times, it'll make sense.
If you wanted to restrict HSRP at the router, just add 'deny ip any host 224.0.0.2' to your access-list on the appropriate interface.
I'm pretty sure this should work. Give it a try and let me know!
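Added example, not part of the thread above and not Cisco code: a small Python model of what the two ACL styles in this thread would match, run over constructed Ethernet/IPv4 frames (placeholder payloads, not real captures). It shows two things a practitioner would check before deploying the answer. First, 224.0.0.2 is only the HSRPv1 group; HSRPv2 hellos go to 224.0.0.102 and slip past a rule that names 224.0.0.2 alone. Second, 224.0.0.2 is also the all-routers group, so 'deny ip any host 224.0.0.2' also drops IGMPv2 Leave Group messages; the tighter rule modelled here as acl_hsrp_only (my suggestion, equivalent to 'deny udp any host 224.0.0.2 eq 1985' plus the same for 224.0.0.102) drops only the HSRP hellos. The hsrp_virtual_group helper decodes the 0000.0c07.acXX (v1) and 0000.0c9f.fXXX (v2) virtual MACs, which is why the original poster is right that a layer 2 ACL would be awkward: there are 256 and 4096 possible addresses respectively.

```python
import struct
import ipaddress

# HSRP facts: hellos are UDP port 1985; HSRPv1 goes to 224.0.0.2 from virtual MAC
# 0000.0c07.acXX, HSRPv2 to 224.0.0.102 from 0000.0c9f.fXXX (XX/XXX = group number).
HSRP_UDP_PORT = 1985
HSRP_MCAST = {"224.0.0.2": 1, "224.0.0.102": 2}   # destination group -> HSRP version


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Assemble a minimal Ethernet/IPv4 frame for testing (IP checksum left as 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip_hdr + l4


def udp(sport, dport, payload):
    """UDP header (checksum 0) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_frame(frame):
    """Extract the fields an IOS 'ip' ACL can match on; None if the frame is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    info = {
        "src_mac": frame[6:12],
        "proto": frame[14 + 9],
        "dst_ip": str(ipaddress.IPv4Address(frame[14 + 16:14 + 20])),
        "dport": None,
    }
    if info["proto"] == 17:  # UDP: destination port is bytes 2-3 of the UDP header
        info["dport"] = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return info


def hsrp_virtual_group(mac):
    """(version, group) if mac is an HSRP virtual MAC, else None.
    256 possible v1 MACs and 4096 v2 MACs: the reason a layer 2 ACL is awkward here."""
    if mac[:5] == bytes.fromhex("00000c07ac"):
        return 1, mac[5]
    if mac[:4] == bytes.fromhex("00000c9f") and mac[4] >> 4 == 0xF:
        return 2, ((mac[4] & 0x0F) << 8) | mac[5]
    return None


def acl_as_posted(frame):
    """'deny ip any host 224.0.0.2': every IP protocol to that group is dropped."""
    info = parse_frame(frame)
    return "drop" if info and info["dst_ip"] == "224.0.0.2" else "forward"


def acl_hsrp_only(frame):
    """Tighter rule (suggested, not from the thread): drop UDP/1985 to either HSRP
    group, i.e. 'deny udp any host 224.0.0.2 eq 1985' plus the same for 224.0.0.102."""
    info = parse_frame(frame)
    if info and info["dst_ip"] in HSRP_MCAST and info["dport"] == HSRP_UDP_PORT:
        return "drop"
    return "forward"


# Constructed sample frames; payloads are placeholders, not real captures.
SAMPLES = {
    "hsrpv1_hello": build_frame("00000c07ac01", "01005e000002", "10.1.1.2", "224.0.0.2", 17,
                                udp(1985, 1985, bytes(20))),
    "hsrpv2_hello": build_frame("00000c9ff00a", "01005e000066", "10.1.1.2", "224.0.0.102", 17,
                                udp(1985, 1985, bytes(40))),
    # IGMPv2 Leave Group (type 0x17) is also sent to 224.0.0.2, the all-routers group
    "igmpv2_leave": build_frame("00112233aabb", "01005e000002", "10.1.1.50", "224.0.0.2", 2,
                                b"\x17\x00\x00\x00" + ipaddress.IPv4Address("239.1.1.1").packed),
    "ospf_hello": build_frame("00112233aabb", "01005e000005", "10.1.1.2", "224.0.0.5", 89, bytes(24)),
    "icmp_echo": build_frame("00112233aabb", "00112233ccdd", "10.1.1.2", "10.1.1.3", 1, bytes(8)),
}


def evaluate():
    """Run both rules over the samples: name -> (as-posted verdict, hsrp-only verdict)."""
    return {name: (acl_as_posted(f), acl_hsrp_only(f)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (posted, tight) in evaluate().items():
        print(f"{name:13s} as-posted={posted:8s} hsrp-only={tight}")
    for name, f in SAMPLES.items():
        print(name, hsrp_virtual_group(parse_frame(f)["src_mac"]))
```

Running it shows the v2 hello forwarded by the as-posted rule and the IGMPv2 leave dropped by it, while the UDP/1985 rule drops exactly the two hellos. On the 2691 the same distinction is what decides between 'deny ip any host 224.0.0.2' and the narrower 'deny udp any host 224.0.0.2 eq 1985' on the bridged interface.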