Cisco Support Community

New Member

Transparent bridge - traffic filtering

Hello,

I have a big bridged network (transparent bridging over GRE). Almost 100 sites are connected to one router. I would like to prevent broadcast, multicast, etc. traffic from flowing back to the other tunnels. I need the traffic to flow in one direction. Is it possible to filter the traffic?

8 REPLIES

Re: Transparent bridge - traffic filtering

Looks like you are in urgent need of a network redesign.

Transferring from a bridged to a routed environment will solve your problem and give a much better overall performance without the need for filters.

regards,

Leo

New Member

Re: Transparent bridge - traffic filtering

Hello Leo,

Thanks for the reply. I would love to route the traffic, but there is a special application on a central server which was designed for a bridged environment. So I need to bridge over a routed environment, and I would like to minimize the traffic.

Thanks

Re: Transparent bridge - traffic filtering

In that case, you should look at only allowing traffic that is needed for this application over the bridges.

Show us some config and details about your requirements.

Does this application run on top of IP?

regards,

Leo

New Member

Re: Transparent bridge - traffic filtering

That is what I am looking for. I have about 100 sites connecting to a central router via GRE tunnels. On the remote site I put the LAN interface and the GRE tunnel into one bridge-group. On the central site I put the GRE interfaces and the interface to the server into one bridge group as well. So I got a huge bridged network, which works, except for the huge overhead generated on the router. I need to filter broadcast, multicast, etc. traffic from going from one tunnel to all the others.

The software itself has its own DHCP server, so I cannot filter too much on the remote end.

What I need is to prevent layer 2 broadcast traffic from going into any of the GRE tunnels at the central site, as the software will send unicast traffic.

The configuration is quite simple; just IRB and GRE are configured for this traffic. CDP, keepalives and spanning-tree are disabled to lower the overhead.

Re: Transparent bridge - traffic filtering

Perhaps you can do something with this link:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml#sample_config

It describes how to set up mac access-lists. Perhaps you can start by allowing only traffic originating from the source-mac of your server.

regards,

Leo

New Member

Re: Transparent bridge - traffic filtering

Unfortunately I cannot configure that kind of access list on a GRE interface, and I am using a 2811 router. I was thinking of subscriber-policy commands, but at the moment I don't know how they would help.

Re: Transparent bridge - traffic filtering

I think you should configure this on the bridge interface on the LAN where your server resides.

Posting the config would really help.

Leo

Re: Transparent bridge - traffic filtering

On the LAN interface you need something like:

! extended MAC access-list 1100-1199: source-mac source-mask dest-mac dest-mask
! mask bits set to 1 are ignored, so 0000.0000.0000 ffff.ffff.ffff matches any source
! permit any source to application server 1
access-list 1101 permit 0000.0000.0000 ffff.ffff.ffff 0012.3456.7890 0000.0000.0000
! permit any source to application server 2
access-list 1101 permit 0000.0000.0000 ffff.ffff.ffff 0012.3456.7891 0000.0000.0000

etc., adding the addresses of the central application servers.

interface FastEthernet0/1
 ! apply the list to frames entering the bridge group on this interface
 bridge-group 1 input-address-list 1101

The smaller the access lists, the easier they are to manage - if you had cards from a different vendor in the servers you may be able to filter just on the manufacturer's prefix, though that may permit a little more traffic. If the addresses were close together, you could tighten up quite a bit.

Paul.
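To see what Paul's input-address-list would actually admit into the bridge group, here is an added example (not from the thread or from Cisco) that models first-match evaluation of an IOS extended MAC access-list with the usual wildcard-mask semantics (mask bits set to 1 are ignored). It runs the sample frames below through Paul's two-entry list and through the single-entry "addresses close together" variant he mentions; the frames, the client MAC and the server MACs other than the two Paul quoted are constructed.

```python
# Added example: model of an IOS extended MAC access-list (1100-1199) applied as
# "bridge-group 1 input-address-list". Assumption: as with IOS wildcard masks,
# mask bits set to 1 are "don't care", so 0000.0000.0000 ffff.ffff.ffff = any.

def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation (0012.3456.7890) into an integer."""
    return int(mac.replace(".", ""), 16)

def mac_matches(addr: str, pattern: str, mask: str) -> bool:
    """True when addr equals pattern on every bit the mask does not ignore."""
    care = ~mac_to_int(mask) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care) == (mac_to_int(pattern) & care)

def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched frame hits the implicit deny."""
    for action, s_pat, s_mask, d_pat, d_mask in acl:
        if mac_matches(src, s_pat, s_mask) and mac_matches(dst, d_pat, d_mask):
            return action
    return "deny"

# Paul's list: any source MAC, destination must be one of the application servers.
ACL_1101 = [
    ("permit", "0000.0000.0000", "ffff.ffff.ffff", "0012.3456.7890", "0000.0000.0000"),
    ("permit", "0000.0000.0000", "ffff.ffff.ffff", "0012.3456.7891", "0000.0000.0000"),
]

# Paul's "tighten up" idea: adjacent server MACs 0012.3456.7890/.7891 differ only
# in the lowest bit, so one entry that ignores just that bit covers both and no others.
ACL_1101_TIGHT = [
    ("permit", "0000.0000.0000", "ffff.ffff.ffff", "0012.3456.7890", "0000.0000.0001"),
]

# Constructed frames (src, dst) as they would arrive inbound on the remote LAN port.
FRAMES = {
    "unicast to server A": ("0011.2233.4455", "0012.3456.7890"),
    "unicast to server B": ("0011.2233.4455", "0012.3456.7891"),
    "unicast to other host": ("0011.2233.4455", "0012.3456.7892"),
    "broadcast (ARP, DHCP discover)": ("0011.2233.4455", "ffff.ffff.ffff"),
    "IPv4 multicast": ("0011.2233.4455", "0100.5e00.0001"),
}

def filter_report(acl) -> dict:
    """Verdict for every sample frame under the given access-list."""
    return {name: evaluate(acl, s, d) for name, (s, d) in FRAMES.items()}

if __name__ == "__main__":
    for name, verdict in filter_report(ACL_1101).items():
        print(f"{verdict:6} {name}")
```

The broadcast row is the trade-off the original poster raised: a LAN client's DHCP Discover is also a broadcast, so a destination-only list like this stops it from reaching the application's own DHCP server along with the ARP and other flooding it was meant to remove.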
