Cisco Support Community

Suppressing 224.0.0.2 multicast from Core Switches

Hello all,

2 core switches connected to 2 edge firewalls, all running OSPF. IPS is inline (Switches --> IPS --> ASA). The IPS is registering multicast to address 224.0.0.2 (all-routers, also used for HSRP) from both core switches via port 1985. Matching filter is: IP: Short Time to Live (1). No return traffic observed from anywhere. What exactly is this for, and how do I disable this traffic originating from the core switches if it's nothing to do with any used traffic? No multicast-enabled applications in the infra.

TIA

MS

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Suppressing 224.0.0.2 multicast from Core Switches

mvsheik123 wrote:

Hello all,

2 core switches connected to 2 edge firewalls, all running OSPF. IPS is inline (Switches --> IPS --> ASA). The IPS is registering multicast to address 224.0.0.2 (all-routers, also used for HSRP) from both core switches via port 1985. Matching filter is: IP: Short Time to Live (1). No return traffic observed from anywhere. What exactly is this for, and how do I disable this traffic originating from the core switches if it's nothing to do with any used traffic? No multicast-enabled applications in the infra.

TIA

MS


Do you have HSRP configured on the core switch interfaces or SVIs that connect to the firewalls?

If so, then yes, you will see this, and you won't necessarily see return traffic because 224.0.0.2 is used by HSRP, as you say. The IPS sees it because I'm assuming the core switch interfaces and the firewall interfaces connecting to each other are in the same subnet, i.e. the same L2 VLAN.

Jon
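The accepted answer identifies the traffic as HSRP hellos. As an added example (not from this thread and not Cisco code), the following Python builds a constructed HSRP v1 hello the way a core SVI would emit it and decodes it, so the three things the IPS logged line up: destination 224.0.0.2, UDP 1985, and TTL 1, which is what the "Short Time to Live" filter keys on. Addresses, the group number, priority and the packet layout constants are taken from RFC 2281; the sample values (10.0.0.x, group 1, priority 110) are assumptions. The decoder also surfaces the HSRP v1 authentication field, which is cleartext (protocol default "cisco"), so anything sitting in that VLAN, the inline IPS included, can read it.

```python
import socket
import struct

# Constants from RFC 2281 (HSRP v1). Sample addresses and values below are
# constructed for illustration and are not taken from the thread.
ALL_ROUTERS = "224.0.0.2"       # link-local "all routers" group HSRP v1 sends to
HSRP_PORT = 1985                # UDP port, used as both source and destination
HSRP_OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
HSRP_STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

IPV4_HDR = "!BBHHHBBH4s4s"      # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
UDP_HDR = "!HHHH"               # sport, dport, length, checksum
HSRP_PKT = "!BBBBBBBB8s4s"      # version, opcode, state, hellotime, holdtime, priority, group, reserved, auth, vip


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement header checksum; returns 0 when run over a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes, ttl: int) -> bytes:
    """Constructed IPv4+UDP datagram. A UDP checksum of 0 (omitted) is legal for IPv4."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack(IPV4_HDR, 0x45, 0xC0, 20 + len(udp), 0, 0, ttl, 17, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def build_hsrp_hello(src_ip: str, group: int, priority: int, state: int, vip: str,
                     auth: bytes = b"cisco", hellotime: int = 3, holdtime: int = 10) -> bytes:
    """HSRP v1 hello as an SVI would send it: TTL 1, to 224.0.0.2, UDP 1985 -> 1985.
    The 8-byte auth field is cleartext; b"cisco" is the protocol default."""
    body = struct.pack(HSRP_PKT, 0, 0, state, hellotime, holdtime, priority, group, 0,
                       auth.ljust(8, b"\x00"), socket.inet_aton(vip))
    return build_ipv4_udp(src_ip, ALL_ROUTERS, HSRP_PORT, HSRP_PORT, body, ttl=1)


def classify(pkt: bytes) -> dict:
    """Decode an IPv4 packet far enough to say whether it is an HSRP v1 message.
    'short_ttl' mirrors the IPS filter from the thread (TTL == 1); note that it
    fires on any link-local control traffic, not only HSRP."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "kind": "other",
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "short_ttl": ttl == 1,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }
    if proto != 17 or info["dst"] != ALL_ROUTERS:
        return info
    _sport, dport, ulen, _ucsum = struct.unpack(UDP_HDR, pkt[ihl:ihl + 8])
    body = pkt[ihl + 8:ihl + ulen]
    if dport != HSRP_PORT or len(body) < 20:
        return info
    version, opcode, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(HSRP_PKT, body[:20])
    if version != 0:
        info["kind"] = "hsrp-unsupported-version"
        return info
    info.update({
        "kind": "hsrp",
        "opcode": HSRP_OPCODES.get(opcode, "unknown(%d)" % opcode),
        "state": HSRP_STATES.get(state, "unknown(%d)" % state),
        "hellotime": hello,
        "holdtime": hold,
        "priority": prio,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "vip": socket.inet_ntoa(vip),
    })
    return info


if __name__ == "__main__":
    # Constructed samples: a hello from the active core SVI and an ordinary unicast DNS query.
    hello = build_hsrp_hello("10.0.0.2", group=1, priority=110, state=16, vip="10.0.0.1")
    dns = build_ipv4_udp("10.0.0.2", "10.0.0.53", 40000, 53, b"\x00" * 12, ttl=64)
    for p in (hello, dns):
        print(classify(p))
```

Because the IPS filter is keyed on TTL alone, it is not specific to HSRP: OSPF hellos to 224.0.0.5 from the same switch interfaces are also sent with TTL 1 and would match the same rule. Tuning the IPS rule by destination group and protocol is a more precise way to stop the noise than trying to filter the hellos at the switch.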

4 REPLIES
Re: Suppressing 224.0.0.2 multicast from Core Switches

Correct, Jon. Both FW inside i/fs connect to both switch ports in the same VLAN, with HSRP between the SVIs. Is there a way to suppress this?

Thanks

MS

Hall of Fame Super Blue

Re: Suppressing 224.0.0.2 multicast from Core Switches

mvsheik123 wrote:

Correct, Jon. Both FW inside i/fs connect to both switch ports in the same VLAN, with HSRP between the SVIs. Is there a way to suppress this?

Thanks

MS

MS

Well, you wouldn't want to suppress it between the 2 SVI interfaces.

224.0.0.x addressing is difficult because even if you turn on IGMP snooping it has no effect on 224.0.0.x addressing. Also, even if you tried to use an ACL outbound on the SVI, it wouldn't affect traffic generated by the device itself.

I suppose you could try VACLs, which you may be able to use to block the multicast going to the firewalls and hence via the IPS, but I don't know for sure if that would work as I have never tried it.

Jon

Re: Suppressing 224.0.0.2 multicast from Core Switches

Thanks again, Jon. I do not want to suppress HSRP hellos between SVIs. I will check on VACLs.

Thanks

MS
