Sunday 17 August 2014

HSRP filtering in OTV

While using OTV we need to pay additional attention to HSRP. As a best practice we don't use the same HSRP VIP between the DCs: each DC should have its own HSRP pair and VIPs.

By default OTV does not block HSRP hello packets, nor does it stop the HSRP virtual MAC from being learned across the overlay, so we need to block this traffic manually by applying the access lists below.

A. VLAN FILTER

(i) Create access-list for all traffic

       ip access-list ALL_IPs
       10 permit ip any any

(ii) Create access-list to match HSRP hello packet.

       ip access-list HSRP_IP
       10 permit udp any 224.0.0.2/32 eq 1985    <<<< HSRP ver 1
       20 permit udp any 224.0.0.102/32 eq 1985  <<<< HSRP ver 2

(iii) Create mac access-list to allow all mac address

        mac access-list ALL_MACs
        10 permit any any

(iv) Create mac access-list to match HSRP hello packet.

        mac access-list HSRP_MAC
        10 permit 0000.0c07.ac00 0000.0000.00ff any  <<<< HSRP ver 1
        20 permit 0000.0c9f.f000 0000.0000.0fff any  <<<< HSRP ver 2

(v) Create vlan access-map to block HSRP hello packet.

         vlan access-map BLOCK_HSRP 10
         match mac address HSRP_MAC
         match ip address HSRP_IP
         action drop

         vlan access-map  BLOCK_HSRP 20
         match mac address ALL_MACs
         match ip address ALL_IPs
         action forward

(vi) Apply vlan filter

         vlan filter BLOCK_HSRP vlan-list 90

B. ARP INSPECTION FILTER

(i) Enable DHCP feature

             feature dhcp

(ii) Create ARP access-list

         arp access-list HSRP_MAC_ARP
         10 deny ip any mac 0000.0c07.ac00 ffff.ffff.ff00
         20 deny ip any mac 0000.0c9f.f000 ffff.ffff.f000
         30 permit ip any mac any

(iii) Apply ARP inspection filter

         ip arp inspection filter HSRP_MAC_ARP vlan 90


C.  MAC-LIST FILTERING

(i) Create mac-list to block HSRP hello packets

         mac-list OTV_HSRP_BLOCK seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
         mac-list OTV_HSRP_BLOCK seq 11 deny 0000.0c9f.f000 ffff.ffff.f000
         mac-list OTV_HSRP_BLOCK seq 20 permit 0000.0000.0000 0000.0000.0000

(ii) Create route-map to block hello packet and call mac-list created above in it.

        route-map RESTRICT_HSRP permit 10
         match mac-list OTV_HSRP_BLOCK

(iii) Apply route-map to vpn overlay.

            otv-isis default
             vpn Overlay1    <<<< Overlay interface created in OTV VDC
               redistribute filter route-map RESTRICT_HSRP
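To sanity-check what the three filters above actually match, here is a small Python model that runs the same entries over constructed frames. This is an added example, not part of the original post and not a Cisco tool; it only reproduces the addresses, masks and ports from the configs. Two things are worth noticing: the mac access-list uses a wildcard mask (set bits are ignored) while the arp access-list and the OTV mac-list use a match mask (set bits must match), and both conventions describe the same vMAC blocks (256 HSRPv1 groups, 4096 HSRPv2 groups). The script assumes that sequence 10 of the VACL is satisfied when a frame matches both its MAC and IP conditions; the constructed hellos match both, and the platform's handling of a frame that matches only one is not modelled.

```python
"""Model of the HSRP filters from the post, run over constructed frames."""
from dataclasses import dataclass

HSRP_HELLO_PORT = 1985
HSRP_V1_GROUP_ADDR = "224.0.0.2"
HSRP_V2_GROUP_ADDR = "224.0.0.102"

# Entries copied from the post. mac access-list entries carry a wildcard mask
# (1 bit = don't care); arp access-list / OTV mac-list entries carry a match
# mask (1 bit = must match).
MAC_ACL_WILDCARD = [("0000.0c07.ac00", "0000.0000.00ff"),   # HSRP v1 vMAC 0000.0c07.acXX
                    ("0000.0c9f.f000", "0000.0000.0fff")]   # HSRP v2 vMAC 0000.0c9f.fXXX
MATCH_MASK_LIST = [("0000.0c07.ac00", "ffff.ffff.ff00"),
                   ("0000.0c9f.f000", "ffff.ffff.f000")]


def mac_to_int(mac: str) -> int:
    """Parse dotted-hex (0000.0c07.ac00) or colon/dash form into a 48-bit int."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def wildcard_match(mac: str, base: str, wildcard: str) -> bool:
    """NX-OS mac access-list semantics: bits set in the wildcard are ignored."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(mac) & care) == (mac_to_int(base) & care)


def mask_match(mac: str, base: str, mask: str) -> bool:
    """arp access-list / OTV mac-list semantics: bits set in the mask must match."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(base) & m)


def addresses_covered(wildcard: str) -> int:
    """Number of MACs (HSRP groups) one wildcard entry covers."""
    return 2 ** bin(mac_to_int(wildcard)).count("1")


@dataclass
class Frame:
    """Constructed summary of a frame; just the fields the filters look at."""
    src_mac: str
    dst_ip: str
    proto: str          # "udp", "tcp", ...
    dst_port: int = 0


def matches_hsrp_ip_acl(frame: Frame) -> bool:
    """ip access-list HSRP_IP: UDP to 224.0.0.2 or 224.0.0.102, port 1985."""
    return (frame.proto == "udp" and frame.dst_port == HSRP_HELLO_PORT
            and frame.dst_ip in (HSRP_V1_GROUP_ADDR, HSRP_V2_GROUP_ADDR))


def matches_hsrp_mac_acl(src_mac: str) -> bool:
    """mac access-list HSRP_MAC: source is an HSRP v1 or v2 virtual MAC."""
    return any(wildcard_match(src_mac, b, w) for b, w in MAC_ACL_WILDCARD)


def vacl_action(frame: Frame) -> str:
    """vlan access-map BLOCK_HSRP: seq 10 drops HSRP hellos, seq 20 forwards the rest.

    Assumption: seq 10 is modelled as requiring both its MAC and IP match.
    """
    if matches_hsrp_mac_acl(frame.src_mac) and matches_hsrp_ip_acl(frame):
        return "drop"
    return "forward"


def arp_acl_action(sender_mac: str) -> str:
    """arp access-list HSRP_MAC_ARP: deny ARP carrying an HSRP vMAC, permit others."""
    if any(mask_match(sender_mac, b, m) for b, m in MATCH_MASK_LIST):
        return "deny"
    return "permit"


def otv_mac_list_action(mac: str) -> str:
    """mac-list OTV_HSRP_BLOCK: seq 10/11 deny HSRP vMACs; seq 20 permits the rest
    (base 0000.0000.0000 with an all-zero mask matches every address)."""
    if any(mask_match(mac, b, m) for b, m in MATCH_MASK_LIST):
        return "deny"
    if mask_match(mac, "0000.0000.0000", "0000.0000.0000"):
        return "permit"
    return "implicit-deny"  # unreachable: seq 20 matches any MAC


def conventions_agree() -> bool:
    """The wildcard entries and the match-mask entries select the same MACs."""
    samples = ["0000.0c07.ac05", "0000.0c07.ad05", "0000.0c9f.f0a1",
               "0000.0c9f.e0a1", "0050.56aa.bbcc", "0000.0c07.acff"]
    return all(
        any(wildcard_match(s, b, w) for b, w in MAC_ACL_WILDCARD)
        == any(mask_match(s, b, m) for b, m in MATCH_MASK_LIST)
        for s in samples)


if __name__ == "__main__":
    # Constructed sample traffic: two HSRP hellos and one ordinary data frame.
    samples = [
        Frame("0000.0c07.ac05", HSRP_V1_GROUP_ADDR, "udp", HSRP_HELLO_PORT),  # HSRPv1 group 5
        Frame("0000.0c9f.f0a1", HSRP_V2_GROUP_ADDR, "udp", HSRP_HELLO_PORT),  # HSRPv2 group 161
        Frame("0050.56aa.bbcc", "10.1.90.20", "tcp", 443),                   # normal host traffic
    ]
    for f in samples:
        print(f"{f.src_mac} -> {f.dst_ip}: vacl={vacl_action(f)} "
              f"arp={arp_acl_action(f.src_mac)} otv={otv_mac_list_action(f.src_mac)}")
    print("v1 entry covers", addresses_covered("0000.0000.00ff"), "groups;",
          "v2 entry covers", addresses_covered("0000.0000.0fff"), "groups")
```

If you adapt the masks for a different vMAC range, run the script with your own sample MACs before pushing the change: a mask written in the wrong convention (wildcard where the list expects a match mask, or the reverse) silently matches either nothing or everything, and `conventions_agree()` is the quickest way to catch that.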
