[c-nsp] Too much HSRP traffic - how to limit?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Feb 27 15:10:35 EST 2007
A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Neal R wrote:
>>> I have some cat 3750 with 125ms hello/375ms hold time in a network
>>> with a lot of voice traffic. We like the fast failover we get with these
>>> times but we've got one sort of host that really whines about 32
>>> multicast packets/second. I've tried all sorts of methods to limit
>>> traffic destined for 224.0.0.2 on a couple of member ports of a
>>> particular vlan but I'm not coming up with an answer. Output policing?
>>> Not supported. The storm-control command limits *input* on ports. Access
>>> lists seem to be limited to the vlan interface themselves rather than
>>> the physical port.
>
> what you can do is use an ACL on your core switches that come from
> the routers etc to block this - ie stop it from getting further down
> to edge ports and edge switches. we have succesfully tested this
> in operation...things get sooo much quieter for tcpdump/wireshark
> etc so you can debug the problem you were initially looking at ;-)
>
> as a basic exmple...on the inbound port on a concentrator switch being
> fed from the router...
>
> ip access-group NOHSRP in
>
> ip access-list extended NOHSRP
> deny udp any host 224.0.0.2 eq 1985
> permit ip any any
>
>
> alan
Point to note (I'm sure you know this); if the topology is:
routerA --- routerB
\ /
\ X STP blocking
\ /
switch
...and the routerA-routerB link fails, then the ACL should not be on the
switch ports facing the routers else the HSRP nodes will both go active.
I would prefer outbound acls on the front-panel ports of "switch"
personally - sadly our current kit lacks in that respect, so the BFD for
HSRP interests me greatly. Combined with the HSRP "follow" groups also
in 12.4T it has the potential to make a reasonable FHRP.
Nice one Cisco. Shame it took you over a decade. Now lets have those in
12.2(33)SXH please.
More information about the cisco-nsp
mailing list