How to configure a Host Mobility ACL to Prevent unwanted host routes Being Populated in the Route Table

Objective
How to configure a Host Mobility ACL to prevent unwanted host routes being added into the route table.
Environment
  • S-Series
  • K-Series
  • 7100-Series
  • All firmware versions
Procedure
Short background:
With VRRP Host Mobility enabled on an L3 interface, the switch adds a /32 host route whenever it receives *any* packet destined for the VRRP MAC address of the interface (00-00-5e-00-01-xx). That means if a host in this VLAN is misconfigured with an invalid IP address, a route for that address is still added to the table, potentially poisoning the route table with an invalid route. This has minimal impact in most cases, but it has been seen to have disastrous impact when an important public IP address happens to find its way into the route table. Because of this behavior, it is recommended to use a Host-Mobility ACL so that only host routes with appropriate IP addresses are added to the route table.

Procedure:
  • Create an ACL that matches on the desired subnet for the VRRP Host-Mobility VLAN
      router
      config
      ip access-list extended <acl-name>
      permit ip <host-mobility-network> <wildcard-mask> any
      exit
  • Configure the Host Mobility ACL on the VLAN interface, referencing the previously-defined <acl-name>
      interface vlan.0.<vlan-id>
      vrrp host-mobility-acl <vrid> <acl-name>
      exit
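The following is an added example, not switch firmware or vendor code, that models the behavior described in the background and procedure above: which /32 routes host mobility would install from a set of observed packets with and without a permit-only-subnet ACL, using the same wildcard-mask semantics as the `permit ip <network> <wildcard-mask> any` entry. It also renders the two-step configuration from the template. The subnet 192.0.2.0/24, the misconfigured host at 203.0.113.7, the ACL name HM-VLAN100, VLAN 100 and VRID 1 are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the article).
VRID = 1
VRRP_MAC = "00-00-5e-00-01-%02x" % VRID      # 00-00-5e-00-01-01
ACL_NAME = "HM-VLAN100"
VLAN_ID = 100
HM_NETWORK, HM_WILDCARD = "192.0.2.0", "0.0.0.255"

# Packets seen on the VLAN as (source IP, destination MAC).
# 203.0.113.7 is a host misconfigured with a public address on this VLAN.
SAMPLE_PACKETS = [
    ("192.0.2.10", VRRP_MAC),
    ("192.0.2.11", VRRP_MAC),
    ("203.0.113.7", VRRP_MAC),            # would poison the route table
    ("192.0.2.12", "aa-bb-cc-dd-ee-ff"),  # not sent to the VRRP MAC
]


def wildcard_match(addr, network, wildcard):
    """Wildcard-mask match as used by the ACL: a 0 bit in the wildcard
    means the address bit must equal the network bit; a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src_ip):
    """Evaluate an ordered list of (action, network, wildcard) entries.
    First match wins; no match means the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src_ip, network, wildcard):
            return action == "permit"
    return False


def host_routes_installed(packets, vrrp_mac, acl=None):
    """Return the set of /32 routes host mobility would add.
    Without an ACL, any packet addressed to the VRRP MAC installs a route
    for its source; with an ACL, the source must also be permitted."""
    routes = set()
    for src_ip, dst_mac in packets:
        if dst_mac.lower() != vrrp_mac.lower():
            continue
        if acl is not None and not acl_permits(acl, src_ip):
            continue
        routes.add(src_ip + "/32")
    return routes


def render_config(acl_name, network, wildcard, vlan_id, vrid):
    """Render the two-step configuration from the article's template."""
    return [
        "router",
        "config",
        "ip access-list extended %s" % acl_name,
        "permit ip %s %s any" % (network, wildcard),
        "exit",
        "interface vlan.0.%d" % vlan_id,
        "vrrp host-mobility-acl %d %s" % (vrid, acl_name),
        "exit",
    ]


HOST_MOBILITY_ACL = [("permit", HM_NETWORK, HM_WILDCARD)]

if __name__ == "__main__":
    print("Without ACL:", sorted(host_routes_installed(SAMPLE_PACKETS, VRRP_MAC)))
    print("With ACL:   ", sorted(host_routes_installed(SAMPLE_PACKETS, VRRP_MAC,
                                                        HOST_MOBILITY_ACL)))
    print("\n".join(render_config(ACL_NAME, HM_NETWORK, HM_WILDCARD, VLAN_ID, VRID)))
```

Running the block shows the 203.0.113.7/32 route present only in the no-ACL case, which is the poisoning scenario the background describes; the host at 192.0.2.12 never gets a route in either case because its traffic was not addressed to the VRRP MAC.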