Thursday, October 22, 2015

Allow HSRP on certain VLANs on Cisco OTV

I was working with a vendor, and one of their requirements was to split their two routers between the two sites and run HSRP between them. We run OTV to extend layer 2 between the two sites, and to avoid suboptimal switching and routing I had created filters that prevent the HSRP peers from seeing each other across the two data centers. Allowing HSRP traffic across OTV is NOT Cisco best practice, but there are times when we have to make exceptions, right? So how do you allow HSRP to cross OTV? Follow the three simple steps below. You need to apply this on all your OTV instances.

Step 1. Do not add the VLAN to your VLAN filter list (VLAN 5 is the VLAN we want to allow):

vlan filter HSRP_Localization vlan-list 2,3,4,7
 
Step 2. Do not add the VLAN to your ARP inspection filter list (VLAN 5 is the VLAN we want to allow):

ip arp inspection filter HSRP_VMAC_ARP vlan 2,3,4,7 

Notice that VLAN 5 is not included in either list, meaning HSRP on that VLAN will not be filtered by the VACL or by the ARP inspection filter.

Step 3. Identify the MAC address of the HSRP group you want to allow. You will most likely find it on the active router side, since the standby router will not see an ARP entry for HSRP 1.1.1.1 because it is still being filtered.


SiteA-Nexus#sh ip arp | inc 1.1.1.1
1.1.1.1    00:17:52  0000.0c07.ac05  Vlan5


Once you determine the MAC address, add a permit for it to the mac-list that your OTV route-map matches on (seq 5 below, ahead of the existing deny entries):

mac-list OTV_HSRP seq 5 permit 0000.0c07.ac05 ffff.ffff.ffff
mac-list OTV_HSRP seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list OTV_HSRP seq 11 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP seq 15 deny 0100.5e00.0000 ffff.ffff.ff00
mac-list OTV_HSRP seq 20 permit 0000.0000.0000 0000.0000.0000
route-map OTV_HSRP_filter permit 10
  match mac-list OTV_HSRP

If you are wondering what the ffff.ffff.ffff is, it is the mask: with every bit set, the whole address has to match, so seq 5 matches only that one HSRP virtual MAC, while the 0000.0000.0000 mask in seq 20 matches everything else.
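To check what the mac-list above will actually let through before pushing it to the OTV edge devices, here is a small evaluator I added for this post (it is not Cisco code and not part of the original configuration). It applies the NX-OS mask semantics described above, where a 1 bit in the mask means that bit of the MAC must match, walks the entries lowest sequence number first, and reports the first match. The sample MACs other than the 0000.0c07.ac05 VMAC from the post are constructed for the example.

```python
# Added example (not from the original post): a small evaluator for Cisco-style
# mac-list entries so you can see what the OTV_HSRP list permits and denies.
# Mask semantics as on NX-OS: a 1 bit in the mask means that bit of the MAC
# must match, so ffff.ffff.ffff is an exact match and 0000.0000.0000 matches
# any address.  Entries are evaluated lowest sequence number first; the first
# matching entry wins.

def mac_to_int(mac: str) -> int:
    """Parse dotted-hex Cisco notation (0000.0c07.ac05), colon or dash notation."""
    hexdigits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(hexdigits, 16)

def parse_mac_list(config: str, name: str):
    """Collect the (seq, action, addr, mask) entries of one named mac-list."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] != "mac-list" or parts[1] != name:
            continue
        _, _, _, seq, action, addr, mask = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {line!r}")
        entries.append((int(seq), action, mac_to_int(addr), mac_to_int(mask)))
    return sorted(entries)

def evaluate(entries, mac: str) -> str:
    """Return 'permit <seq>' or 'deny <seq>' for the first matching entry.
    No match means the route-map clause does not match, so the route-map's
    implicit deny at the end applies; reported here as 'deny implicit'."""
    value = mac_to_int(mac)
    for seq, action, addr, mask in entries:
        if (value & mask) == (addr & mask):
            return f"{action} {seq}"
    return "deny implicit"

# The mac-list from the post, reproduced here as sample input.
OTV_HSRP_CONFIG = """\
mac-list OTV_HSRP seq 5 permit 0000.0c07.ac05 ffff.ffff.ffff
mac-list OTV_HSRP seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list OTV_HSRP seq 11 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP seq 15 deny 0100.5e00.0000 ffff.ffff.ff00
mac-list OTV_HSRP seq 20 permit 0000.0000.0000 0000.0000.0000
"""

OTV_HSRP = parse_mac_list(OTV_HSRP_CONFIG, "OTV_HSRP")

def check_hsrp_list() -> dict:
    """Evaluate a few MACs (constructed except the post's VMAC) against the list."""
    samples = [
        "0000.0c07.ac05",  # HSRPv1 group 5 VMAC from the post: should cross OTV
        "0000.0c07.ac02",  # HSRPv1 group 2 VMAC: stays localized (seq 10)
        "0000.0c9f.f001",  # HSRPv2 group 1 VMAC: stays localized (seq 11)
        "0100.5e00.0002",  # IPv4 multicast MAC for 224.0.0.2: filtered (seq 15)
        "0050.56aa.bb01",  # ordinary host MAC (constructed): advertised normally
    ]
    return {mac: evaluate(OTV_HSRP, mac) for mac in samples}

def order_matters() -> tuple:
    """Same entries, but with the specific permit moved behind the HSRPv1 deny:
    the VMAC then hits seq 10 first and is dropped.  Returns both verdicts."""
    reordered = OTV_HSRP_CONFIG.replace("seq 5 permit", "seq 25 permit")
    return (evaluate(OTV_HSRP, "0000.0c07.ac05"),
            evaluate(parse_mac_list(reordered, "OTV_HSRP"), "0000.0c07.ac05"))

if __name__ == "__main__":
    for mac, verdict in check_hsrp_list().items():
        print(f"{mac}  ->  {verdict}")
    print("permit before deny / permit after deny:", order_matters())
```

The order_matters() check is the one worth keeping in mind when you edit the list later: the per-group permit only works because its sequence number is lower than the deny for the whole 0000.0c07.ac00 range.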