[nsp] HSRP multicast & switch ports

Tim Stevenson tstevens at cisco.com
Wed Sep 3 12:04:55 EDT 2003


Sorry, no - IGMP snooping never constrains 224.0.0.x groups.

As for the original question, there is really no clean way to do this (prevent flooding of HSRP to all switch ports) right now.

Tim

At 10:55 AM 9/3/2003, cisco-nsp-request at puck.nether.net submitted:
>Date: Wed, 3 Sep 2003 17:40:27 +0200
>From: "Fernando Mayo" <fernando.mayo at acens.com>
>Subject: RE: [nsp] HSRP multicast & switch ports
>To: "'John Wong, Kok Seng'" <JohnWong at crimsonlogic.com>,
>     <cisco-nsp at puck.nether.net>
>Message-ID: <007201c37231$b3660f00$1800040a at macorp.acens.priv>
>Content-Type: text/plain; charset="us-ascii"
>
>Hi,
>
>In such a topology, if you enable the "igmp snooping querier" feature in
>the VLAN, multicast packets will only be forwarded to the ports which have
>joins to that multicast group.
>
>IGMP snooping should also be enabled, but it is enabled by default.
>
>Regards,
>
>Fernando
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of John Wong, Kok
>> Seng
>> Sent: Wednesday, 03 September 2003 10:15
>> To: cisco-nsp at puck.nether.net
>> Subject: RE: [nsp] HSRP multicast & switch ports
>> 
>> 
>> Steve,
>> 
>> I was more concerned about the hosts connected to the
>> switchport being able to "see" the HSRP plaintext authentication
>> rather than performance. I think MD5 authentication for
>> HSRP is not available for MSFCs yet. Imagine if a compromised
>> host were to set a higher priority, grab all the traffic and
>> basically just do some MITM attacks/sniffing... not nice at all...
>> 
>> Thanks.
>> 
>> 
>> > -----Original Message-----
>> > From: Steve Francis [mailto:steve at expertcity.com] 
>> > Sent: Wednesday, September 03, 2003 3:09 PM
>> > To: John Wong, Kok Seng
>> > Cc: cisco-nsp at puck.nether.net
>> > Subject: Re: [nsp] HSRP multicast & switch ports
>> > 
>> > 
>> > John Wong, Kok Seng wrote:
>> > 
>> > >Hi all,
>> > >
>> > >Sorry if this is an FAQ listed somewhere i couldn't find...
>> > >
>> > >How do we prevent HSRP multicasts (224.0.0.2) being flooded
>> > >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
>> > >and we're seeing the HSRP multicast packets on all the ports
>> > >in the HSRP VLAN connected to the switch.
>> > >
>> > You don't.  What if you attach a router that you want to
>> > participate in the HSRP group to one of those switch ports?
>> > How would it know not to be active w/o the multicasts?
>> > 
>> > Two packets per 5 seconds (default), to a multicast group (so most
>> > machines won't even get NIC interrupts from them) is not
>> > something I'd worry about.
>> > 
>> > >
>> > >Thanks.
>> > >
>> > >_______________________________________________
>> > >cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > >archive at http://puck.nether.net/pipermail/cisco-nsp/
>> > >  
>> > >
>> > 
>> > 
>> > 
>> 


Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
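
The security point raised in the thread is that every host on the VLAN receives the HSRPv1 hellos and can read the cleartext authentication string, so a compromised host can simply replay it with a higher priority. Since the flooding cannot be stopped on the switch, the practical control is to watch for it. The following is an added example, not code from the thread or from Cisco: it decodes the 20-byte HSRPv1 body (RFC 2281 layout: version, opcode, state, hellotime, holdtime, priority, group, reserved, 8-byte auth data, virtual IP) and flags hellos or coups for a group that come from a source other than the configured routers, or with a priority above what the routers are configured with. The group number, router and virtual IP addresses, priorities and the sample packets are constructed for illustration; the observations would in practice come from a SPAN port or sniffer.

```python
# Added example, not from the thread or from Cisco: parse HSRPv1 packets
# (RFC 2281 layout) and flag speakers that are not the configured routers.
# Addresses, group, priorities and packets below are constructed.
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# HSRPv1 body as carried in UDP/1985 to 224.0.0.2: version, opcode, state,
# hellotime, holdtime, priority, group, reserved, 8-byte auth data, virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)  # 20 bytes
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


@dataclass(frozen=True)
class HsrpV1:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str        # cleartext: exactly what every host on the VLAN can read
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode the UDP payload of an HSRPv1 packet."""
    if len(payload) < HSRP_LEN:
        raise ValueError("short HSRP packet")
    (version, opcode, state, hello, hold, prio,
     group, _reserved, auth, vip) = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    if version != 0:  # HSRPv1 carries version 0; v2 uses a different (TLV) layout
        raise ValueError(f"unsupported HSRP version {version}")
    return HsrpV1(
        opcode=OPCODES.get(opcode, f"op{opcode}"),
        state=STATES.get(state, f"state{state}"),
        hellotime=hello, holdtime=hold, priority=prio, group=group,
        auth=auth.rstrip(b"\x00").decode("ascii", "replace"),
        virtual_ip=str(IPv4Address(vip)),
    )


def build_hsrp_v1(opcode, state, priority, group, auth, virtual_ip, hello=3, hold=10) -> bytes:
    """Construct a packet with the same layout (only used to feed the parser)."""
    return struct.pack(HSRP_FMT, 0, opcode, state, hello, hold, priority, group, 0,
                       auth.encode("ascii").ljust(8, b"\x00"), IPv4Address(virtual_ip).packed)


def rogue_hsrp_alerts(observations, expected):
    """observations: (src_ip, hsrp_payload) pairs captured on the VLAN.
    expected: {group: (set_of_router_ips, max_configured_priority, virtual_ip)}
    taken from the router configs. The auth string is deliberately not used as
    evidence of legitimacy: any host that sees the hellos already knows it."""
    alerts = []
    for src, payload in observations:
        try:
            pkt = parse_hsrp_v1(payload)
        except ValueError as exc:
            alerts.append(f"{src}: unparseable HSRP ({exc})")
            continue
        policy = expected.get(pkt.group)
        if policy is None:
            alerts.append(f"{src}: {pkt.opcode} for unknown group {pkt.group}")
            continue
        routers, max_prio, vip = policy
        if src not in routers:
            alerts.append(f"{src}: {pkt.opcode} for group {pkt.group} from non-router source "
                          f"(priority {pkt.priority}, auth '{pkt.auth}')")
        elif pkt.priority > max_prio:
            alerts.append(f"{src}: priority {pkt.priority} exceeds configured maximum "
                          f"{max_prio} for group {pkt.group}")
        if pkt.virtual_ip != vip:
            alerts.append(f"{src}: virtual IP {pkt.virtual_ip} does not match {vip} "
                          f"for group {pkt.group}")
    return alerts


if __name__ == "__main__":
    # Constructed: two real routers in group 1 with the default "cisco" auth,
    # then a compromised host replaying that auth in a coup with priority 255.
    policy = {1: ({"10.0.4.2", "10.0.4.3"}, 110, "10.0.4.1")}
    seen = [
        ("10.0.4.2", build_hsrp_v1(0, 16, 110, 1, "cisco", "10.0.4.1")),
        ("10.0.4.3", build_hsrp_v1(0, 8, 100, 1, "cisco", "10.0.4.1")),
        ("10.0.4.77", build_hsrp_v1(1, 4, 255, 1, "cisco", "10.0.4.1")),
    ]
    for line in rogue_hsrp_alerts(seen, policy):
        print(line)
```

The check keys on the source address and the configured priority ceiling rather than on the authentication field, because with plaintext authentication the field adds nothing once an attacker has seen one hello; the same source-based check still applies after a move to MD5 authentication, where it catches misconfigured or unexpected routers rather than key replay.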


