[nsp] HSRP multicast & switch ports

Tim Stevenson tstevens at cisco.com
Wed Sep 3 21:56:03 EDT 2003


Don't think unknown multicast blocking affects the reserved range (224.0.0.x), but not positive.

MAC VACL won't work - you can't match IP traffic with a MAC VACL.

I think the best suggestion came in another post, to configure a static multicast MAC table entry for the all-routers group MAC (0100.5e00.0002), to constrain flooding to the router ports only.

Tim

At 08:12 PM 9/3/2003, cisco-nsp-request at puck.nether.net submitted:
>Date: Thu, 4 Sep 2003 01:08:26 +0400
>From: "Andrey Zimin" <horgi at mtu.ru>
>Subject: Re: [nsp] HSRP multicast & switch ports
>To: <cisco-nsp at puck.nether.net>
>Message-ID: <06fa01c37260$25fc3b60$0f2722c3 at mtu.ru>
>Content-Type: text/plain;     charset="iso-8859-1"
>
>hmm, good question.
>possible 'block unknown multicast' can help.
>possible MAC ACL.
>
>I will try.
>
>Good luck !
>======================
> Andrey Zimin | AVZ7-RIPE
>           MTU-Intel ISP
>        Moscow, Russia
>======================
>
>
>
>----- Original Message ----- 
>From: "John Wong, Kok Seng" <JohnWong at crimsonlogic.com>
>To: <cisco-nsp at puck.nether.net>
>Sent: Wednesday, September 03, 2003 12:15 PM
>Subject: RE: [nsp] HSRP multicast & switch ports
>
>
>> Steve,
>> 
>> I was more concerned about the hosts connected to the
>> switchport being able to "see" the HSRP plaintext authentication
>> rather than performance. I think MD5 authentication for
>> HSRP is not available for MSFCs yet. Imagine if a compromised
>> host were to set a higher priority, grab all the traffic and
>> basically just do some MITM attacks/sniffing... not nice at all...
>> 
>> Thanks.
>> 
>> 
>> > -----Original Message-----
>> > From: Steve Francis [mailto:steve at expertcity.com] 
>> > Sent: Wednesday, September 03, 2003 3:09 PM
>> > To: John Wong, Kok Seng
>> > Cc: cisco-nsp at puck.nether.net
>> > Subject: Re: [nsp] HSRP multicast & switch ports
>> > 
>> > 
>> > John Wong, Kok Seng wrote:
>> > 
>> > >Hi all,
>> > >
>> > >Sorry if this is an FAQ listed somewhere i couldn't find...
>> > >
>> > >How do we prevent HSRP multicasts (224.0.0.2) being flooded
>> > >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
>> > >and we're seeing the HSRP multicast packets on all the ports
>> > >in the HSRP VLAN connected to the switch.
>> > >
>> > You don't.  What if you attach a router that you want to 
>> > participate in 
>> > the HSRP group to one of those switch ports? How would it 
>> > know not to be 
>> > active w/o the multicasts?
>> > 
>> > Two packets per 5 seconds (default), to a multicast group (so most 
>> > machines won't even get NIC interrupts from them) is not something I'd 
>> > worry about.
>> > 
>> > >
>> > >Thanks.
>> > >
>> > >_______________________________________________
>> > >cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > >archive at http://puck.nether.net/pipermail/cisco-nsp/


Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
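Two points in this thread lend themselves to a worked illustration: Tim's suggestion to pin the all-routers group MAC 0100.5e00.0002 to the router ports, and John's concern that any host on a flooded port can read the HSRP authentication string. The script below is an added example, not code from the list, from Cisco, or from any of the posters. It derives the group MAC from 224.0.0.2 using the RFC 1112 mapping, then builds and decodes an HSRPv1 packet (RFC 2281 layout) to show that the 8-byte authentication field and the priority are plain bytes on the wire. All packets are constructed in-line; the priority values, group number, virtual IP and the "cisco" auth string are assumptions for the demonstration, and `would_preempt` is a simplified election check that ignores the tie-break on interface IP.

```python
"""Added illustration for the HSRP thread above: (1) how 224.0.0.2 maps to the
all-routers group MAC 0100.5e00.0002 that a static CAM entry would constrain to
the router ports, and (2) what a host on a flooded port sees in an HSRPv1
hello, i.e. the authentication string and priority in cleartext (RFC 2281).
Packets are constructed in-line; nothing here is captured from a live network."""
import ipaddress
import struct

HSRP_UDP_PORT = 1985            # HSRP runs over UDP to 224.0.0.2 (RFC 2281)
HSRP_GROUP_IP = "224.0.0.2"
HSRP_V1_FMT = "!BBBBBBBB8s4s"   # version, opcode, state, hellotime, holdtime,
                                # priority, group, reserved, authdata, virtual IP
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)   # 20 bytes

OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01-00-5e prefix + low 23 bits of the IPv4 group address,
    returned in Cisco dotted-hex form so it can be pasted into a static MAC entry."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "0100.5e%02x.%04x" % (low23 >> 16, low23 & 0xFFFF)


def build_hsrp_v1(opcode: int, state: int, priority: int, group: int,
                  auth: str, virtual_ip: str,
                  hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Serialise an HSRPv1 packet. The auth field is 8 bytes of plain ASCII,
    NUL-padded; there is no hash or MAC anywhere in the packet."""
    auth_bytes = auth.encode("ascii")[:8].ljust(8, b"\x00")
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth_bytes,
                       ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the UDP payload of an HSRPv1 packet into a dict."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("payload shorter than an HSRPv1 packet")
    (version, opcode, state, hellotime, holdtime, priority,
     group, _reserved, auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def would_preempt(sniffed_hello: dict, candidate_priority: int) -> bool:
    """HSRP elects the highest priority as active (ties go to the higher
    interface IP, which this simplified check ignores)."""
    return candidate_priority > sniffed_hello["priority"]


def demo() -> dict:
    # Constructed hello as an active MSFC might send it: priority 100, auth "cisco"
    # (assumed values for the demonstration).
    wire = build_hsrp_v1(opcode=0, state=16, priority=100, group=1,
                         auth="cisco", virtual_ip="10.0.0.1")
    seen = parse_hsrp_v1(wire)
    # A host on any flooded port reads the auth string directly off the wire and
    # can reuse it in a hello of its own with priority 255, the scenario John raises.
    rogue = parse_hsrp_v1(build_hsrp_v1(0, 16, 255, seen["group"],
                                        seen["auth"], seen["virtual_ip"]))
    return {
        "all_routers_mac": multicast_mac(HSRP_GROUP_IP),
        "auth_visible": seen["auth"],
        "rogue_preempts": would_preempt(seen, rogue["priority"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the MAC Tim quotes and shows the auth string recovered from the packet bytes, which is why constraining the flood to router ports (or an authentication scheme that is not a plaintext field) is the meaningful control here.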