[nsp] HSRP multicast & switch ports
John Wong, Kok Seng
JohnWong at crimsonlogic.com
Wed Sep 3 17:15:16 EDT 2003
Steve,
I was more concerned about the hosts connected to the
switchport being able to "see" the HSRP plaintext authentication
rather than performance. I think MD5 authentication for
HSRP is not available for MSFCs yet. Imagine if a compromised
host were to set a higher priority, grab all the traffic and
basically just do some MITM attacks/sniffing... not nice at all...
Thanks.
> -----Original Message-----
> From: Steve Francis [mailto:steve at expertcity.com]
> Sent: Wednesday, September 03, 2003 3:09 PM
> To: John Wong, Kok Seng
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] HSRP multicast & switch ports
>
>
> John Wong, Kok Seng wrote:
>
> >Hi all,
> >
> >Sorry if this is an FAQ listed somewhere I couldn't find...
> >
> >How do we prevent HSRP multicasts (224.0.0.2) being flooded
> >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
> >and we're seeing the HSRP multicast packets on all the ports
> >in the HSRP VLAN connected to the switch.
> >
> You don't. What if you attach a router that you want to
> participate in
> the HSRP group to one of those switch ports? How would it
> know not to be
> active w/o the multicasts?
>
> Two packets per 5 seconds (default), to a multicast group ( so most
> machines won't even get NIC interrupts from them) is not something I'd
> worry about.
>
> >
> >Thanks.
> >
> >_______________________________________________
> >cisco-nsp mailing list cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>
>
>
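The exposure John raises can be made concrete from the monitoring side. The Python below is an added example and is not part of this thread or any Cisco tooling: it decodes HSRPv1 packets (the RFC 2281 layout carried in UDP port 1985 to 224.0.0.2) from constructed byte strings, and flags a packet when its source is not in a hypothetical table of known routers, when its priority outranks every configured router, when it is a Coup, or when the group still uses the default plaintext authentication string. The packets, IP addresses and the KNOWN_ROUTERS table are all constructed for the demo; the authentication field is read straight from the bytes, which is exactly the point about plaintext authentication.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# HSRPv1 payload layout (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte authentication data, 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)  # 20 bytes
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = "cisco"  # the well-known default authentication string


@dataclass
class HsrpPacket:
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str        # authentication data, readable as-is because it is sent in clear
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpPacket:
    """Decode one HSRPv1 UDP payload; raises ValueError on a short or non-v1 packet."""
    if len(payload) < HSRP_LEN:
        raise ValueError("HSRP payload shorter than %d bytes" % HSRP_LEN)
    ver, op, st, hello, hold, prio, grp, _rsv, auth, vip = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    if ver != 0:
        raise ValueError("not an HSRP version 1 packet")
    return HsrpPacket(
        version=ver,
        opcode=OPCODES.get(op, "opcode%d" % op),
        state=STATES.get(st, "state%d" % st),
        hellotime=hello,
        holdtime=hold,
        priority=prio,
        group=grp,
        auth=auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        virtual_ip=".".join(str(b) for b in vip),
    )


# Hypothetical expected state of the group: the routers that should be speaking HSRP
# on this VLAN and the priority each is configured with (constructed for this example).
KNOWN_ROUTERS: Dict[str, int] = {"10.0.0.2": 100, "10.0.0.3": 90}


def check_packet(src_ip: str, payload: bytes, known: Dict[str, int] = KNOWN_ROUTERS) -> List[str]:
    """Return the reasons, if any, that this HSRP packet deserves an alert."""
    pkt = parse_hsrp(payload)
    findings: List[str] = []
    if src_ip not in known:
        findings.append("HSRP %s from unexpected source %s for group %d" % (pkt.opcode, src_ip, pkt.group))
    elif pkt.priority != known[src_ip]:
        findings.append("%s advertises priority %d, configured %d" % (src_ip, pkt.priority, known[src_ip]))
    if pkt.priority > max(known.values()):
        findings.append("priority %d outranks every known router" % pkt.priority)
    if pkt.opcode == "Coup":
        findings.append("Coup from %s: sender is claiming the active role" % src_ip)
    if pkt.auth == DEFAULT_AUTH:
        findings.append("group %d uses the default plaintext authentication string" % pkt.group)
    return findings


# Constructed sample traffic (source IP, UDP payload) as a sniffer on the VLAN would see it.
# Packet 1: the legitimate active router, priority 100, auth "cisco", virtual IP 10.0.0.1.
LEGIT_HELLO = b"\x00\x00\x10\x03\x0a\x64\x01\x00" + b"cisco\x00\x00\x00" + b"\x0a\x00\x00\x01"
# Packet 2: a hello for the same group from a host that is not in the router table, priority 255.
ROGUE_HELLO = b"\x00\x00\x10\x03\x0a\xff\x01\x00" + b"cisco\x00\x00\x00" + b"\x0a\x00\x00\x01"
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [("10.0.0.2", LEGIT_HELLO), ("10.0.0.50", ROGUE_HELLO)]


def monitor(frames: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Run the checks over (src_ip, payload) pairs and keep only sources with findings."""
    report: Dict[str, List[str]] = {}
    for src, payload in frames:
        found = check_packet(src, payload)
        if found:
            report[src] = found
    return report


if __name__ == "__main__":
    for src, reasons in monitor(SAMPLE_FRAMES).items():
        for reason in reasons:
            print("%-10s %s" % (src, reason))
```

Fed the two constructed packets, the monitor reports the legitimate router only for the default authentication string, and the second host for being an unknown source whose priority 255 would win the election. In practice the (src_ip, payload) pairs would come from a SPAN session or a capture on a port in the HSRP VLAN, which is exactly where the thread says every host already sees these packets.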