[nsp] HSRP multicast & switch ports

John Wong, Kok Seng JohnWong at crimsonlogic.com
Wed Sep 3 17:15:16 EDT 2003


Steve,

I was more concerned about the hosts connected to the
switchport being able to "see" the HSRP plaintext authentication
rather than performance. I think MD5 authentication for
HSRP is not available for MSFCs yet. Imagine if a compromised
host were to set a higher priority, grab all the traffic and
basically just do some MITM attacks/sniffing... not nice at all...

Thanks.


> -----Original Message-----
> From: Steve Francis [mailto:steve at expertcity.com] 
> Sent: Wednesday, September 03, 2003 3:09 PM
> To: John Wong, Kok Seng
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] HSRP multicast & switch ports
> 
> 
> John Wong, Kok Seng wrote:
> 
> >Hi all,
> >
> >Sorry if this is an FAQ listed somewhere I couldn't find...
> >
> >How do we prevent HSRP multicasts (224.0.0.2) being flooded
> >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
> >and we're seeing the HSRP multicast packets on all the ports
> >in the HSRP VLAN connected to the switch.
> >
> You don't.  What if you attach a router that you want to participate in
> the HSRP group to one of those switch ports? How would it know not to be
> active w/o the multicasts?
> 
> Two packets per 5 seconds (default), to a multicast group (so most
> machines won't even get NIC interrupts from them) is not something I'd
> worry about.
> 
> >
> >Thanks.
> >
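An added example, not from this thread or from Cisco: a small HSRPv1 decoder plus the audit a defender would run over the hellos every host in the VLAN can see, flagging the default plaintext key and any speaker that is not a known router yet advertises a priority (or a Coup) that would beat the active MSFC. The packet bytes, the ROUTERS baseline and the 10.0.0.x addresses are constructed for the example, not captured traffic.

```python
import struct
from dataclasses import dataclass

HSRP_FMT = "!BBBBBBBB8s4s"   # HSRPv1 header, 20 bytes (RFC 2281), UDP/1985 to 224.0.0.2
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}

@dataclass
class Hsrp:
    opcode: int
    state: int
    priority: int
    group: int
    auth: bytes      # 8-byte plaintext password, zero padded on the wire
    vip: str

def parse_hsrp(payload: bytes) -> Hsrp:
    """Decode the fixed HSRPv1 header; raises on short or non-v1 input."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 header is 20 bytes")
    ver, op, st, _hello, _hold, prio, grp, _rsv, auth, vip = struct.unpack(HSRP_FMT, payload[:20])
    if ver != 0:
        raise ValueError(f"not HSRPv1 (version {ver})")
    return Hsrp(op, st, prio, grp, auth.rstrip(b"\x00"), ".".join(map(str, vip)))

def audit(src_ip: str, payload: bytes, routers: dict[str, int]) -> list[str]:
    """Findings for one packet. `routers` maps each legitimate router IP to its
    configured priority (constructed baseline for the VLAN being watched)."""
    h = parse_hsrp(payload)
    findings = []
    if h.auth == b"cisco":   # the default key; visible in clear to every port
        findings.append(f"group {h.group}: default plaintext key 'cisco' in use")
    if src_ip not in routers:
        findings.append(f"group {h.group}: {OPCODES.get(h.opcode, '?')} from unknown speaker {src_ip}")
        if h.priority > max(routers.values()) or h.opcode == 1:
            findings.append(f"group {h.group}: {src_ip} claims priority {h.priority}, beats active router")
    return findings

def build(op: int, state: int, prio: int, grp: int, auth: bytes, vip: str) -> bytes:
    """Construct a sample HSRPv1 packet (hello 3s / hold 10s) for testing."""
    return struct.pack(HSRP_FMT, 0, op, state, 3, 10, prio, grp, 0,
                       auth.ljust(8, b"\x00"), bytes(int(o) for o in vip.split(".")))

ROUTERS = {"10.0.0.2": 110, "10.0.0.3": 100}   # constructed: MSFC-A active, MSFC-B standby
SAMPLES = [
    ("10.0.0.2", build(0, 16, 110, 1, b"cisco", "10.0.0.1")),   # legitimate active hello
    ("10.0.0.3", build(0, 8, 100, 1, b"cisco", "10.0.0.1")),    # legitimate standby hello
    ("10.0.0.77", build(1, 4, 255, 1, b"cisco", "10.0.0.1")),   # host on an access port
]
REPORT = [(src, audit(src, pkt, ROUTERS)) for src, pkt in SAMPLES]
```

Feeding real captures instead of SAMPLES only needs the UDP payload and source IP of each frame to 224.0.0.2; the REPORT entry for 10.0.0.77 is what a rogue higher-priority speaker looks like to this check.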


