[nsp] HSRP multicast & switch ports

Fernando Mayo fernando.mayo at acens.com
Wed Sep 3 18:40:27 EDT 2003


Hi,

In such a topology, if you enable the "igmp snooping querier" feature in
the VLAN, multicast packets will only be forwarded to the ports which have
joins to that multicast group.

IGMP snooping should also be enabled, but it is enabled by default.

Regards,

Fernando

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Wong, Kok
> Seng
> Sent: Wednesday, 03 September 2003 10:15
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] HSRP multicast & switch ports
> 
> 
> Steve,
> 
> I was more concerned about the hosts connected to the
> switchport being able to "see" the HSRP plaintext authentication
> rather than performance. I think MD5 authentication for
> HSRP is not available for MSFCs yet. Imagine if a compromised
> host were to set a higher priority, grab all the traffic and
> basically just do some MITM attacks/sniffing... not nice at all...
> 
> Thanks.
> 
> 
> > -----Original Message-----
> > From: Steve Francis [mailto:steve at expertcity.com] 
> > Sent: Wednesday, September 03, 2003 3:09 PM
> > To: John Wong, Kok Seng
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [nsp] HSRP multicast & switch ports
> > 
> > 
> > John Wong, Kok Seng wrote:
> > 
> > >Hi all,
> > >
> > >Sorry if this is an FAQ listed somewhere i couldn't find...
> > >
> > >How do we prevent HSRP multicasts (224.0.0.2) being flooded
> > >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
> > >and we're seeing the HSRP multicast packets on all the ports
> > >in the HSRP VLAN connected to the switch.
> > >
> > You don't.  What if you attach a router that you want to 
> > participate in 
> > the HSRP group to one of those switch ports? How would it 
> > know not to be 
> > active w/o the multicasts?
> > 
> > Two packets per 5 seconds (default), to a multicast group (so most
> > machines won't even get NIC interrupts from them) is not something I'd
> > worry about.
> > 
> > >
> > >Thanks.
> > >
> > >_______________________________________________
> > >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >  
> > >
> > 
> > 
> > 
> 


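As an added example (not code from any of the posts above): HSRP version 1 hellos are sent to 224.0.0.2, UDP port 1985, with a fixed 20-byte body that carries the authentication string in clear. The decoder below shows exactly what any host receiving those hellos can read, and a small audit over a constructed capture flags packets from addresses other than the known routers, priorities above the legitimate maximum, and the RFC 2281 default string "cisco". The addresses, group number, priorities and auth string are made up for the example. One caveat on the querier suggestion: 224.0.0.0/24 is the link-local range, hosts do not send IGMP reports for it, and IGMP snooping on Catalyst switches floods those groups to every port in the VLAN regardless, so the hellos stay visible; in later IOS releases `standby <group> authentication md5 key-string <key>` is what takes the key off the wire.

```python
"""HSRP v1 (RFC 2281) decoder and a capture audit. Added example; sample
packets are constructed locally, not captured from a real network."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# HSRP v1 body: version, opcode, state, hellotime, holdtime, priority, group,
# reserved, 8-byte authentication data, 4-byte virtual IP (20 bytes total).
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)  # 20
HSRP_UDP_PORT = 1985
HSRP_GROUP_ADDR = "224.0.0.2"

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = "cisco"  # RFC 2281 default authentication data


@dataclass
class HsrpV1:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str        # plaintext authentication string, readable by every receiver
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode one HSRP v1 UDP payload; raises ValueError on malformed input."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError(f"HSRP v1 body is {HSRP_V1_LEN} bytes, got {len(payload)}")
    (version, opcode, state, hellotime, holdtime, priority,
     group, _reserved, auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError(f"not HSRP v1 (version byte {version})")
    return HsrpV1(
        opcode=OPCODES.get(opcode, f"unknown({opcode})"),
        state=STATES.get(state, f"unknown({state})"),
        hellotime=hellotime,
        holdtime=holdtime,
        priority=priority,
        group=group,
        auth=auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        virtual_ip=".".join(str(b) for b in vip),
    )


def encode_hsrp_v1(opcode: int, state: int, priority: int, group: int, auth: str,
                   virtual_ip: str, hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Build an HSRP v1 body; used here only to construct sample packets."""
    auth_bytes = auth.encode("ascii")
    if len(auth_bytes) > 8:
        raise ValueError("HSRP v1 authentication data is at most 8 bytes")
    vip = bytes(int(octet) for octet in virtual_ip.split("."))
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth_bytes.ljust(8, b"\x00"), vip)


def audit_hsrp(observed: Iterable[Tuple[str, bytes]], trusted_routers: set,
               max_trusted_priority: int) -> List[Tuple[str, str]]:
    """Flag HSRP packets a compromised host could use to win the election.

    observed: (source IP, UDP payload) pairs as seen on the VLAN.
    Returns (source IP, reason) findings; empty list means nothing suspicious.
    """
    findings: List[Tuple[str, str]] = []
    for src, payload in observed:
        pkt = parse_hsrp_v1(payload)
        if src not in trusted_routers:
            findings.append((src, f"{pkt.opcode} for group {pkt.group} from a non-router source"))
        if pkt.priority > max_trusted_priority:
            findings.append((src, f"priority {pkt.priority} exceeds trusted maximum {max_trusted_priority}"))
        if pkt.auth == DEFAULT_AUTH:
            findings.append((src, "default authentication string in use"))
    return findings


# Constructed sample capture: the two real routers for group 1, plus a host
# that replays the sniffed auth string with priority 255 to take over.
TRUSTED_ROUTERS = {"10.1.1.2", "10.1.1.3"}
SAMPLE_CAPTURE = [
    ("10.1.1.2", encode_hsrp_v1(0, 16, 110, 1, "s3cr3t", "10.1.1.1")),   # Hello, Active
    ("10.1.1.3", encode_hsrp_v1(0, 8, 100, 1, "s3cr3t", "10.1.1.1")),    # Hello, Standby
    ("10.1.1.50", encode_hsrp_v1(0, 16, 255, 1, "s3cr3t", "10.1.1.1")),  # Hello from a host
]

if __name__ == "__main__":
    for src, payload in SAMPLE_CAPTURE:
        print(src, parse_hsrp_v1(payload))
    for src, reason in audit_hsrp(SAMPLE_CAPTURE, TRUSTED_ROUTERS, 110):
        print("ALERT", src, reason)
```

Running the block prints the decoded hellos, auth string included, followed by two alerts for 10.1.1.50. Feeding it real traffic only needs a UDP socket bound to port 1985 joined to 224.0.0.2, or payloads pulled from a pcap; the audit deliberately keys on source address and priority rather than on the auth string, since the thread's point is that the string itself is no secret.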