[nsp] HSRP multicast & switch ports

David Sinn dsinn at microsoft.com
Wed Sep 3 12:30:29 EDT 2003


Actually IGMP snooping won't fix this.  HSRP is in the reserved systems
address space which IGMP doesn't filter and therefore doesn't put a
multicast CAM entry in for 01-00-e5-00-00-02.

You could have hacked something together using CGMP and CGMP leaves if
the 6500 supported CGMP.

I haven't played with RGMP, so I can't comment on that.

One way to solve this would be to add the above MAC address in as a
static multicast CAM entry for your routers and interconnect links. 

David

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ariel Brunetto
Sent: Wednesday, September 03, 2003 7:54 AM
To: cisco-nsp at puck.nether.net
Subject: RV: [nsp] HSRP multicast & switch ports

You can run IGMP snooping. CGMP is not supported on Catalyst 6500, but
you can turn on a CGMP server in your Cat6500 MSFC to support CGMP clients.
IGMP snooping is another way to perform the same task, but it's CPU intensive
on higher-traffic LAN segments.

RGMP is a new method to constrain the multicast traffic on a Catalyst 6500.
RGMP forwards the multicast traffic only to those routers that are configured
to receive it via Join/Leave messages. You must have PIM-SM running on the
routers in order for RGMP to work.

RGMP (where available):
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e6f8.html

IGMP Snooping:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e705.html#1020353


Regards,

Ariel Brunetto


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Wong, Kok
Seng
Sent: Wednesday, 03 September 2003 05:15 a.m.
To: cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP multicast & switch ports


Steve,

I was more concerned about the hosts connected to the
switchport being able to "see" the HSRP plaintext authentication
rather than performance. I think MD5 authentication for
HSRP is not available for MSFCs yet. Imagine if a compromised
host were to set a higher priority, grab all the traffic and
basically just do some MITM attacks/sniffing... not nice at all...

Thanks.


> -----Original Message-----
> From: Steve Francis [mailto:steve at expertcity.com]
> Sent: Wednesday, September 03, 2003 3:09 PM
> To: John Wong, Kok Seng
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] HSRP multicast & switch ports
>
>
> John Wong, Kok Seng wrote:
>
> >Hi all,
> >
> >Sorry if this is an FAQ listed somewhere i couldn't find...
> >
> >How do we prevent HSRP multicasts (224.0.0.2) being flooded
> >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
> >and we're seeing the HSRP multicast packets on all the ports
> >in the HSRP VLAN connected to the switch.
> >
> You don't.  What if you attach a router that you want to
> participate in
> the HSRP group to one of those switch ports? How would it
> know not to be
> active w/o the multicasts?
>
> Two packets per 5 seconds (default), to a multicast group ( so most
> machines won't even get NIC interrupts from them) is not something I'd
> worry about.
>
> >
> >Thanks.
> >
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>
>
>

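An added example, not part of any message in this thread: a small Python decoder for the HSRPv1 payload layout (RFC 2281, UDP port 1985 to 224.0.0.2) with a check that flags the symptoms of the scenario John describes, namely HSRP speakers other than the known MSFCs, priorities above what the real routers are configured with, and coup messages. The router addresses, priorities and sample packets are constructed for the example.

```python
import struct
from dataclasses import dataclass

# HSRPv1 payload (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP = 20 bytes.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

@dataclass
class Hsrp:
    src: str
    opcode: str
    state: str
    priority: int
    group: int
    auth: str
    vip: str

def parse_hsrp(src_ip: str, payload: bytes) -> Hsrp:
    """Decode one HSRPv1 payload from a UDP datagram sent by src_ip."""
    if len(payload) < 20:
        raise ValueError("short HSRP payload")
    ver, op, st, _hello, _hold, prio, grp, _res, auth, vip = struct.unpack(HSRP_FMT, payload[:20])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return Hsrp(src_ip, OPCODES.get(op, f"op{op}"), STATES.get(st, f"state{st}"),
                prio, grp, auth.rstrip(b"\0").decode("ascii", "replace"),
                ".".join(map(str, vip)))

def rogue_hsrp(src_ip: str, payload: bytes, routers: set, max_prio: int) -> list:
    """Return the reasons this packet looks like a rogue HSRP speaker (empty = legitimate).
    routers: source IPs of the real MSFCs; max_prio: highest priority configured on them."""
    pkt = parse_hsrp(src_ip, payload)
    reasons = []
    if pkt.src not in routers:
        reasons.append(f"HSRP {pkt.opcode} from non-router {pkt.src}")
    if pkt.priority > max_prio:
        reasons.append(f"priority {pkt.priority} exceeds configured maximum {max_prio}")
    if pkt.opcode == "coup":
        reasons.append("coup message (claims the active role)")
    return reasons

def build_hsrp(opcode: int, state: int, priority: int, group: int,
               auth: bytes = b"cisco", vip: str = "10.1.1.1") -> bytes:
    """Constructed sample payload for testing the check; hello/hold of 3/10 seconds."""
    return struct.pack(HSRP_FMT, 0, opcode, state, 3, 10, priority, group, 0,
                       auth.ljust(8, b"\0"), bytes(int(o) for o in vip.split(".")))
```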


