[nsp] HSRP multicast & switch ports

Steve Francis steve at expertcity.com
Wed Sep 3 12:45:58 EDT 2003


John Wong, Kok Seng wrote:

>Steve,
>
>I was more concerned about the hosts connected to the
>switchport being able to "see" the HSRP plaintext authentication
>rather than performance. I think MD5 authentication for
>HSRP is not available for MSFCs yet. Imagine if a compromised
>host were to set a higher priority, grab all the traffic and
>basically just do some MITM attacks/sniffing... not nice at all...
>
Oh, well if it's security from locally attached machines that you don't 
trust, then that's a different issue.
As well as private vlans, MAC level security, rate limiting of ARP 
requests, etc, you need HSRP over IPSec.
See http://www.cisco.com/networkers/nw00/pres/2402.pdf
You could also just apply a vlan acl denying all traffic to 224.0.0.2, 
excepting the routers, and apply it to your host vlan. (Beware tcam 
count issues if you have both IOS and VLAN acls applied).

>
>Thanks.
>
>>-----Original Message-----
>>From: Steve Francis [mailto:steve at expertcity.com] 
>>Sent: Wednesday, September 03, 2003 3:09 PM
>>To: John Wong, Kok Seng
>>Cc: cisco-nsp at puck.nether.net
>>Subject: Re: [nsp] HSRP multicast & switch ports
>>
>>
>>John Wong, Kok Seng wrote:
>>
>>>Hi all,
>>>
>>>Sorry if this is an FAQ listed somewhere i couldn't find...
>>>
>>>How do we prevent HSRP multicasts (224.0.0.2) being flooded
>>>out ALL switch ports? We're running HSRP on Cat6500 MSFCs
>>>and we're seeing the HSRP multicast packets on all the ports
>>>in the HSRP VLAN connected to the switch.
>>>
>>You don't.  What if you attach a router that you want to participate in
>>the HSRP group to one of those switch ports? How would it know not to be
>>active w/o the multicasts?
>>
>>Two packets per 5 seconds (default), to a multicast group (so most
>>machines won't even get NIC interrupts from them) is not something I'd
>>worry about.
>>
>>>Thanks.
>>>
>>>_______________________________________________
>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

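The risk raised in the thread above, a compromised host on the VLAN speaking HSRP with a higher priority, can also be watched for on the wire alongside the VACL and IPSec measures. The script below is an added example and not code from the thread: it decodes HSRPv1 hellos seen on UDP/1985 and flags ones that do not come from the known routers, that out-bid the configured priorities, or whose plaintext auth data does not match. The router inventory, auth string, source addresses and sample packets are constructed assumptions.

```python
import socket
import struct
from collections import namedtuple

# HSRPv1 (RFC 2281) hellos are sent to 224.0.0.2, UDP port 1985, with a
# 20-byte header: version, opcode, state, hellotime, holdtime, priority,
# group, reserved, 8 bytes of plaintext auth data, 4-byte virtual IP.
HSRP_HDR = struct.Struct("!8B8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
HsrpHello = namedtuple("HsrpHello", "src_ip opcode state priority group auth virtual_ip")

# Assumed inventory for the host VLAN (constructed for this example):
# router IP -> configured HSRP priority, plus the group's auth string.
KNOWN_ROUTERS = {"10.0.0.2": 110, "10.0.0.3": 100}
EXPECTED_AUTH = b"cisco"


def parse_hsrp(src_ip, payload):
    """Decode the fixed HSRPv1 header of one UDP/1985 payload."""
    if len(payload) < HSRP_HDR.size:
        raise ValueError("truncated HSRP packet")
    fields = HSRP_HDR.unpack(payload[:HSRP_HDR.size])
    version, opcode, state, _hello, _hold, prio, group, _res, auth, vip = fields
    if version != 0:
        raise ValueError(f"unexpected HSRP version {version}")
    return HsrpHello(src_ip, opcode, state, prio, group,
                     auth.rstrip(b"\0"), socket.inet_ntoa(vip))


def audit_hello(h, known=KNOWN_ROUTERS, auth=EXPECTED_AUTH):
    """Findings worth alerting on: unknown speaker, preempting priority, bad auth."""
    findings = []
    op = OPCODES.get(h.opcode, f"opcode {h.opcode}")
    if h.src_ip not in known:
        findings.append(f"{op} for group {h.group} from non-router {h.src_ip}")
    elif h.priority != known[h.src_ip]:
        findings.append(f"{h.src_ip} advertised priority {h.priority}, expected {known[h.src_ip]}")
    if h.priority > max(known.values()):
        findings.append(f"priority {h.priority} would preempt every known router")
    if h.auth != auth:
        findings.append(f"auth data mismatch from {h.src_ip}")
    return findings


# Constructed sample payloads (hex); both carry group 1 and virtual IP 10.0.0.1.
LEGIT = bytes.fromhex("0000 1003 0a6e 0100 6369 7363 6f00 0000 0a00 0001")
ROGUE = bytes.fromhex("0001 0403 0aff 0100 6369 7363 6f00 0000 0a00 0001")

if __name__ == "__main__":
    for src, pkt in (("10.0.0.2", LEGIT), ("10.0.0.50", ROGUE)):
        print(src, audit_hello(parse_hsrp(src, pkt)) or ["ok"])
```

Feed it the UDP payloads and source IPs from a capture or span session on the host VLAN; because HSRPv1 auth is plaintext, the auth check only catches careless senders, which is why the source-address and priority checks carry the weight.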