[nsp] HSRP multicast & switch ports
Andrey Zimin
horgi at mtu.ru
Thu Sep 4 02:08:26 EDT 2003
Hmm, good question.
Possibly 'block unknown multicast' can help.
Possibly a MAC ACL.
I will try.
Good luck !
======================
Andrey Zimin | AVZ7-RIPE
MTU-Intel ISP
Moscow, Russia
======================
----- Original Message -----
From: "John Wong, Kok Seng" <JohnWong at crimsonlogic.com>
To: <cisco-nsp at puck.nether.net>
Sent: Wednesday, September 03, 2003 12:15 PM
Subject: RE: [nsp] HSRP multicast & switch ports
> Steve,
>
> I was more concerned about the hosts connected to the
> switchport being able to "see" the HSRP plaintext authentication
> rather than performance. I think MD5 authentication for
> HSRP is not available for MSFCs yet. Imagine if a compromised
> host were to set a higher priority, grab all the traffic and
> basically just do some MITM attacks/sniffing... not nice at all...
>
> Thanks.
>
>
> > -----Original Message-----
> > From: Steve Francis [mailto:steve at expertcity.com]
> > Sent: Wednesday, September 03, 2003 3:09 PM
> > To: John Wong, Kok Seng
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [nsp] HSRP multicast & switch ports
> >
> >
> > John Wong, Kok Seng wrote:
> >
> > >Hi all,
> > >
> > >Sorry if this is an FAQ listed somewhere I couldn't find...
> > >
> > >How do we prevent HSRP multicasts (224.0.0.2) being flooded
> > >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
> > >and we're seeing the HSRP multicast packets on all the ports
> > >in the HSRP VLAN connected to the switch.
> > >
> > You don't. What if you attach a router that you want to
> > participate in
> > the HSRP group to one of those switch ports? How would it
> > know not to be
> > active w/o the multicasts?
> >
> > Two packets per 5 seconds (default), to a multicast group ( so most
> > machines won't even get NIC interrupts from them) is not something I'd
> > worry about.
> >
> > >
> > >Thanks.
> > >
> > >_______________________________________________
> > >cisco-nsp mailing list cisco-nsp at puck.nether.net
> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >archive at http://puck.nether.net/pipermail/cisco-nsp/
>
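As an added example (not from this thread, and not Cisco code), the concern John raises applied from the defender's side: decode the HSRP v1 hellos (RFC 2281, UDP/1985) that every host on the VLAN can see, and flag any that come from a MAC other than the known MSFCs, claim a priority above the ones configured, or still carry the default plaintext authentication string. The router MACs, priorities and sample packets below are constructed.

```python
"""Audit HSRP v1 hellos seen on a VLAN against a known-router inventory.
Added example; the MACs, priorities and packets are constructed values."""
import struct

# RFC 2281 fixed header: version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_V1_FMT = ">BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)  # 20 bytes
OPCODES = {0: "hello", 1: "coup", 2: "resign"}

# Assumed inventory: the two MSFCs that legitimately run the group.
KNOWN_ROUTERS = {"00:0a:0a:0a:0a:01": 110, "00:0a:0a:0a:0a:02": 100}

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the fixed 20-byte HSRP v1 header from a UDP/1985 payload."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("short HSRP payload")
    ver, op, state, _hello, _hold, prio, group, _rsvd, auth, vip = \
        struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    return {"opcode": OPCODES.get(op, op), "state": state, "priority": prio,
            "group": group, "vip": ".".join(str(b) for b in vip),
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace")}

def audit(frames, known=KNOWN_ROUTERS):
    """Return one alert string per anomaly in a list of (src MAC, payload)."""
    alerts = []
    ceiling = max(known.values())
    for src_mac, payload in frames:
        h = parse_hsrp_v1(payload)
        who = f"{src_mac} group {h['group']}"
        if src_mac not in known:
            alerts.append(f"{who}: HSRP {h['opcode']} from unknown MAC")
        if h["priority"] > ceiling:
            alerts.append(f"{who}: priority {h['priority']} exceeds expected {ceiling}")
        if h["auth"] == "cisco":
            alerts.append(f"{who}: default plaintext auth string in use")
    return alerts

# Constructed sample frames: (source MAC, HSRP payload as hex).
SAMPLE = [
    ("00:0a:0a:0a:0a:01", bytes.fromhex("00001003 0a6e0100 73336372 65740000 0a000001")),
    ("00:0a:0a:0a:0a:02", bytes.fromhex("00000803 0a640100 73336372 65740000 0a000001")),
    ("00:de:ad:be:ef:01", bytes.fromhex("00001003 0aff0100 63697363 6f000000 0a000001")),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```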