[nsp] HSRP multicast & switch ports

John Wong, Kok Seng JohnWong at crimsonlogic.com
Thu Sep 4 11:56:04 EDT 2003


Hi all,

Based on the feedback I've received (thanks to all who've
replied), here's a summary :-

- IGMP snooping won't filter HSRP Multicasts. So no point
enabling IGMP snooping on the switch for this.
RGMP and CGMP might work but it's only speculation. But
assuming these work, a host on the VLAN can just "join"
the HSRP Multicast group and still be able to view HSRP
packets right?

- HSRP over IPSec. Revolutionary... but has anyone actually
done this?

- VLAN ACL. Prevent hosts from sending to 224.0.0.2. Will
solve the problem (I think). Hosts still see the HSRP packets,
so might as well disable authentication for HSRP.

Thanks to all for the enlightenment....



> -----Original Message-----
> From: David Sinn [mailto:dsinn at microsoft.com] 
> Sent: Thursday, September 04, 2003 2:30 AM
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] HSRP multicast & switch ports
> 
> 
> Actually IGMP snooping won't fix this.  HSRP is in the
> reserved systems address space which IGMP doesn't filter and
> therefore doesn't put a multicast CAM entry in for 01-00-e5-00-00-02.
> 
> You could have hacked something together using CGMP and CGMP
> leaves if the 6500 supported CGMP.
> 
> I haven't played with RGMP, so I can't comment on that.
> 
> One way to solve this would be to add the above MAC address in as a
> static multicast CAM entry for your routers and interconnect links. 
> 
> David
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ariel Brunetto
> Sent: Wednesday, September 03, 2003 7:54 AM
> To: cisco-nsp at puck.nether.net
> Subject: RV: [nsp] HSRP multicast & switch ports
> 
> You can run IGMP snooping. CGMP is not supported on Catalyst 6500, but
> you can turn on a CGMP server in your Cat6500 MSFC to support CGMP clients.
> IGMP Snooping is another way to perform the same task, but it's
> cpu intensive on higher traffic lan segments.
> 
> RGMP is a new method to constrain the multicast traffic on a Catalyst
> 6500. RGMP forwards the multicast traffic to only those routers that are
> configured to receive it via Join/Leave messages. You must have PIM-SM
> running on routers in order for RGMP to work.
> 
> RGMP (where available):
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e6f8.html
> 
> IGMP Snooping:
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e705.html#1020353
> 
> 
> Regards,
> 
> Ariel Brunetto
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Wong, Kok
> Seng
> Sent: Wednesday, September 03, 2003 05:15 a.m.
> To: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] HSRP multicast & switch ports
> 
> 
> Steve,
> 
> I was more concerned about the hosts connected to the
> switchport being able to "see" the HSRP plaintext authentication
> rather than performance. I think MD5 authentication for
> HSRP is not available for MSFCs yet. Imagine if a compromised
> host were to set a higher priority, grab all the traffic and
> basically just do some MITM attacks/sniffing... not nice at all...
> 
> Thanks.
> 
> 
> > -----Original Message-----
> > From: Steve Francis [mailto:steve at expertcity.com]
> > Sent: Wednesday, September 03, 2003 3:09 PM
> > To: John Wong, Kok Seng
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [nsp] HSRP multicast & switch ports
> >
> >
> > John Wong, Kok Seng wrote:
> >
> > >Hi all,
> > >
> > >Sorry if this is an FAQ listed somewhere i couldn't find...
> > >
> > >How do we prevent HSRP multicasts (224.0.0.2) being flooded
> > >out ALL switch ports? We're running HSRP on Cat6500 MSFCs
> > >and we're seeing the HSRP multicast packets on all the ports
> > >in the HSRP VLAN connected to the switch.
> > >
> > You don't.  What if you attach a router that you want to
> > participate in
> > the HSRP group to one of those switch ports? How would it
> > know not to be
> > active w/o the multicasts?
> >
> > Two packets per 5 seconds (default), to a multicast group (so most
> > machines won't even get NIC interrupts from them) is not
> > something I'd worry about.
> >
> > >
> > >Thanks.
> > >
> > >_______________________________________________
> > >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > >
> >
> >
> >
> 
> 
> 
> 
> 
> 
> 
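The thread turns on three facts: 224.0.0.2 sits in the link-local multicast range that IGMP snooping never prunes, so every host on the VLAN receives the hellos; HSRPv1 carries its authentication string in plaintext inside those hellos; and a host that can send to 224.0.0.2 can announce a higher priority. The following example is added here and is not code from any of the posters. It decodes HSRPv1 packets laid out as in RFC 2281, derives the Ethernet multicast MAC for the group address, and runs a simple rogue-speaker check over constructed sample frames; the router addresses, MACs and priorities are assumptions for illustration.

```python
"""HSRPv1 decode and rogue-hello detection (added example, not from the thread).

Assumes the RFC 2281 HSRPv1 layout: 20 bytes carried in UDP/1985 to 224.0.0.2.
All frames below are constructed samples, not captures from any poster's network.
"""
import ipaddress
import struct

HSRP_GROUP_IP = ipaddress.IPv4Address("224.0.0.2")
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")  # never pruned by IGMP snooping

# RFC 2281 fields: version, opcode, state, hellotime, holdtime,
# priority, group, reserved, authdata[8], virtual IP[4]
HSRP_FMT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)  # 20 bytes

OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def is_link_local_mcast(ip):
    """True for 224.0.0.0/24, the range switches flood to every port in the VLAN."""
    return ipaddress.IPv4Address(ip) in LINK_LOCAL_MCAST


def mcast_mac(ip):
    """Map an IPv4 multicast address to its Ethernet MAC (RFC 1112): 01-00-5e + low 23 bits."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError("not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def parse_hsrp(payload):
    """Decode one HSRPv1 payload into a dict; ValueError on short or non-v1 input."""
    if len(payload) < HSRP_LEN:
        raise ValueError("short HSRP payload")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    if ver != 0:
        raise ValueError("not HSRPv1")
    return {
        "opcode": OPCODES.get(op, op),
        "state": STATES.get(state, state),
        "hellotime": hello,
        "holdtime": hold,
        "priority": prio,
        "group": group,
        # authdata is a NUL-padded plaintext string; any host receiving the flooded
        # hello can read it, which is the exposure the thread is worried about.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "vip": str(ipaddress.IPv4Address(vip)),
    }


def build_hsrp(op=0, state=16, prio=100, group=1, auth=b"cisco", vip="10.0.0.1", hello=3, hold=10):
    """Build a constructed HSRPv1 payload for the sample frames below."""
    return struct.pack(HSRP_FMT, 0, op, state, hello, hold, prio, group, 0,
                       auth.ljust(8, b"\x00"), ipaddress.IPv4Address(vip).packed)


def flag_rogue(frames, known_routers, group, vip):
    """Report HSRP speakers for (group, vip) that are not known routers, or known
    routers announcing more than their configured priority.

    frames: iterable of (src_mac, src_ip, payload); known_routers: {src_ip: max_priority}.
    Returns a list of (reason, src_ip).
    """
    alerts = []
    for _src_mac, src_ip, payload in frames:
        try:
            h = parse_hsrp(payload)
        except ValueError as e:
            alerts.append(("malformed: %s" % e, src_ip))
            continue
        if h["group"] != group or h["vip"] != vip:
            continue  # some other group; out of scope for this check
        if src_ip not in known_routers:
            alerts.append(("unknown speaker sent %s with priority %d" % (h["opcode"], h["priority"]), src_ip))
        elif h["priority"] > known_routers[src_ip]:
            alerts.append(("priority %d exceeds configured %d" % (h["priority"], known_routers[src_ip]), src_ip))
    return alerts


# Constructed sample frames (assumed addresses): two legitimate MSFCs and one host
# on the same VLAN sending a coup with priority 255 for the same group.
SAMPLE_FRAMES = [
    ("00:00:0c:11:11:11", "10.0.0.2", build_hsrp(prio=110, state=16)),
    ("00:00:0c:22:22:22", "10.0.0.3", build_hsrp(prio=100, state=8)),
    ("00:11:22:33:44:55", "10.0.0.50", build_hsrp(op=1, prio=255, state=4)),
]
KNOWN_ROUTERS = {"10.0.0.2": 110, "10.0.0.3": 100}

if __name__ == "__main__":
    print(HSRP_GROUP_IP, "->", mcast_mac(HSRP_GROUP_IP), "link-local:", is_link_local_mcast(HSRP_GROUP_IP))
    for _mac, ip, payload in SAMPLE_FRAMES:
        print(ip, parse_hsrp(payload))
    for reason, ip in flag_rogue(SAMPLE_FRAMES, KNOWN_ROUTERS, group=1, vip="10.0.0.1"):
        print("ALERT", ip, reason)
```

The check is intentionally narrow: a known router raising its own priority (a config change) and a coup from an address that was never a router both surface as alerts, while hellos for other groups are ignored. Feeding it frames from a span port on the HSRP VLAN gives the visibility the thread says cannot be removed from the hosts themselves, and pairs naturally with the VLAN ACL on 224.0.0.2 that the summary proposes.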


