[c-nsp] HSRP MD5 Authentication and 12.2(18)SX*

Rubens Kuhl Jr. rubensk at gmail.com
Thu Apr 20 09:07:37 EDT 2006


> Regardless of whether you run port level MAC security, or private vlans
> etc, anyone on the subnet can hose the next hop.  The fact that the
> situation could be avoided by using any auth scheme that wasn't a
> throw-back from the 1980's makes this just one more problem we
> shouldn't have to worry about anymore.  Yes, there are still others,
> but this one should be history by now.

If you also do ARP ACLs, you get a group of virtual + real MACs
locked in to a group of uplink ports, and a group of virtual + real
default gateway addresses locked in to those MACs.

The customer telling you what the HSRP password is can be addressed by
putting a simple "vlan327" password, which IMHO gives you the real
benefit of HSRP and VRRP passwords: fault isolation. I really don't
think that I prevented wrongdoing by setting an obscure HSRP password,
but on countless occasions that prevented failures from propagating.


Rubens
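The mitigation described in the post (gateway IPs bound to the virtual and real MACs with an ARP ACL, plus a simple per-VLAN HSRP MD5 key for fault isolation) as an added Cisco IOS configuration example, not from the original message. Addresses, MAC addresses and interface names are constructed; the virtual MAC is the standard HSRPv1 MAC for group 1, and it assumes a Catalyst IOS release with Dynamic ARP Inspection and HSRP MD5 key-chain support.

```cisco
! ARP ACL: only the gateway addresses may be claimed, and only by these MACs.
! 0000.0c07.ac01 is the HSRPv1 virtual MAC for standby group 1;
! the two real MACs are constructed placeholders for the two routers.
arp access-list GATEWAY-ARP
 permit ip host 192.0.2.1 mac host 0000.0c07.ac01
 permit ip host 192.0.2.2 mac host 0011.2233.4455
 permit ip host 192.0.2.3 mac host 0011.2233.6677
!
! Dynamic ARP Inspection on the customer VLAN; the "static" keyword makes
! the ACL the only source of truth (no fallback to DHCP snooping bindings).
ip arp inspection vlan 327
ip arp inspection filter GATEWAY-ARP vlan 327 static
!
! Uplinks to the two HSRP routers are trusted; every other port in
! VLAN 327 stays untrusted, so a host there cannot ARP as the gateway.
interface GigabitEthernet1/1
 description uplink to gateway-1
 ip arp inspection trust
!
interface GigabitEthernet1/2
 description uplink to gateway-2
 ip arp inspection trust
!
! Simple per-VLAN key, as in the post: a mismatched key keeps a
! misconfigured neighbour's HSRP out of this group (fault isolation).
key chain HSRP-VLAN327
 key 1
  key-string vlan327
!
interface Vlan327
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-chain HSRP-VLAN327
```

The second router carries the same key chain and standby group with its own real address (192.0.2.3 here); "show ip arp inspection statistics vlan 327" shows ACL drops for any host that tries to answer for the gateway.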


