[c-nsp] securing a vrrp setup

bangky mailinglist at bangky.net
Fri Dec 28 07:10:56 EST 2007


Hi,

Thanks for replying to my question.

1)    Ah yes, it did slip my mind. Thanks for pointing this out.

3)    Thanks for the suggestion.

4)    Apologies if I phrased it wrongly but I didn't mean to refer to
      any running of a routing protocol.
      All I meant to ask was whether there is any way of preventing
      illegal VRRP updates from altering the topology of the network
      (i.e. changing the default gateway).

Thank you for taking your time to reply to my query and have a nice day.
--
bangky
     

Joerg Mayer wrote:
> 1) It shouldn't be "more silent": Isn't there a syslog message/trap
>    indicating that someone else has become master?
> 2) Use IPSEC with AH (as the RFC proposes)
> 3) Use port/vlan ACLs preventing a user port/address from sending
>    VRRP packets.
> 4) Normally you don't use VRRP where you could use a routing protocol
>    instead - in the default gateway for end user machines is not a
>    scenario where you could (realistically) run a routing protocol,
>    so you are comparing apples with oranges here.
>
>     ciao
>         Joerg
>   
>
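
The thread is about keeping an unauthorised VRRP advertisement from taking over the default gateway. As an added example (not part of the original messages and not Cisco code), here is a monitoring-side check of one captured IPv4 packet, assuming VRRPv2 as specified in RFC 3768 and a known list of legitimate router addresses. The function names, the allowlist and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import struct

VRRP_PROTO = 112                                   # IP protocol number of VRRP
VRRP_GROUP = ipaddress.ip_address("224.0.0.18")    # VRRP multicast group

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (IPv4 style), as VRRPv2 uses."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_vrrp(packet: bytes, allowed_routers: set):
    """Findings for one raw IPv4 packet: [] = acceptable, None = not VRRP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != VRRP_PROTO:
        return None
    ihl = (packet[0] & 0x0F) * 4
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    vrrp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    if len(vrrp) < 8:
        return ["truncated VRRP message"]
    findings = []
    if packet[8] != 255:               # RFC 3768: receivers must require TTL 255
        findings.append(f"TTL {packet[8]}, not 255 (not sent on the local link)")
    if dst != VRRP_GROUP:
        findings.append(f"destination {dst} is not {VRRP_GROUP}")
    if vrrp[0] != 0x21:                # version 2, type 1 (ADVERTISEMENT)
        findings.append(f"unexpected version/type byte 0x{vrrp[0]:02x}")
    if inet_checksum(vrrp) != 0:       # sum over a valid message folds to zero
        findings.append("bad VRRP checksum")
    if src not in allowed_routers:     # allowlist is an assumption of this example
        findings.append(f"unlisted source {src} claims VRID {vrrp[1]}, priority {vrrp[2]}")
    return findings

def build_advert(src: str, ttl: int, vrid: int, prio: int, vip: str) -> bytes:
    """Constructed sample: IPv4 + VRRPv2 advertisement (IP checksum left 0)."""
    body = struct.pack("!BBBBBBH4s8s", 0x21, vrid, prio, 1, 0, 1, 0,
                       ipaddress.ip_address(vip).packed, b"\x00" * 8)
    body = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(body), 0, 0, ttl,
                     VRRP_PROTO, 0, ipaddress.ip_address(src).packed,
                     VRRP_GROUP.packed)
    return ip + body

# Constructed allowlist: the two legitimate routers of the VRRP group.
ROUTERS = {ipaddress.ip_address("192.0.2.2"), ipaddress.ip_address("192.0.2.3")}
if __name__ == "__main__":
    print(check_vrrp(build_advert("192.0.2.77", 255, 1, 254, "192.0.2.1"), ROUTERS))
```

A source-address allowlist only flags advertisements from addresses that are not on it; it complements, rather than replaces, the port/VLAN ACLs and authentication suggested in the reply.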


