Re: HSRP filtering on access switch

jeremytetart · ‎05-19-2018

Hello guys,

Currently, each user's port on an access switch receive HSRP frame and for best security we would like to filter/block HSRP packet.

Is it possible ?

In attachment an architecture example.

Thank in advance.

Reza Sharifi · ‎05-19-2018

Hi,

Not sure how that is possible. Also, that is not usually a security concern and does not get flapped by the security team.

HTH

jeremytetart · ‎05-20-2018

What are you talking about ???? "that is not usually a security concern"

Please read these articles "in French"

https://www.cert.ssi.gouv.fr/avis/CERTA-2001-AVI-052/

and search on google.com, HSRP attack.

https://isc.sans.edu/forums/diary/Network+Reliability+Part+2+HSRP+Attacks+and+Defenses/10120/

Or this other post:

https://supportforums.cisco.com/t5/other-network-infrastructure/hsrp-rfc-2281-cms-2950t-24/td-p/337005

Dennis Mink · ‎05-20-2018

If you really wanted you can block multicasting out the port, because that is what HSRP uses. however, you do not want to block all multicast traffic most likely there is legit multicast traffic that you do not want to block. you might need to spin up wireshark and check what mac address is being used and block that. but really i wouldnt worry about it.

Please remember to rate useful posts, by clicking on the stars below.

jeremytetart · ‎05-21-2018

Hello Denis,

I thinking make an acl on each access port but I can't on Cisco 2960s.

There is not command Ip access-group <> out with the 15.0(2)SE11 IOS.

Regards.