05-19-2018 07:47 AM - edited 03-08-2019 03:04 PM
Hello guys,
Currently, each user's port on an access switch receives HSRP frames, and for best security we would like to filter/block HSRP packets.
Is it possible?
An architecture example is attached.
Thanks in advance.
05-19-2018 01:07 PM
Hi,
Not sure how that is possible. Also, that is not usually a security concern and does not get flagged by the security team.
HTH
05-20-2018 12:54 AM
What are you talking about??? "that is not usually a security concern"
Please read these articles (in French):
https://www.cert.ssi.gouv.fr/avis/CERTA-2001-AVI-052/
and search on google.com for "HSRP attack".
https://isc.sans.edu/forums/diary/Network+Reliability+Part+2+HSRP+Attacks+and+Defenses/10120/
Or this other post:
05-20-2018 04:23 AM
If you really wanted to, you could block multicast out the port, because that is what HSRP uses. However, you do not want to block all multicast traffic; most likely there is legitimate multicast traffic that you do not want to block. You might need to spin up Wireshark and check what MAC address is being used and block that. But really I wouldn't worry about it.
05-21-2018 02:28 AM
Hello Denis,
I was thinking of making an ACL on each access port, but I can't on the Cisco 2960S.
There is no "ip access-group <> out" command with the 15.0(2)SE11 IOS.
Regards.
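Before deciding how to filter, it helps to confirm what the capture from an access port actually contains. The following is an added example, not code from anyone in this thread: it decodes HSRP v1 payloads (RFC 2281 layout, UDP/1985 to 224.0.0.2) and flags hellos that should not be seen on a user port, namely hellos from a source that is not one of the expected gateway routers, hellos still using the default cleartext authentication string, and hellos advertising an unexpected virtual IP. The expected router addresses, the virtual IP and the two sample packets are constructed assumptions.

```python
"""Audit HSRP v1 hellos captured on an access port (RFC 2281 layout)."""
import struct
from dataclasses import dataclass

HSRP_UDP_PORT = 1985        # HSRP v1 is carried over UDP/1985 to 224.0.0.2
HSRP_V1_MCAST = "224.0.0.2"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
DEFAULT_AUTH = b"cisco"     # default authentication string when none is configured


@dataclass
class HsrpV1:
    src_ip: str
    opcode: int
    state: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp_v1(src_ip: str, payload: bytes) -> HsrpV1:
    """Decode the 20-byte HSRP v1 UDP payload (version byte is 0 for v1)."""
    if len(payload) < 20:
        raise ValueError("HSRP v1 payload must be at least 20 bytes")
    version, opcode, state, _hello, _hold, prio, group, _rsvd = struct.unpack("!8B", payload[:8])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    auth = payload[8:16].rstrip(b"\x00")       # 8-byte NUL-padded cleartext auth field
    vip = ".".join(str(b) for b in payload[16:20])
    return HsrpV1(src_ip, opcode, state, prio, group, auth, vip)


def audit(packets, expected_routers, expected_vip):
    """Return (src_ip, reason) findings for HSRP traffic that does not belong on a user port."""
    findings = []
    for src_ip, payload in packets:
        h = parse_hsrp_v1(src_ip, payload)
        if h.src_ip not in expected_routers:
            findings.append((h.src_ip, f"{OPCODES.get(h.opcode, '?')} from non-router source"))
        if h.auth == DEFAULT_AUTH:
            findings.append((h.src_ip, "default cleartext authentication string"))
        if h.virtual_ip != expected_vip:
            findings.append((h.src_ip, f"unexpected virtual IP {h.virtual_ip}"))
    return findings


def build_hello(priority: int, group: int, auth: bytes, vip: str) -> bytes:
    """Construct a sample HSRP v1 Hello (state 16 = Active) for test data only."""
    vip_bytes = bytes(int(o) for o in vip.split("."))
    return struct.pack("!8B", 0, 0, 16, 3, 10, priority, group, 0) + auth.ljust(8, b"\x00") + vip_bytes


# Constructed sample (assumption): one hello from the real gateway, one from a host on the access VLAN.
SAMPLE = [("10.0.0.2", build_hello(100, 1, b"cisco", "10.0.0.1")),
          ("10.0.0.50", build_hello(100, 1, b"cisco", "10.0.0.1"))]
```

Feed it the (source IP, UDP payload) pairs extracted from a Wireshark/tshark capture on the port in question; an empty finding list with non-empty input means the hellos are legitimate gateway traffic that merely leaks onto the port.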