Beginner

Stop HSRP messages from being sent to hosts

Hi all,

I have HSRP running on a VLAN and also DHCP issuing the default gateway as the standby IP address. The basic security measure of HSRP authentication is enabled too, so no one can hijack the HSRP session unless (the obvious) someone guesses/breaks the key.

So, my question is... Is it possible to stop the multicast HSRP traffic from being sent out of interfaces connected to hosts?

Hall of Fame Cisco Employee

Hi Dan,

So, my question is... Is it possible to stop the multicast HSRP traffic from being sent out of interfaces connected to hosts?

I am not aware of any way of stopping the flood of HSRP traffic to end hosts - honestly, I do not believe there is any.

You apparently want to do this because of security reasons. Let me tell you - the entire authentication in HSRP is useless. It can prevent accepting HSRP messages from a foreign router or a host, but it cannot prevent that router or host from owning the standby IP address, which is what you wanted to prevent in the first place. In fact, if you misconfigure authentication between your legit routers, or if a foreign router not knowing the proper password is connected to the network, you will have multiple Active routers, each of them claiming the same standby IP address. The authentication only worsened the situation here. And why would someone even go to such lengths to start HSRP on his foreign device when he/she could simply statically configure the standby IP address on that device anyway - or resort to ARP spoofing?

So you see, there is really no value in HSRP authentication. In fact, this is why recent VRRP RFCs have dropped the support for authentication altogether (see RFC 5798 Section 9 for the discussion on this).

Best regards,
Peter

Beginner

Hi Peter,

Many thanks for your reply - an interesting read! I have configured the ports on the switch residing in the VLAN as switchport protected as well, so they can't communicate between themselves.

ARP spoofing is something I started to tinker with after I made the original post and seems like it'll do the trick!

Contributor

IGMP snooping

Hall of Fame Cisco Employee

Hi Peter,

Unfortunately, no, IGMP Snooping won't help here. HSRP messages are sent to 224.0.0.2, and this address along with the entire link-local multicast scope 224.0.0.0/24 is exempted from IGMP Snooping. Messages sent to these addresses will always be flooded, regardless of IGMP Snooping.

Best regards,
Peter
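An added example, not from this thread or from Cisco, that follows Peter's two points above: the hellos reach every host because 224.0.0.2 lies in the link-local scope that IGMP snooping never prunes, so a host or monitoring port can at least decode them and alert when an unexpected device, or a second router, goes Active for the same group and standby address. The MAC addresses, key strings and packet bytes are constructed sample data; the field layout is the HSRPv1 header from RFC 2281.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# 224.0.0.0/24 is the link-local multicast scope; switches flood it regardless of IGMP snooping.
LINK_LOCAL_MCAST = IPv4Network("224.0.0.0/24")
HSRP_V1_MCAST = IPv4Address("224.0.0.2")          # HSRPv1 destination (UDP 1985)
STATE_NAMES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def is_always_flooded(dst_ip: str) -> bool:
    """True if a switch cannot prune this destination with IGMP snooping."""
    return IPv4Address(dst_ip) in LINK_LOCAL_MCAST

def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the 20-byte HSRPv1 header (RFC 2281): 8 one-byte fields, 8-byte auth, 4-byte VIP."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP packet")
    version, opcode, state, _hello, _hold, prio, group, _ = struct.unpack("!8B", payload[:8])
    return {"version": version, "opcode": opcode, "state": STATE_NAMES.get(state, state),
            "priority": prio, "group": group,
            "auth": payload[8:16].rstrip(b"\x00").decode("ascii", "replace"),
            "vip": str(IPv4Address(payload[16:20]))}

def find_rogue_actives(frames, allowed_macs):
    """frames: (src_mac, dst_ip, udp_payload) tuples as a host sniffer would see them.
    Alerts on an Active router whose MAC is not in allowed_macs, and on any HSRP group
    with more than one Active router (the split-brain case a mismatched key produces)."""
    alerts, actives = [], {}
    for src_mac, dst_ip, payload in frames:
        if IPv4Address(dst_ip) != HSRP_V1_MCAST:
            continue
        pkt = parse_hsrp_v1(payload)
        if pkt["state"] != "Active":
            continue
        actives.setdefault(pkt["group"], set()).add(src_mac)
        if src_mac not in allowed_macs:
            alerts.append(f"group {pkt['group']}: Active from unknown {src_mac} claiming {pkt['vip']}")
    for group, macs in sorted(actives.items()):
        if len(macs) > 1:
            alerts.append(f"group {group}: {len(macs)} Active routers ({', '.join(sorted(macs))})")
    return alerts

# Constructed sample frames (not a real capture): two legit routers sharing key "cisco" for
# group 1 / VIP 10.0.0.1, plus a third device with a different key that also went Active.
HDR = b"\x00\x00"                                     # version 0, opcode 0 (Hello)
SAMPLE_FRAMES = [
    ("00:11:22:33:44:01", "224.0.0.2", HDR + b"\x10\x03\x0a\x64\x01\x00" + b"cisco\x00\x00\x00" + b"\x0a\x00\x00\x01"),
    ("00:11:22:33:44:02", "224.0.0.2", HDR + b"\x08\x03\x0a\x5a\x01\x00" + b"cisco\x00\x00\x00" + b"\x0a\x00\x00\x01"),
    ("de:ad:be:ef:00:01", "224.0.0.2", HDR + b"\x10\x03\x0a\xff\x01\x00" + b"rogue\x00\x00\x00" + b"\x0a\x00\x00\x01"),
]
LEGIT_ROUTERS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
```

Calling `find_rogue_actives(SAMPLE_FRAMES, LEGIT_ROUTERS)` returns two alerts: the unknown MAC claiming 10.0.0.1, and group 1 having two Active routers at once.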

Contributor

Yes, I wanted to delete my post one minute after posting (-:
