It's not the best solution but if you're really worried you could create an
access-list (see configs below). HSRP uses UDP port 1985 and the destination
address is to all routers (224.0.0.2). Perfect solution? No. Better than
nothing? Yes.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
[EMAIL PROTECTED]
(925) 260-2724

!
hostname R1
!
interface Ethernet 0
 ip address 192.168.1.1 255.255.255.0
 standby ip 192.168.1.254
 standby authentication c!sc0b2b
 ip access-group 100 in
!
! Permit HSRP (UDP 1985 to 224.0.0.2) only from the peer R2, drop any other
! HSRP packet, then let all remaining traffic through.
access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
access-list 100 deny udp any eq 1985 any eq 1985
access-list 100 permit ip any any


!
hostname R2
!
interface Ethernet 0
 ip address 192.168.1.2 255.255.255.0
 standby ip 192.168.1.254
 standby authentication c!sc0b2b
 ip access-group 100 in
!
! Mirror image of R1: only the peer R1 may send HSRP to 224.0.0.2.
access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
access-list 100 deny udp any eq 1985 any eq 1985
access-list 100 permit ip any any



> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jacques Atlas
> Sent: Monday, May 07, 2001 11:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
>
> On Tue, 8 May 2001, Curtis Call wrote:
>
> |In other words always use authentication.
>
> I don't think the authentication in clear text is going to help,
> the solution from the vendor is to run HSRP with IPSec.
>
> --
> jacques
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3566&t=3534
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
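To see what the access-list in the post actually does and does not filter, here is a small simulator, added alongside the thread and not Cisco IOS or the author's code. It parses R1's three ACEs (only the `host` and `any` address forms the post uses are supported), applies IOS first-match semantics with the implicit trailing deny, and runs four constructed packets through it: the peer's HSRP hello, an HSRP packet from some other LAN host, ordinary TCP traffic, and a ping to the router. The packet values are made up for the example.

```python
"""Simulate R1's HSRP-filtering access-list against constructed packets.

Added example, not part of the original post; the ACL text is the one the
post applies inbound on R1's Ethernet 0, the packets are constructed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

R1_ACL_TEXT = """
access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
access-list 100 deny udp any eq 1985 any eq 1985
access-list 100 permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: IPv4Network
    sport: Optional[int]        # None = any source port
    dst: IPv4Network
    dport: Optional[int]        # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in self.src or IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' (the only address forms the post's ACL uses)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")


def _port(tokens):
    """Consume an optional 'eq N' port qualifier."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


R1_ACL = parse_acl(R1_ACL_TEXT)

# Constructed sample packets arriving inbound on R1's Ethernet 0.
SAMPLES = {
    "peer_hello":  Packet("192.168.1.2", "224.0.0.2", "udp", 1985, 1985),    # R2's HSRP hello
    "rogue_hello": Packet("192.168.1.77", "224.0.0.2", "udp", 1985, 1985),   # HSRP from a LAN host
    "web":         Packet("192.168.1.77", "10.0.0.5", "tcp", 40000, 80),     # ordinary user traffic
    "icmp":        Packet("192.168.1.77", "192.168.1.1", "icmp"),            # ping to the router
}


def verdicts() -> dict:
    """Verdict per sample packet: peer HSRP permitted, other HSRP denied, rest permitted."""
    return {name: evaluate(R1_ACL, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:12s} {verdict}")
```

Running it shows the peer's hello permitted by the first ACE, the other host's HSRP packet caught by the second, and everything else falling through to `permit ip any any`. It also makes the limitation visible that the post itself concedes: the first ACE can only look at the source address, so any UDP 1985 packet carrying R2's address is indistinguishable from R2's own hello. That is why the ACL is "better than nothing" rather than a replacement for the vendor's IPsec recommendation quoted below it.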
