HSRP MAC migration

hclisschennai
Level 1

Hi,

I need an idea from your expertise.

For example Switch-A is active

Switch-B is standby

Switch-C connects these two switches and Hosts

When HSRP is configured, as soon as the Active switch or its link goes down, the active MAC is taken over by the Standby switch. Hope I am correct.

During this transition period, the MAC address of Switch-A will be learnt on the fa 0/1 port of Switch-C. When Switch-A is down, the MAC address moves to Switch-B, but the MAC address table of Switch-C still points to fa0/1. Only after aging will it be moved to fa 0/2, where Switch-B is connected.

Hope I understood the concept the right way. How does this actually work?

R.B.Kumar

3 Replies

Giuseppe Larosa
Hall of Fame

Hello R.B. Kumar,

Good note, I had the same thoughts when I first studied HSRP.

The device taking the role of HSRP Active sends a gratuitous ARP, and in doing so it refreshes the CAM table of the switches in the middle; otherwise HSRP would be useless in a switched environment.

So they now know that the VIP MAC is now on port fas0/2.

I did tests on this that confirmed this behaviour in the past.

You can use

sh mac-address-table interface fas0/1

sh mac-address-table interface fas0/2

before and after switchover.

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for your comment.

While getting this concept, suddenly I had another thought; perhaps it is very basic.

What will happen if Host-A with MAC 00:00:00:00:00:01 is connected on Fa0/1 and Host-B (attacker) connects his laptop configured with the same MAC on fa 0/2 and sends a gratuitous ARP? I know it may result in a duplicate error message. But will it erase the CAM entry of Fa0/1, and will Host-B's MAC be entered?

R.B.Kumar

Hello R.B Kumar,

Yes, the last one overrides. If this happens multiple times, error messages about too many moves of MAC xx or MAC address flapping between ports Y and Z appear.

Most MAC attacks are done to fill the CAM table with a brute-force attack:

frames with random source MAC addresses are sent in an attempt to fill the CAM.

If the CAM is full, the switch will behave like a hub and the attacker can perform man-in-the-middle attacks.

Port security can protect from this type of attack.

Then, there are more intelligent attacks that use gratuitous ARP to set up a man-in-the-middle scenario. To protect from this type of attack, DAI (dynamic ARP inspection) together with other features like IP source guard and DHCP snooping can be used.

Hope to help

Giuseppe
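As an added illustration, not code from this thread or from Cisco: a small Python model of Switch-C's CAM table showing why the gratuitous ARP from the new HSRP Active updates the VIP entry immediately rather than waiting for aging (the first reply), and a simple move-counting detector for the "MAC address flapping between ports" condition described in the second reply. Aging time, flap thresholds and port names are assumed example values.

```python
from collections import defaultdict, deque
# Constructed simulation, not code from the thread: a simplified switch CAM
# table with aging, plus a detector for the "MAC address flapping between
# ports" condition. Thresholds and aging time are assumed example values.
AGING_SECONDS = 300      # CAM aging time (assumed default)
FLAP_THRESHOLD = 3       # port moves within FLAP_WINDOW that trigger an alert
FLAP_WINDOW = 10         # seconds
class CamTable:
    def __init__(self):
        self.entries = {}                 # mac -> (port, last_seen)
        self.moves = defaultdict(deque)   # mac -> timestamps of port changes
        self.alerts = []

    def learn(self, mac, port, now):
        """Learn or refresh a source MAC on a port. A gratuitous ARP from the new
        HSRP Active is just a frame sourced from the VIP MAC, so it takes the
        same path and overwrites the stale entry at once, no aging needed."""
        old = self.entries.get(mac)
        if old and old[0] != port:
            q = self.moves[mac]
            q.append(now)
            while q and now - q[0] > FLAP_WINDOW:
                q.popleft()
            if len(q) >= FLAP_THRESHOLD:
                self.alerts.append(f"{mac} flapping between {old[0]} and {port}")
        self.entries[mac] = (port, now)

    def lookup(self, mac, now):
        """Port for mac, or None if never learnt or aged out."""
        e = self.entries.get(mac)
        if e is None or now - e[1] > AGING_SECONDS:
            return None
        return e[0]

def hsrp_failover_demo():
    """Switch-C's view of the HSRP virtual MAC across a failover."""
    cam = CamTable()
    vip = "00:00:0c:07:ac:01"   # HSRP version 1 virtual MAC, group 1
    cam.learn(vip, "Fa0/1", now=0)     # Switch-A (Active) seen on Fa0/1
    stale = cam.lookup(vip, now=20)    # Switch-A died at t=10: entry still Fa0/1
    cam.learn(vip, "Fa0/2", now=20)    # Switch-B's gratuitous ARP arrives on Fa0/2
    return stale, cam.lookup(vip, now=21), cam.alerts

def mac_flap_demo():
    """Two stations sharing 00:00:00:00:00:01 on Fa0/1 and Fa0/2 keep sending;
    each frame re-learns the MAC on the other port until the detector fires."""
    cam = CamTable()
    for t in range(6):
        cam.learn("00:00:00:00:00:01", ["Fa0/1", "Fa0/2"][t % 2], now=t)
    return cam.lookup("00:00:00:00:00:01", now=6), len(cam.alerts)
```

The first demo returns the stale port, the refreshed port and no alerts (one move is normal); the second returns the last-learnt port and three flap alerts, the kind of event a syslog-based detection rule should key on.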
