Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

How to secure hsrp

I'm testing the implementation of HSRP and VRRP, I would like to know how can I secure hrsp against this this type attack :

The 12.1.x IOS implementation of HSRP fails to check the IP address of the

phantom router against the IP address of the interface on which HSRP is

running when the IP is advertised from the remote host using IRPAS. This

results in a conflict over the IP address for the interface, bypassing

normal sanity checks.

An obvious DoS condition is created, since the phantom router can be

remotely given an IP address of a local interface through which packets

enter the Active router, thus leading to a loop.

The protocol is easily subverted by an active intruder on the LAN.

This can result in a packet black hole and a denial-of-service


Should I use IPSEC ? it is more secure to use VRRP instead of HSRP ?


Re: How to secure hsrp

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center ( or speak with a TAC engineer. You can open a TAC case online at

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

CreatePlease to create content