RE: two vrrp questions

From: Scott Vermillion (scott_ccie_list@it-ag.com)
Date: Sat Jan 03 2009 - 16:32:46 ARST


Hi Wouter,

We get so caught up in Cisco documentation and vendor training material, we
sometimes forget about RFCs!

In answer to question one, from RFC 3768:

"7.3. Virtual Router MAC Address

The virtual router MAC address associated with a virtual router is an IEEE
802 MAC Address in the following format:

00-00-5E-00-01-{VRID} (in hex in internet standard bit-order)

The first three octets are derived from the IANA's OUI. The next two octets
(00-01) indicate the address block assigned to the VRRP protocol. {VRID} is
the VRRP Virtual Router Identifier. This mapping provides for up to 255
VRRP routers on a network."

In answer to question 2, it's a security feature:

"Independent of any authentication type VRRP includes a mechanism (setting
TTL=255, checking on receipt) that protects against VRRP packets being
injected from another remote network. This limits most vulnerabilities to
local attacks."

What this is saying is that if VRRP routers were to merely validate that TTL
was "1" inbound, then somebody n hops away could initialize TTL such that it
was 1 inbound when it reached the target of the attack. Whereas if VRRP
routers are configured to look for "255" inbound, then an attacker would
somehow have to figure out how to get intermediate routers to not decrement
TTL, which seems fairly unlikely!

Regards,

Scott
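
Both answers above can be checked in a few lines. The following is an added example, not code from the thread or from RFC 3768: it derives the RFC 3768 virtual MAC for a VRID, derives the standard multicast MAC that 224.0.0.18 would have mapped to, compares the I/G bit of each, and models the TTL=255 receive check against the weaker "TTL must be 1" check that Scott describes (the function names and the hop-count model are my own constructions).

```python
import ipaddress
from typing import Optional

VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")  # VRRP multicast group (RFC 3768)


def vrrp_virtual_mac(vrid: int) -> str:
    """Virtual router MAC per RFC 3768 section 7.3: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def ipv4_multicast_mac(group: ipaddress.IPv4Address) -> str:
    """Ordinary IPv4 multicast-to-MAC mapping: 01-00-5E + low 23 bits of the group."""
    if not group.is_multicast:
        raise ValueError("not an IPv4 multicast address")
    low23 = int(group) & 0x7FFFFF
    return "01:00:5e:" + ":".join(f"{(low23 >> s) & 0xFF:02x}" for s in (16, 8, 0))


def is_group_mac(mac: str) -> bool:
    """The I/G bit is the least-significant bit of the first octet (1 = group)."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def ttl_on_arrival(initial_ttl: int, hops: int) -> Optional[int]:
    """Constructed hop model: every router in the path decrements TTL by one;
    a packet whose TTL reaches 0 in transit is dropped (None)."""
    ttl = initial_ttl - hops
    return ttl if ttl > 0 else None


def accepted_by_vrrp(ttl_received: Optional[int]) -> bool:
    """RFC 3768 receiver check: the TTL must still be exactly 255 on arrival,
    which only a sender on the local link can satisfy."""
    return ttl_received == 255


def accepted_by_weak_check(ttl_received: Optional[int]) -> bool:
    """The hypothetical weaker check from the reply: accept whatever arrives with TTL 1.
    A sender n hops away can pre-set TTL to n+1 and pass it."""
    return ttl_received == 1


if __name__ == "__main__":
    print(vrrp_virtual_mac(1), ipv4_multicast_mac(VRRP_GROUP))
    print("local:", accepted_by_vrrp(ttl_on_arrival(255, 0)))
    print("3 hops away, strict:", accepted_by_vrrp(ttl_on_arrival(255, 3)))
    print("3 hops away, weak:", accepted_by_weak_check(ttl_on_arrival(4, 3)))
```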

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Wouter Prins
Sent: Saturday, January 03, 2009 4:35 AM
To: Cisco certification
Subject: two vrrp questions

hi group,

I was wondering the following, and hope someone can clarify it a bit
more for me. :)

1.) VRRP uses multicast group 224.0.0.18 and has a MAC address of
00:00:5e:00:01:<vrid> (I/G bit set to zero, so a unicast MAC address).
What I know is that when converting a multicast IP to a MAC address
you should map it the following way: 01:00:5e + <23 bits here>.
Why hasn't this been done with VRRP?
2.) VRRP uses 224.0.0.18, which is a link-local group. Why does it send
the packets with a TTL of 255 if this range isn't supposed to be routed
anyway?

Thanks,
Wouter

Blogs and organic groups at http://www.ccie.net
