Typically an HSRP VIP is utilized as the gateway for routing off a particular LAN segment. If you choose an HSRP member off the local LAN then you either already know how to route off network (perhaps you are running routed or gated) or you have proxy-arp enabled. In either case why do you need HSRP in the first place? This is a non-standard approach to a high availability problem that potentially weakens your security posture.
If you need additional address space why not bring up a secondary IP range on the VLAN and migrate to that? I understand using it temporarily to fix a problem because of address exhaustion. I guess my question is, perhaps it works, but why would you? Making it work potentially creates other problems. In the end it's all about the layer 2 and layer 3 interaction. If you are ok with turning on proxy-arp and the related security implications, go for it.

harbor235

On 11/20/07, Peter Rathlev <[EMAIL PROTECTED]> wrote:
>
> On Tue, 2007-11-20 at 06:42 -0500, Paul Stewart wrote:
> > I asked this question last year at some point.... I was told by many
> > that it's a bad idea, but I did have a few people chime in to say they
> > had done it with great success...
> >
> > This doesn't answer your question but if you have a chance give it a
> > try is what I'd say. We thought in our HSRP setup we would have to
> > have the IPs in different subnets but ended up working just fine in
> > an existing subnet so never actually had a chance to try it the other
> > way..
>
> Yes, we have it running a few places with no problems, apart from the
> already mentioned, so I guess regular reasoning is the key here.
>
> On Tue, 2007-11-20 at 11:43 +0000, Tim Franklin wrote:
> > You lose the diagnostic ability to ping / check arp / etc explicitly to
> > the primary or secondary box. If that's not important to you, it does
> > save burning a couple of addresses from the customer-facing LAN subnet.
>
> Not optimal about diagnostics, no, but it's exactly because the
> customer doesn't want us to use "his" addresses. We can let them
> decide, and tell them that it may be a little more complex to
> troubleshoot.
>
> Thanks for the input, now I have a little more to continue with. :-)
>
> Regards,
> Peter Rathlev
>
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
