On Tue, November 20, 2007 2:27 pm, Mike Johnson wrote:
> Typically a HSRP VIP is utilized as the gateway for routing off a
> particular LAN segment. If you choose a HSRP member off the local LAN
> then you either already know how to route off network (perhaps you are
> running routed or gated) or you have proxy-arp enabled. In either case
> why do you need HSRP in the first place? This is a non standard approach
> to a high availability problem that potentially weakens your security
> posture.
The OP's talking about the other way around, where the VIP *is* in the LAN
subnet, but the physical LAN addresses of the two routers aren't.
Everything on the LAN can talk to the VIP with a simple ARP, and use it as
their default gateway, but they won't (necessarily) be able to see the
physical addresses.
I've seen people talk about it as security, in that you can't directly
reach the physical addresses from the LAN, but I don't put a lot of value
on that. The win is that you use two fewer addresses from the LAN subnet
- assuming that you have some reason to try and conserve addresses on that
subnet. Potentially, it also makes templating configs easier, as you
could use the same pair of (RFC1918?) addresses for the physical
interfaces on every site where you deploy HSRP, taking out one parameter
you have to pass around your service delivery process.
('Physical address' being the IP address assigned to the interface, to
distinguish from the HSRP VIP - not the MAC address, before anyone gets
confused.)
Regards,
Tim.
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
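The layout Tim describes, as an added configuration example that is not from the original thread: two Cisco IOS routers whose LAN-facing interfaces carry the same RFC1918 /30 pair at every site, while the HSRP VIP sits in the LAN subnet and is what the hosts use as their default gateway. The interface name, the addresses (10.255.255.0/30 for the physical pair, 192.0.2.1 as the VIP in 192.0.2.0/24), the HSRP group number and the priorities are all assumptions chosen for illustration.

```cisco
! Router A (intended active)
interface GigabitEthernet0/0
 description LAN segment; hosts use the VIP 192.0.2.1 as default gateway
 ! physical address is NOT in the LAN subnet; same /30 pair at every site
 ip address 10.255.255.1 255.255.255.252
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
!
! the router has no connected route for 192.0.2.0/24, so it needs one
! pointing at the interface to ARP for hosts directly and return traffic
ip route 192.0.2.0 255.255.255.0 GigabitEthernet0/0

! Router B (intended standby), identical apart from address and priority
interface GigabitEthernet0/0
 description LAN segment; hosts use the VIP 192.0.2.1 as default gateway
 ip address 10.255.255.2 255.255.255.252
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
!
ip route 192.0.2.0 255.255.255.0 GigabitEthernet0/0
```

Two points a practitioner should check before relying on this. First, the templating win is real: only the VIP and the LAN prefix change per site, the physical pair and the HSRP lines are constant. Second, the "security" reading is weak for the reason Tim hints at: a host on the LAN that sends a packet addressed to 10.255.255.1 to the VIP's MAC address delivers it straight to the router, which treats it as traffic for itself and answers. If the physical addresses are meant to be unreachable from the LAN, an inbound access list on the interface has to say so; not having a route on the hosts does not.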