On Tue, 2007-11-20 at 09:27 -0500, Mike Johnson wrote:
> Typically a HSRP VIP is utilized as the gateway for routing off a
> particular LAN segment. If you choose a HSRP member off the local LAN
> then you either already know how to route off network (perhaps you are
> running routed or gated) or you have proxy-arp enabled. In either case
> why do you need HSRP in the first place? This is a non standard
> approach to a high availability problem that potentially weakens your
> security posture.

Well, it's actually the other way around as Tim points out. In the
example (10.0.0.1/24 as interface address, 192.168.0.1 as standby
address) the "actual" LAN is 192.168.0.0/24. So I'm not putting HSRP in
another subnet, I'm putting the interface in another subnet.
 
> If you need additional address space why not bring up a secondary IP
> range on the VLAN and migrate to that?  I understand using it
> temporarily to fix a problem because of address exhaustion.

The people who use the LAN can't see why they should migrate when I'm
the one who needs extra addresses. The question is more general though.
Why waste 2 addresses on every LAN when I could reserve some private
space and take them from there?

> I guess my question is, perhaps it works, but why would you? Making
> it work potentially creates other problems. In the end it's all about
> the layer 2 and layer 3 interaction. If you are ok with turning on
> proxy-arp and the related security implications, go for it.

The proxy arp would be if I'd use standby addresses not in the LAN net,
but as mentioned it's the other way around. I don't see any security
questions in this. There's neither more nor less security in one way or
the other.

On Tue, 2007-11-20 at 14:57 +0000, Tim Franklin wrote:
> Potentially, it also makes templating configs easier, as you
> could use the same pair of (RFC1918?) addresses for the physical
> interfaces on every site where you deploy HSRP, taking out one
> parameter you have to pass around your service delivery process.

That's a nice argument in favor of using some standard addresses. :-)

I got an off list reply directing attention to ARP problems. When the
router's ARP cache timed out the clients wouldn't respond to ARP queries.
If the router uses the interface address as source for ARP queries I can
see a potential problem here. If that's the case, is there any way to
make the router always use the VIP for ARP queries? Maybe it already
does, haven't checked. :-)

Regards,
Peter Rathlev
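The ARP failure mode raised in the message above, as an added illustration that is not part of the thread: it models a client on the 192.168.0.0/24 LAN receiving ARP requests whose sender IP is either the router's interface address (10.0.0.1, off-subnet from the client's view) or the HSRP VIP (192.168.0.1). The host-side policy is an assumption modelled on the Linux `arp_ignore` sysctl (value 2 answers only when the sender is on the same subnet); the packet bytes and the client address are constructed for the example.

```python
import struct
from ipaddress import IPv4Interface, IPv4Address

# Constructed client on the "actual" LAN from the thread (192.168.0.0/24).
HOST_IFACE = IPv4Interface("192.168.0.10/24")
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes

def build_arp_request(sender_ip: str, target_ip: str,
                      sender_mac: bytes = b"\x00\x00\x0c\x07\xac\x01") -> bytes:
    """Build a minimal ARP request (no Ethernet header); MAC is a constructed value."""
    return struct.pack(
        ARP_FMT,
        1, 0x0800, 6, 4, 1,                       # hw, proto, hlen, plen, opcode=request
        sender_mac, IPv4Address(sender_ip).packed,
        b"\x00" * 6, IPv4Address(target_ip).packed,
    )

def parse_arp(pkt: bytes) -> dict:
    """Decode the fields a receiving host needs to decide whether to answer."""
    _, _, _, _, op, _, sip, _, tip = struct.unpack(ARP_FMT, pkt[:28])
    return {"op": op, "sender_ip": IPv4Address(sip), "target_ip": IPv4Address(tip)}

def host_replies(pkt: bytes, host: IPv4Interface = HOST_IFACE, arp_ignore: int = 0) -> bool:
    """Return True if the host would answer this ARP request.

    arp_ignore follows the Linux sysctl semantics (assumed, from kernel docs):
      0 - reply for any local target address, regardless of sender
      2 - reply only if the target is local AND the sender is on the same subnet
    With 2, a request sourced from the router's off-subnet interface address
    is silently dropped, which matches the symptom reported in the thread.
    """
    arp = parse_arp(pkt)
    if arp["op"] != 1 or arp["target_ip"] != host.ip:
        return False
    if arp_ignore == 2:
        return arp["sender_ip"] in host.network
    return True

if __name__ == "__main__":
    for src in ("10.0.0.1", "192.168.0.1"):        # interface address vs. VIP
        for policy in (0, 2):
            pkt = build_arp_request(src, "192.168.0.10")
            print(f"sender {src:12} arp_ignore={policy}: "
                  f"{'reply' if host_replies(pkt, arp_ignore=policy) else 'ignored'}")
```

Whether a given router sources ARP from the interface address or the VIP is not stated in the thread, so the example shows both outcomes rather than assuming one.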

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/