Thanks, Erick.
It seems that you have basically said,
   "Yes, UDP forwarding is not part of HSRP."

But you also apparently agree that there is no technical reason why this
must be true :)


>Maybe they need to add a feature, like standby helper or something so
>when HSRP is being used it will only forward UDP broadcast traffic on
>the device that has the HSRP IP active.
>Example: if such a feature existed, then you wouldn't use ip-helper on
>HSRP interfaces - you would use standby-helper if you just wanted UDP
>forwarded on device with active HSRP IP address.

ISTM that it would be easy to simply add a command like

   [no] standby-helper

Everything else, including "ip-helper" is the same, and this flag simply
tells a router in standby or monitor mode not to forward, but when in
primary mode to do so.

I guess the effort is not worth the gain.  UDP's being an unreliable and
connection-less transport requires the protocols to be robust enough to
handle the duplicate packets.

The problem arising from this duplicate forwarding with DHCP occurs when
the 2nd DHCPDISCOVER is delayed enough so that the client has already
received its lease and IP address in response to the 1st DHCPDISCOVER.
When the server sees the 2nd DHCPDISCOVER, it will try to give the same
address again.  But, prior to doing so, it MAY (RFC2131) ping the
address to see whether it's in use.  Well, the client will respond,
because it just got the IP address :)  The server will then try to give
another IP address and abandon the first lease.

Of course, that's a contrived and highly unlikely case -- the packet
would probably never be delayed that long, but it just came to my mind
when thinking about this.


-------------------------------------------------
Tks        | <mailto:[EMAIL PROTECTED]>
BV         | <mailto:[EMAIL PROTECTED]>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================
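
Added example, not part of the original thread: a check a DHCP server operator could run over captured relayed packets to see the duplication discussed above, i.e. the same DHCPDISCOVER (same xid and chaddr) arriving with two different giaddr values, one per HSRP router carrying the helper address. The addresses, MACs and xids are constructed samples and the function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of DHCP options
DHCPDISCOVER = 1                          # value of option 53 (message type)

def build_discover(xid, chaddr, giaddr):
    """Constructed sample: minimal relayed DHCPDISCOVER (236-byte BOOTP header + options)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1, xid, 0, 0x8000,        # op, htype, hlen, hops, xid, secs, flags
        bytes(4), bytes(4), bytes(4),      # ciaddr, yiaddr, siaddr
        socket.inet_aton(giaddr), chaddr, bytes(64), bytes(128))
    return header + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])

def parse(pkt):
    """Return (msg_type, xid, chaddr, giaddr), or None if pkt is not a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    xid = struct.unpack_from("!I", pkt, 4)[0]
    giaddr = socket.inet_ntoa(pkt[24:28])          # set by the relay agent
    chaddr = pkt[28:28 + min(pkt[2], 16)]          # hlen bytes of client hardware address
    msg_type, i = None, 240
    while i + 1 < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53 and length == 1 and i + 2 < len(pkt):
            msg_type = pkt[i + 2]
        i += 2 + length
    return msg_type, xid, chaddr, giaddr

def duplicate_relays(packets):
    """Map (xid, chaddr) -> sorted giaddr list for DISCOVERs seen via more than one relay."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse(pkt)
        if parsed and parsed[0] == DHCPDISCOVER and parsed[3] != "0.0.0.0":
            seen[(parsed[1], parsed[2])].add(parsed[3])
    return {key: sorted(relays) for key, relays in seen.items() if len(relays) > 1}

MAC_A = bytes.fromhex("020000000001")              # constructed client MACs
MAC_B = bytes.fromhex("020000000002")
SAMPLE = [                                         # constructed capture
    build_discover(0x1234ABCD, MAC_A, "192.0.2.2"),   # relayed by the active router
    build_discover(0x1234ABCD, MAC_A, "192.0.2.3"),   # same DISCOVER via the standby
    build_discover(0x0BADF00D, MAC_B, "192.0.2.2"),   # seen through one relay only
]
```
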





-----Original Message-----
From: Erick B. [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 18, 2001 5:43 PM
To: Bob Vance; CISCO_GroupStudy List (E-mail)
Subject: Re: HSRP and UDP forwarding.


Look at it this way. HSRP (and VRRP) share a virtual IP
address among the devices participating. Hosts point
their default-gateway to this Virtual IP address. This
allows the hosts to still forward traffic when the
primary router/switch interface goes down and the
standby router/switch changes over to active. This is
the function of HSRP/VRRP - to provide a shared IP
address among multiple interfaces on the same network.

If the interface is in standby mode for HSRP then the
standby IP address isn't active on this interface, but
the primary IP is active and ip-helper, routing, and
all other IP features you have configured are active
unless the interface is down, etc.

Currently, there isn't a way to stop ip-helper from
forwarding when the HSRP address is in standby mode
since ip-helper isn't part of HSRP. Maybe they need to
add a feature, like standby helper or something so
when HSRP is being used it will only forward UDP
broadcast traffic on the device that has the HSRP IP
active. Example: if such a feature existed, then you
wouldn't use ip-helper on HSRP interfaces - you would
use standby-helper if you just wanted UDP forwarded on
device with active HSRP IP address.

The only way to get around forwarding UDP broadcasts
from both routers would be to remove the ip-helper from
one of the interfaces. The problem here is when the
other interface goes down you're not going to forward
the UDP broadcasts anymore. The other solution would
be to make the DHCP server local so ip-helper wasn't
needed.

If you search on cisco.com for HSRP and IP-helper
you'll get a document on UDP Flooding which involves
bridge-groups and using spanning-tree to block.

Erick

--- Bob Vance <[EMAIL PROTECTED]> wrote:
> I was told this in another venue:
>
> >It is the nature of HSRP. Both routers listen to broadcast traffic.
> >Both routers are configured as a DHCP and BOOTP relay agent in order
> >to get redundancy. So all DHCP and BOOTP broadcast traffic is sent
> >twice to the central server.
>
> Is there some reason for this to be true?
> It does not seem right to me.
>
> My understanding is that, normally, HSRP does not depend on multiple
> routers in the group to forward traffic.  The HSRP group appears as one
> router to the side where it is being redundant, with the primary router
> forwarding all traffic.  The standby doesn't participate, except
> possibly on reply traffic
>
> I think that you would agree that it is not normal nor good (maybe not
> necessarily bad, but certainly not good :) for a router arbitrarily to
> send duplicate packets onto a subnet and this is, in effect, what would
> be happening here.
>
> In single-group HSRP mode, I can see no reason for this to be
> required -- I would think that it would be sufficient for the UDP
> forwarding simply to follow the primary router.
>
> Multi-group HSRP seems to present some other possibilities/problems
> that I haven't explored in depth yet.  One point is that it would
> appear that having MHSRP primary routers forwarding DHCP (at least the
> broadcasts) would require extraordinary configuration on the DHCP
> server.  For example, if the clients are in the same subnet, then which
> default gateway should it send to the client?  Thus, MHSRP *with* DHCP
> forwarding would seem to require, practically, multiple subnets and
> broadcast domains -- i.e., VLANs.
>
> Comments?


