At 11:23 AM 6/10/01, Rashid Lohiya wrote:
>Guys,
>
>I need confirmation of a HSRP design.
>
>I have 2 x Routers configured for HSRP on a LAN.
>
>A packet is sent from a Firewall on the LAN to the HSRP virtual address as
>the default gateway.
>The packet reaches the active router (highest priority).
>It compares the packet's destination address/subnet in its routing table.
>
>A). Will it send the packet back on the LAN (to the standby router's real
>LAN interface address) if it finds that the standby router has a shorter
>route to the destination than itself?
Yes. In some cases the standby may have the only route to the destination.
The active may not be able to get there, so it must send the packet to the
other router.
>Or
>B). Will it ignore that fact and shoot it across its own WAN link
>regardless?
>I haven't had time to lab this just yet, but I'm quite sure the answer
>should be A.
>
>2nd query: I understand that ICMP redirect is switched off by default if
>HSRP is used. Even if I were to switch this on, I was wondering if a standard
>firewall would actually take notice of the redirect and send the next packet
>to the router with the shorter path as advised by the ICMP redirect, rather
>than to the statically set default gateway pointing to the virtual HSRP
>address.
A firewall would probably pay attention to ICMP redirects, but you would
have to test. Some operating systems don't pay attention even though they
claim to.
ICMP redirects are turned off because they could cause a host to learn the
real address of a gateway, meaning the host would not use the HSRP address.
If the real gateway died, the host wouldn't take advantage of HSRP.
Cisco now has a new feature that lets you use ICMP redirects but in a
smarter fashion. The router checks ICMP redirects and replaces the gateway
address that is recommended in the packet with a corresponding virtual HSRP
address. If the gateway address that is recommended in the packet is not
one that is participating in HSRP, the router just lets the ICMP redirect
go through untouched. It's a strange feature, but it could help in complex
networks that have some HSRP and some non-HSRP routers (probably not your
case).
Priscilla
>Regards,
>
>Rashid Lohiya
>[EMAIL PROTECTED]
>020 8509 2990
>07785 362626
>www.pioneer-computers.com
>London UK
________________________
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7924&t=7879
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
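The two behaviours discussed in this thread (the active router forwarding back onto the LAN when the standby has the more specific route, and what an ICMP redirect advertises with redirects off, on, or with the HSRP-aware rewrite) can be modelled in a few lines. The following is an added example, not code from the original post or from Cisco; the LAN, router addresses, routing table, HSRP group and destination addresses are all constructed for illustration (RFC 5737 documentation ranges), and the `handle_packet`, `host_gateway` and `reachable` helpers are hypothetical names, not IOS features.

```python
"""Model of the forwarding and ICMP redirect behaviour discussed in the thread.

Added example, not code from the original post or from Cisco; every address,
router name, route and HSRP group here is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed LAN: one HSRP group (virtual address VIP) shared by R1 and R2,
# plus R3, a router on the same segment that is not in any HSRP group.
LAN = ip_network("192.0.2.0/24")
VIP = ip_address("192.0.2.1")    # HSRP virtual address = hosts' default gateway
R1 = ip_address("192.0.2.2")     # active router (highest priority), real address
R2 = ip_address("192.0.2.3")     # standby router, real address
R3 = ip_address("192.0.2.4")     # router on the LAN that is not in HSRP at all
HOST = ip_address("192.0.2.50")  # the firewall sending packets to VIP

HSRP_GROUPS = {R1: VIP, R2: VIP}  # real address -> virtual address of its group

# R1's routing table as (prefix, next hop). "wan" is R1's own WAN link; a LAN
# address means the packet goes back out the LAN interface to that router.
R1_ROUTES = [
    (ip_network("0.0.0.0/0"), "wan"),
    (ip_network("198.51.100.0/24"), "wan"),
    (ip_network("198.51.100.128/25"), R2),  # standby has the more specific route
    (ip_network("203.0.113.0/24"), R3),
]

DST_WAN = ip_address("198.51.100.10")
DST_VIA_STANDBY = ip_address("198.51.100.200")
DST_VIA_R3 = ip_address("203.0.113.5")


def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, as on a router."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def handle_packet(src, dst, redirects="off"):
    """What the active router does with a packet from src to dst.

    Returns (next_hop, redirect_gateway). next_hop answers query A: either R1's
    own WAN link or the real LAN address of the router with the better route.
    redirect_gateway is the gateway an ICMP redirect would advertise, or None.
    redirects: "off"   - redirects disabled (the HSRP default the reply mentions)
               "plain" - classic redirect naming the next hop's real address
               "hsrp"  - the HSRP-aware rewrite the reply describes
    """
    next_hop = lookup(R1_ROUTES, dst)
    # A redirect only makes sense when the packet came in on the LAN and is
    # going straight back out onto the same LAN to another router.
    if next_hop == "wan" or src not in LAN or next_hop not in LAN:
        return next_hop, None
    if redirects == "off":
        return next_hop, None
    gateway = next_hop
    if redirects == "hsrp":
        # Participating router: advertise its group's virtual address instead
        # of its real one. Non-participant (R3): redirect goes through untouched.
        gateway = HSRP_GROUPS.get(gateway, gateway)
    return next_hop, gateway


def host_gateway(dst, learned, default_gw=VIP):
    """A host that honours redirects keeps a per-destination gateway cache and
    falls back to its static default gateway for everything else."""
    return learned.get(dst, default_gw)


def reachable(gateway, alive):
    """Is the gateway a host chose still answering? The virtual address is
    served by whichever HSRP router is alive; a real address only by that one."""
    if gateway == VIP:
        return any(router in alive for router in HSRP_GROUPS)
    return gateway in alive


if __name__ == "__main__":
    # Plain redirect: the firewall learns R2's real address; when R2 dies it
    # keeps sending there and HSRP cannot help it.
    _, gw = handle_packet(HOST, DST_VIA_STANDBY, "plain")
    learned = {DST_VIA_STANDBY: gw}
    print("plain redirect, R2 down:",
          reachable(host_gateway(DST_VIA_STANDBY, learned), {R1}))  # False
    # HSRP-aware redirect: the advertised gateway is the VIP, so failover works.
    _, gw = handle_packet(HOST, DST_VIA_STANDBY, "hsrp")
    learned = {DST_VIA_STANDBY: gw}
    print("hsrp redirect, R2 down:",
          reachable(host_gateway(DST_VIA_STANDBY, learned), {R1}))  # True
```

The model makes the failover point of the reply concrete: a host that caches a redirect naming R2's real address keeps using it after R2 dies, while one that was told the virtual address is still served by R1. On a Linux-based firewall, whether redirects are honoured at all is controlled by the `net.ipv4.conf.<interface>.accept_redirects` sysctl (with `secure_redirects` restricting accepted redirects to gateways already in the routing table); as the reply says, the only reliable answer to the second query is still to test the actual box.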