HSRP disaster

18 09 2010

I’ve got a customer that has lots of VLANs on a pair of 6509s, each with an HSRP gateway that is in group 0. They also have a Firewall Services Module (FWSM) in there, operating in transparent mode – but I *think* this might be irrelevant.

What happened recently was that some goon put a server in the server VLAN with the IP address of the HSRP gateway. What seemed to happen was that the HSRP failed over – for ALL the VLANs, not just the one the server was in.

Is this normal, do you think? If all standbys use the same group number, do they all need to fail over if there’s a problem?

Odd thing was that the logs show one VLAN’s HSRP saying that (once the failover had happened) the active HSRP master had a different IP address from the one configured – the IP address was from another VLAN. Almost as though there was some leakage between VLANs at layer-2 maybe – the common virtual MAC address might have been recognised as being the other partner in the HSRP pair maybe?

Would welcome any thoughts.

We’re considering different HSRP groups, and maybe ARP inspection/ACLs to protect the gateway, but can’t make ARP ACLs work right now.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: