HSRP disaster

18 09 2010

I’ve got a customer that has lots of VLANs on a pair of 6509s, each with an HSRP gateway that is in group 0. They also have a Firewall Services Module (FWSM) in there, operating in transparent mode – but I *think* this might be irrelevant.

What happened recently was that some goon put a server in the server VLAN with the IP address of the HSRP gateway. What seemed to happen was that the HSRP failed over – for ALL the VLANs, not just the one the server was in.

Is this normal, do you think? If all standbys use the same group number, do they all need to fail over if there’s a problem?

Odd thing was that the logs show one VLAN’s HSRP saying that (once the failover had happened) the active HSRP master had a different IP address from the one configured – the IP address was from another VLAN. Almost as though there was some leakage between VLANs at layer-2 maybe – the common virtual MAC address might have been recognised as being the other partner in the HSRP pair maybe?

Would welcome any thoughts.

We’re considering different HSRP groups, and maybe ARP inspection/ACLs to protect the gateway, but can’t make ARP ACLs work right now.
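As an added example (not from the original post), here are the two mitigations the post mentions written out as IOS configuration: one HSRP group per VLAN, so each VLAN's gateway gets its own virtual MAC, and a Dynamic ARP Inspection ACL that lets only that virtual MAC answer for the gateway IP. The VLAN numbers, addresses, ACL name and Port-channel1 are assumptions.

```cisco
! Per-VLAN HSRP groups: group number = VLAN number, so each VLAN's gateway
! has a distinct HSRPv1 virtual MAC (0000.0c07.acXX, XX = group number in hex).
! Assumed addressing: VLAN 10 = 10.10.0.0/24, VLAN 20 = 10.20.0.0/24,
! this 6509 is the preferred active router.
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
 standby 20 ip 10.20.0.1
 standby 20 priority 110
 standby 20 preempt
!
! ARP ACL for VLAN 10: only the group-10 virtual MAC (0000.0c07.ac0a) may
! claim 10.10.0.1; any other host announcing that IP is dropped and logged.
! Servers here use static addresses, so everything else is permitted
! explicitly and "static" keeps DAI from falling through to DHCP-snooping
! bindings that do not exist.
arp access-list GW-PROTECT-VLAN10
 permit ip host 10.10.0.1 mac host 0000.0c07.ac0a
 deny ip host 10.10.0.1 mac any log
 permit ip any mac any
!
ip arp inspection vlan 10
ip arp inspection filter GW-PROTECT-VLAN10 vlan 10 static
!
! The trunk to the peer 6509 must be trusted, otherwise DAI also drops the
! peer's gratuitous ARPs for the virtual address after a failover.
interface Port-channel1
 ip arp inspection trust
!
! Verification:
!   show standby brief               (one group per VLAN, distinct virtual MACs)
!   show ip arp inspection vlan 10   (DAI and the filter active on the VLAN)
!   show ip arp inspection log       (any host caught claiming the gateway IP)
```

A server configured with the gateway IP then shows up in the DAI log instead of competing for the address on the wire.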
