HSRP and ICMP Redirects

baldy
Level 1

In the HSRP RFC, RFC 2281, it states:

"6.3 ICMP Redirect

While running HSRP, it is important to prevent the host from discovering the primary MAC addresses of the routers in its standby group. Thus, any protocol that informs a host of a router's primary address should be disabled. Thus, routers participating in HSRP on an interface MUST NOT send ICMP redirects on that interface."

I've been playing with this on the bench and don't seem to have any problems with redirects enabled.

The only way you can get a host to learn the real address of an HSRP group member is if your DG is set to the real address of another member which doesn't have the best route... but then HSRP is broken for that host anyway.

As long as your DGs are correct, a member of the HSRP group never appears to send redirects.

If you introduce a third non-member router and get the HSRP pair to redirect you to it, again no problem, as the host is learning the address of the stand-alone router, not the HSRP member.

The only problem I can produce is if you use the non-member as DG and get redirected to a network via the members. This way a host ends up with an HSRP member's real address, as the redirect is the result of a route table lookup.

But this hypothetical third router is NOT participating in HSRP, only in the routing protocol, and so is not covered by the caveat above.

So it seems to me that this statement is wrong, or at least incomplete.

Can anyone point out the (almost inevitable :-) flaw in my logic?

Thanks

Baldy

4 Replies

baldy
Level 1

Everybody feel free to join in!

Baldy

The RFC states that HSRP-enabled routers should not send ICMP redirects. Isn't that what is happening even if you enable the ICMP redirect feature on the interface configured for HSRP?

Secondly, Cisco has added support for ICMP redirects with HSRP, as stated in the article:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a00800e9763.html#xtocid1

This might render the statement in the RFC outdated, but I am sure there are lots of outdated RFCs out there :-)

That's cool, so the reason I couldn't produce a fault is that Cisco have already added this feature that takes care of it! Standby redirects is enabled by default, therefore no problem would be seen.

Well spotted that man!

Pete
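To make the previous two replies concrete, here is a small model of the redirect filtering that the cited Cisco feature guide describes (HSRP Support for ICMP Redirects). It is an added illustration, not code from the thread or from Cisco, and it assumes the three documented cases only: a next hop that is active for an HSRP group is advertised as that group's virtual IP; a next hop known from HSRP hellos but active for no group is suppressed; any other next hop is redirected to normally. The interface names, addresses and the choice of the lowest-numbered group when a router is active for several are constructed assumptions, and `no ip redirects` is modelled simply as "send nothing".

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of HSRP-aware ICMP redirect filtering. Assumption: it
# follows the three cases in Cisco's feature guide and nothing more.

@dataclass
class HsrpGroup:
    number: int
    virtual_ip: str
    active_real_ip: Optional[str]   # real interface IP of the active router, learned from hellos

@dataclass
class Interface:
    real_ip: str
    ip_redirects: bool = True                         # 'ip redirects' on the interface
    groups: list = field(default_factory=list)        # HSRP groups on this interface
    hsrp_routers: set = field(default_factory=set)    # real IPs seen in HSRP hellos (peers)

def redirect_gateway(iface: Interface, next_hop: str) -> Optional[str]:
    """Gateway address to put in an ICMP redirect toward next_hop, or None to suppress it."""
    if not iface.ip_redirects:
        return None                                   # 'no ip redirects': never redirect
    # Case 1: next hop is the active router of some HSRP group -> advertise the
    # virtual IP, so the host never learns the member's real address.
    # Assumption: lowest group number wins if it is active for several groups.
    for group in sorted(iface.groups, key=lambda g: g.number):
        if group.active_real_ip == next_hop:
            return group.virtual_ip
    # Case 2: next hop is an HSRP router (seen in hellos) but active for no
    # group (standby/listen) -> suppress the redirect entirely.
    if next_hop in iface.hsrp_routers:
        return None
    # Case 3: next hop does not run HSRP on this LAN -> ordinary redirect.
    return next_hop

# Constructed bench: host DG = 10.0.0.1 (virtual), R1 = .2 active, R2 = .3
# standby, R3 = .4 is the non-member router from the original post.
R1_LAN = Interface(
    real_ip="10.0.0.2",
    groups=[HsrpGroup(1, "10.0.0.1", active_real_ip="10.0.0.2")],
    hsrp_routers={"10.0.0.3"},
)
# Same pair with a second group for load sharing, where R2 is active.
R1_LAN_TWO_GROUPS = Interface(
    real_ip="10.0.0.2",
    groups=[
        HsrpGroup(1, "10.0.0.1", active_real_ip="10.0.0.2"),
        HsrpGroup(2, "10.0.0.129", active_real_ip="10.0.0.3"),
    ],
    hsrp_routers={"10.0.0.3"},
)
# R3 runs no HSRP at all, so it has no groups and no hello-learned peers.
R3_LAN = Interface(real_ip="10.0.0.4")

def bench_results() -> dict:
    """Replay the scenarios from the original post against the model."""
    return {
        # HSRP member redirecting to the stand-alone router: real address is fine
        "member_to_nonmember": redirect_gateway(R1_LAN, "10.0.0.4"),
        # HSRP member redirecting to its standby peer: suppressed
        "member_to_standby_peer": redirect_gateway(R1_LAN, "10.0.0.3"),
        # peer is active for group 2: virtual IP of group 2 is advertised instead
        "member_to_active_peer": redirect_gateway(R1_LAN_TWO_GROUPS, "10.0.0.3"),
        # the problem case: non-member as DG redirects via a member and leaks .3
        "nonmember_to_member": redirect_gateway(R3_LAN, "10.0.0.3"),
    }

if __name__ == "__main__":
    for name, gw in bench_results().items():
        print(f"{name:24s} -> {gw if gw else 'redirect suppressed'}")
```

The last scenario reproduces the one case the original post could break: the filtering runs on the HSRP router's own interface, so a redirect generated by a router that does not run HSRP carries whatever its routing table says, and that can be a member's real address.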

tagbado
Level 1

Hi Baldy,

I'm also running into this, and I have come to the conclusion that the statement is true.

Having set up HSRP internet routers, my PIX firewall and other Unix devices on the LAN segment have learned the real MAC addresses of the HSRP members, although their default gateway is the virtual IP address of the HSRP group.

From what I can see, this is related to the fact that I enable ICMP redirects in order to accept traffic from the serial interfaces of my two ISPs.

Disabling ICMP resolves this issue, but hosts are not all reachable from outside. If any traffic comes via the standby router's serial interface, it just bounces to unreachable.

I believe that the way the ARP/proxy ARP is done also has something to do with it.

Any idea?

Theo
