IDS mailing list archives

Re: NIDS/NIPS implications on HSRP


From: Jason Wright <jason () nfr net>
Date: 24 Aug 2004 19:55:35 -0000

In-Reply-To: <20040823170917.M24933 () packetinfo net>

From what I have been reading, HSRP Hello packets are what determines a 
failover, and that those should only be flowing between the routers through 
the switch.  This would work fine.  Cisco says that if a device (such as an 
IDS/IPS) inline keeps the line protocol up, HSRP will not failover. 

Your theory is right, HSRP/VRRP/whatever packets should be the determining factor.  Cisco is doing something wrong if 
they depend on the line protocol failing as well as the "hello" packets being dropped.

Similar technology is used in 802.1D spanning tree.  If the topology packets show a loop or a different path, the 
topology map in each device is changed.  If packets don't make it, the network graph is redrawn.

As to what we do:  We have a daemon that monitors the link status for silly problems like this.  In the event link is 
lost on interface A, we power down interface B, and poll for link to come back on A.  Powering down an interface has 
the obvious effect of making whatever is off of that interface lose line protocol.

A little bit of hysteresis is necessary because line protocol negotiation can take a significant amount of time.  Also, 
line protocol integrity on some line cards can "flap" when there is not, in fact, any valid link.

--Jason Wright
  NFR Security
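The link-status daemon described in the message above, written out as an added example (not NFR's code and not part of the original post) as a pure state machine fed by polled link samples so it runs offline. It assumes a sensor bridging two ports named A and B, and it generalizes the post's one-direction rule to both directions: link loss on the port the daemon itself powered down is ignored, and a restored port gets a grace period to renegotiate, so the mirroring cannot feed back on itself.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class LinkPropagator:
    # Hysteresis: consecutive polls required before acting. Loss is acted on
    # quickly; restoring waits longer because line protocol negotiation is slow
    # and some line cards report a flapping link with no valid peer behind it.
    down_threshold: int = 3
    up_threshold: int = 5
    powered: Dict[str, bool] = field(default_factory=lambda: {"A": True, "B": True})
    forced_down: Optional[str] = None  # port the daemon itself powered down
    grace: Dict[str, int] = field(default_factory=lambda: {"A": 0, "B": 0})
    down_run: Dict[str, int] = field(default_factory=lambda: {"A": 0, "B": 0})
    up_run: Dict[str, int] = field(default_factory=lambda: {"A": 0, "B": 0})
    events: List[str] = field(default_factory=list)

    def poll(self, link: Dict[str, bool]) -> Dict[str, bool]:
        """Consume one poll of raw link status {"A": bool, "B": bool}."""
        for port, peer in (("A", "B"), ("B", "A")):
            if port == self.forced_down:
                continue  # we took this port down; its missing link is not a loss
            if link[port]:
                self.up_run[port] += 1
                self.down_run[port] = 0
                self.grace[port] = 0
                if self.forced_down == peer and self.up_run[port] >= self.up_threshold:
                    self.powered[peer] = True
                    self.forced_down = None
                    self.grace[peer] = self.up_threshold  # let the peer renegotiate
                    self.down_run[peer] = 0
                    self.events.append(f"{port} stable: power up {peer}")
            else:
                if self.grace[port] > 0:
                    self.grace[port] -= 1  # still renegotiating after power-up
                    continue
                self.down_run[port] += 1
                self.up_run[port] = 0
                if self.forced_down is None and self.down_run[port] >= self.down_threshold:
                    self.powered[peer] = False
                    self.forced_down = peer
                    self.events.append(f"{port} lost: power down {peer}")
        return dict(self.powered)

def simulate(samples, down_threshold=3, up_threshold=5):
    """Run constructed link polls; return per-poll power state and the event log."""
    lp = LinkPropagator(down_threshold, up_threshold)
    return [lp.poll(s) for s in samples], lp.events
```

A flapping sample sequence on A never toggles B, while three consecutive lost polls power B down and five stable polls on A bring it back.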
