IDS mailing list archives
Re: NIDS/NIPS implications on HSRP
From: Jason Wright <jason () nfr net>
Date: 24 Aug 2004 19:55:35 -0000
In-Reply-To: <20040823170917.M24933 () packetinfo net>
> From what I have been reading, HSRP Hello packets are what determine a failover, and those should only be flowing between the routers through the switch. This would work fine. Cisco says that if a device (such as an IDS/IPS) inline keeps the line protocol up, HSRP will not failover.
Your theory is right, HSRP/VRRP/whatever packets should be the determining factor. Cisco is doing something wrong if they depend on the line protocol failing as well as the "hello" packets being dropped. Similar technology is used in 802.1D spanning tree. If the topology packets show a loop or a different path, the topology map in each device is changed. If packets don't make it, the network graph is redrawn.

As to what we do: We have a daemon that monitors the link status for silly problems like this. In the event link is lost on interface A, we power down interface B, and poll for link to come back on A. Powering down an interface has the obvious effect of making whatever is off of that interface lose line protocol. A little bit of hysteresis is necessary because line protocol negotiation can take a significant amount of time. Also, line protocol integrity on some line cards can "flap" when there is not, in fact, any valid link.

--
Jason Wright
NFR Security
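The link-monitoring daemon described in the reply above, as an added illustration that is not part of the original post or of NFR's own code: an inline sensor bridges interfaces A and B; when A loses link for a couple of consecutive polls, B is administratively powered down so the router behind B sees line protocol drop and HSRP can converge, and B is only restored after A has held link for a run of consecutive polls (the hysteresis the post mentions), so a single-poll "flap" on A neither triggers nor prematurely ends the fail-through. Poll counts, thresholds and the sample link-status sequences are constructed for the example; a real daemon would read link state from the NIC driver and drive the interface up/down itself.

```python
"""Link-state fail-through monitor with hysteresis (constructed example).

Models the behaviour the post describes for an inline IDS/IPS bridging
interfaces A and B. Thresholds are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LinkMonitor:
    # consecutive polls without link on A before B is powered down
    down_threshold: int = 2
    # consecutive polls with link on A before B is powered back up
    up_hysteresis: int = 5
    b_enabled: bool = True
    _down_count: int = 0
    _up_count: int = 0
    events: List[str] = field(default_factory=list)

    def poll(self, tick: int, a_has_link: bool) -> bool:
        """Feed one sample of interface A's link status; return B's new state."""
        if a_has_link:
            # Any good sample cancels a pending "A is down" decision.
            self._down_count = 0
            if not self.b_enabled:
                self._up_count += 1
                if self._up_count >= self.up_hysteresis:
                    self.b_enabled = True
                    self._up_count = 0
                    self.events.append(f"t={tick}: A stable, powering up B")
        else:
            # A flap while recovering restarts the hysteresis window.
            self._up_count = 0
            if self.b_enabled:
                self._down_count += 1
                if self._down_count >= self.down_threshold:
                    self.b_enabled = False
                    self._down_count = 0
                    self.events.append(f"t={tick}: A lost link, powering down B")
        return self.b_enabled


def run(samples: List[bool], **kw) -> Tuple[List[bool], List[str]]:
    """Replay a sequence of link samples for A; return B's state per poll and the log."""
    mon = LinkMonitor(**kw)
    states = [mon.poll(t, s) for t, s in enumerate(samples)]
    return states, mon.events


if __name__ == "__main__":
    # Constructed sequence: steady link, a one-poll flap, a sustained outage,
    # then recovery. True = link present on A.
    sample = [True, True, True, False, True, True,
              False, False, False, False,
              True, True, True, True, True, True, True, True]
    states, events = run(sample)
    for t, (a, b) in enumerate(zip(sample, states)):
        print(f"t={t:2d}  A link={'up ' if a else 'down'}  B admin={'up' if b else 'down'}")
    print("\n".join(events))
```

The single-poll flap at t=3 is ignored because it never reaches `down_threshold`, and during recovery the counter resets on any bad sample, which is the behaviour needed when a line card reports link briefly without a valid peer; the same logic runs in the other direction (watch B, act on A) for a symmetric bypass.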