Here is a topology:

LAN |------ SW1 ------------- Firewall1 ---- ISP1
LAN |------ SW2 ------------- Firewall2 ---- ISP2
SW1 and SW2 are interconnected as well and run HSRP (VIP: 192.168.1.10). Now, I have vlan 11 stretched between SW1, SW2, and the firewalls. SW1 is 192.168.1.1, SW2 is 192.168.1.2, Firewall1 is 192.168.1.3, Firewall2 is 192.168.1.4. SW1 is active in the HSRP group and acts as the default gateway for end devices in vlan 11.
I will end up having asymmetric routing. Is it a problem? A PC in vlan 11 sends a message to the Internet. It goes to 192.168.1.10, SW1 sends it up to Firewall1 (192.168.1.3), and the firewall sends it out to the Internet. The message comes back and Firewall1 (192.168.1.3) is going to send it down to the PC directly, bypassing SW1.
I noticed on my MacBook that when I ping something, it keeps showing 'redirect network: addr: 192.168.1.3', suggesting it can actually 'bypass' the default gateway of HSRP.
Everything else works. There is no NAT in place or firewalls on SW1 and SW2 so... is it good?
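As an added illustration (not part of the original post), here is an IOS-style configuration for SW1's vlan 11 SVI: first the default behaviour, in which the switch sends the ICMP redirect the MacBook observed, then the same interface with redirects suppressed so hosts keep using the HSRP VIP. The interface name, HSRP group number, subnet mask and priority values are assumptions.

```cisco
! --- SW1, vlan 11 SVI, as-is: IOS sends ICMP redirects by default ---
! A host routing 0.0.0.0/0 via the VIP 192.168.1.10 receives
! "redirect network: addr: 192.168.1.3" and then sends to Firewall1
! directly, bypassing the HSRP gateway for that destination.
interface Vlan11
 ip address 192.168.1.1 255.255.255.0
 standby 11 ip 192.168.1.10
 standby 11 priority 110
 standby 11 preempt
!
! --- Same SVI with redirects suppressed (assumed values as above) ---
! Hosts keep forwarding via 192.168.1.10; SW1 hairpins each outbound
! packet back out Vlan11 toward Firewall1. Return traffic from Firewall1
! still reaches the host directly, so the forward and return paths
! differ either way; SW1/SW2 keep no per-flow state, so they do not care.
interface Vlan11
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 standby 11 ip 192.168.1.10
 standby 11 priority 110
 standby 11 preempt
!
! Check on the switch which behaviour is in effect:
! show ip interface Vlan11 | include redirects
```

Firewall1 sees both directions of every flow in both cases (outbound from the host or via SW1, inbound from ISP1), so its state table is unaffected by which variant is used.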