I have (2) HP ProCurve 3800 switches. They seem to not support HSRP but only VRRP; would that be correct from what you know? They are also in a location in our network where there are some security concerns … it is behind our (2) internet routers but connects the routers and firewalls together so we can get to the internet. I was trying not to put an IP address on them since they have a management port that could be used to access them, but apparently VRRP will require an IP address on each plus a floating address. Is this what you understand as well? What is the best way to keep them secure?



Hi Steve,

That’s correct, HSRP is Cisco proprietary. VRRP is a standard. If you use your switches as the default gateway for your clients with VRRP then yes, you’ll need IP addresses for each VLAN/subnet. VRRP creates a virtual gateway IP address and the switches need to communicate with each other for this.

Security people would probably advise that the connection between your routers/firewalls should be physically separated. You could however use a separate VLAN on your switches that doesn’t have an IP address. Use this VLAN to connect your firewalls/routers together.



On your second point, wouldn’t not having an address on the VLANs defeat the purpose of VRRP? Or am I missing something? From what I understand, each VRRP or failover VLAN requires an IP. Example: switch 1 VLAN 111 IP, switch 2 VLAN 111 IP. If the VLAN is not set up with VRRP and has no IP, if switch 1 fails, switch 2 will not have that VLAN available that does not have an IP and is not set up with VRRP? Am I correct?



Hi Stephen,

I think I misunderstood you. I was thinking that you required VRRP on the “client” side, but I guess you need it for your firewalls? In that case, yes, you’ll need an IP address in that VLAN on each switch and one virtual address.