3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
194 CHAPTER 13: VRRP CONFIGURATIONS
Configuring Preemption Mode and Preemption Delay
In non-preemption mode, once a security gateway in the standby group becomes
the master and operates well, other security gateways, even if assigned a higher
priority later, cannot preempt it. A security gateway working in preemption mode,
however, can preempt a lower-priority master. Accordingly, the existing master
becomes a backup.
When enabling preemption in a standby group, you can configure a delay by using
the vrrp vrid command to have the backup wait for a while before preempting
the existing master. This is to prevent frequent state transitions on an unstable
network where the backup group security gateways cannot receive packets from
the master regularly due to network congestion.
The delay is in the range 0 to 255 seconds.
Perform the following configuration in interface view.
The default mode is preemption without delay.
Note: After you disable preemption, the preemption delay automatically becomes 0
seconds.
Configuring Authentication Mode and Authentication Key
VRRP provides two authentication modes: simple (simple text authentication) and
MD5.
On a secure network, you can use the default where no authentication key is
required. In this way, the security gateway will authenticate neither VRRP packets
to be sent nor those received.
On a network where potential threats are present, you can set the authentication
mode to simple, where the authentication key must not be greater than eight
bytes. When the security gateway sends a VRRP packet, it fills the authentication
key into the VRRP packet. When the security gateway receives a VRRP packet, it
compares the authentication key in the packet with the one that it retains. If they
are the same, the packet is considered genuine and legitimate. Otherwise, the
packet is considered illegitimate and is discarded.
On an unsafe network, you can set the authentication mode to MD5, where the
authentication key must not be greater than eight bytes. This allows the security
gateway to authenticate VRRP packets using the authentication method provided
by authentication header (AH) and the MD5 algorithm. The length of the
authentication key can be either less than eight characters or 24 characters. If you
input in plain text, the length ranges from one to eight characters, such as
1234567; if you input in encrypted text, the length must be 24 characters, such as
(TT8F]Y5SQ=^Q‘MAF4<1!!.
The security gateway discards the packets that fail authentication and sends traps.
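Added example (not from the 3Com guide): a Python audit helper that parses a VRRP advertisement and reports which authentication mode it carries, showing that in simple mode the key is filled into the packet itself, as described above. It assumes standard VRRP version 2 framing (RFC 2338); the function names and the sample packet (VRID 1, virtual IP 192.0.2.1, key 1234567) are constructed for illustration.

```python
import struct

AUTH_TYPES = {0: "none", 1: "simple", 2: "md5-ah"}  # RFC 2338 Auth Type values

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum over the VRRP message (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_vrrp_v2(msg: bytes) -> dict:
    """Parse a VRRPv2 advertisement (the payload of IP protocol 112)."""
    if len(msg) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    ver_type, vrid, prio, count, auth, _adver, _cksum = struct.unpack("!BBBBBBH", msg[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    end_ips = 8 + 4 * count
    if len(msg) < end_ips + 8:
        raise ValueError("truncated address list or authentication data")
    ips = [".".join(str(b) for b in msg[i:i + 4]) for i in range(8, end_ips, 4)]
    auth_data = msg[end_ips:end_ips + 8]  # fixed 8-byte field, zero padded
    return {
        "vrid": vrid, "priority": prio, "virtual_ips": ips,
        "auth_mode": AUTH_TYPES.get(auth, "unknown(%d)" % auth),
        # A valid message sums to zero when its own checksum field is included.
        "checksum_ok": inet_checksum(msg[:end_ips + 8]) == 0,
        "key_on_wire": auth_data.rstrip(b"\x00") if auth == 1 else None,
    }

def audit(msg: bytes) -> str:
    """Return a finding for the authentication mode an advertisement uses."""
    info = parse_vrrp_v2(msg)
    if info["auth_mode"] == "none":
        return "VRID %d: no authentication" % info["vrid"]
    if info["auth_mode"] == "simple":
        return "VRID %d: simple key readable in every advertisement" % info["vrid"]
    return "VRID %d: %s" % (info["vrid"], info["auth_mode"])

def build_sample(auth_type: int, key: bytes) -> bytes:
    """Constructed advertisement: VRID 1, priority 100, virtual IP 192.0.2.1."""
    body = bytes([0x21, 1, 100, 1, auth_type, 1, 0, 0, 192, 0, 2, 1]) + key.ljust(8, b"\x00")
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
```

Running `audit()` over advertisements captured on each VRRP segment gives a quick inventory of standby groups still using no authentication or simple mode.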
Table 203 Configure the preemption mode and preemption delay for a standby group

Operation: Enable preemption and configure preemption delay for a standby group.
Command:   vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]

Operation: Disable preemption in the standby group.
Command:   undo vrrp vrid virtual-router-ID preempt-mode