3Com Switch 8800 Advanced Software V5 Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 9400sl 4-Port 10-GbE Module

761

762

763

764

765

766

767

768

769

770

Introduction to VRRP 763

CAUTION:

■ The IP address of the virtual router can be either an unused IP address on the

segment where the standby group resides or the IP address of an interface on a

router in the standby group. In the latter case, the router is called the IP

address owner.

■ In a VRRP standby group, there can only be one IP address owner.

VRRP priority

VRRP determines the role (master or backup) of each router in the standby group

by priority. A router with a higher priority has more opportunity to become the

master.

Preemption mode

■ In non-preemption mode, once a router in the standby group becomes the

master, it stays as the master as long as it operates normally, even if a backup

router is assigned a higher priority later.

■ In preemption mode, once a backup router finds its priority higher than that of

the router acting as the master, it becomes the master. Accordingly, the original

master becomes a backup.

Interface tracking

The interface tracking function expands the backup functionality of VRRP. It

provides backup not only when the interface to which a standby group is assigned

fails but also when other interfaces on the router become unavailable. This is

achieved by tracking interfaces. When a monitored interface goes down, the

priority of the router owning the interface is automatically decreased by a

specified value, allowing a higher priority router in the standby group to become

the master.

Authentication mode

VRRP provides two authentication modes:

■ Simple: Simple text authentication

■ MD5: MD5 authentication

On a secure network, you can configure the routers not to perform

authentication. In this case, neither the routers sending VRRP packets nor the

routers receiving the VRRP packets perform authentication.

On a network where potential threats are present, you can set the authentication

mode to simple. In this case, a router fills the authentication key into the VRRP

packet before sending the packet out, while the router receiving the VRRP packet

compares the authentication key in the packet with its own. If they are the same,

the packet is considered genuine and legitimate; otherwise, the packet is

considered illegitimate and is discarded.

On an insecure network, you can set the authentication mode to MD5. This allows

the router to encrypt VRRP packets using the authentication key and the MD5

algorithm and then save the encrypted packet in the authentication header (AH).

The router receiving the VRRP packet uses the authentication key to decrypt and

validate the packet.