4
188
Nokia Network Voyager for IPSO 4.0 Reference Guide
which to skew the Master_Down_Interval) is calculated as
Skew_time = ( (256 - Priority) /
256) )
.
You can configure your VRID to specify one platform as the
established master
by assigning it a
higher priority, or you can assign
equivalent priority
to all platforms. If you specify an
established master by assigning it a higher priority, the original master recovers control after a
failover event and it takes back control of the VRID. If you assigned the original master
equivalent priority with the backup, it does not resume control of the VRID. You might choose
to specify one platform as the established master if it has more capacity than the other; for
example if the master is an IP530 and the backup is an IP330. If both security platforms have the
same capacity, you might choose to use equivalent priority in order to have fewer VRRP
transitions. You can also use the preempt mode to accomplish the same thing.
Hello Interval
The hello interval is the time interval in seconds at which the master sends VRRP
advertisements. The default (and minimum) value is 1 second.
Set the hello interval to the same value for all nodes of a given VRID. If the hello interval is
different, VRRP discards packets, which results in both platforms going to the master state.
The hello interval also determines the failover interval; that is, how long it takes a backup router
to take over from a failed master. If the master misses three hello advertisements, it is considered
to be down. Because the minimum hello interval is 1 second, therefore the minimum failover
time is 3 seconds (3 * Hello_interval).
Authentication
You must select the same authentication method selected for all nodes in a VRID.
Choose None to require no authentication for VRRP advertisements; choose Simple to require a
password before a VRRP advertisement is accepted by the interface, then enter the password in
the Password text field.
None
—Select only in environments where there is minimal security risk and little chance
for configuration errors (for example, only two VRRP routers on a LAN).
Simple
—VRRP protocol exchanges are authenticated by a simple clear-text password. You
can use this authentication method to protect against a router inadvertently backing up
another router in cases where you have more than one VRRP group in a network.
Simple authentication does not protect against hostile attacks where the password can be
learned by a node snooping VRRP packets on the LAN. However, when combined with the
TTL check used by VRRP (TTL is set to 255 and is checked on receipt), simple
authentication make it unlikely that a VRRP packet from another LAN will disrupt VRRP
operation.
Summary of Contents for IPSO 4.0
Page 4: ...4 Nokia Network Voyager for IPSO 4 0 Reference Guide ...
Page 182: ...3 182 Nokia Network Voyager for IPSO 4 0 Reference Guide ...
Page 206: ...4 206 Nokia Network Voyager for IPSO 4 0 Reference Guide ...
Page 248: ...5 248 Nokia Network Voyager for IPSO 4 0 Reference Guide ...
Page 266: ...6 266 Nokia Network Voyager for IPSO 4 0 Reference Guide ...
Page 286: ...7 286 Nokia Network Voyager for IPSO 4 0 Reference Guide ...
Page 350: ...8 350 Nokia Network Voyager for IPSO 4 0 Reference Guide ...
Page 478: ...11 478 Nokia Network Voyager for IPSO 4 0 Reference Guide ...