Nokia IPSO 4.0 manual Hello Interval, Authentication, 188

Models: IPSO 4.0


which to skew the Master_Down_Interval) is calculated as Skew_time = ((256 - Priority) / 256).

You can configure your VRID to specify one platform as the established master by assigning it a higher priority, or you can assign equivalent priority to all platforms. If you specify an established master by assigning it a higher priority, the original master recovers control after a failover event and takes back control of the VRID. If you assigned the original master equivalent priority with the backup, it does not resume control of the VRID. You might choose to specify one platform as the established master if it has more capacity than the other; for example, if the master is an IP530 and the backup is an IP330. If both security platforms have the same capacity, you might choose to use equivalent priority in order to have fewer VRRP transitions. You can also use the preempt mode to accomplish the same thing.

Hello Interval

The hello interval is the time interval in seconds at which the master sends VRRP advertisements. The default (and minimum) value is 1 second.

Set the hello interval to the same value for all nodes of a given VRID. If the hello interval is different, VRRP discards packets, which results in both platforms going to the master state.

The hello interval also determines the failover interval; that is, how long it takes a backup router to take over from a failed master. If the master misses three hello advertisements, it is considered to be down. Because the minimum hello interval is 1 second, the minimum failover time is 3 seconds (3 * Hello_interval).

Authentication

You must select the same authentication method for all nodes in a VRID.

Choose None to require no authentication for VRRP advertisements; choose Simple to require a password before a VRRP advertisement is accepted by the interface, then enter the password in the Password text field.

• None—Select only in environments where there is minimal security risk and little chance for configuration errors (for example, only two VRRP routers on a LAN).

• Simple—VRRP protocol exchanges are authenticated by a simple clear-text password. You can use this authentication method to protect against a router inadvertently backing up another router in cases where you have more than one VRRP group in a network.

Simple authentication does not protect against hostile attacks where the password can be learned by a node snooping VRRP packets on the LAN. However, when combined with the TTL check used by VRRP (TTL is set to 255 and is checked on receipt), simple authentication makes it unlikely that a VRRP packet from another LAN will disrupt VRRP operation.
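
The receiver-side checks described under Hello Interval and Authentication, as an added example that is not part of the Nokia manual or IPSO code. The packet layout is the VRRPv2 advertisement from RFC 2338; the function names and the sample values are assumptions made for this illustration.

```python
import struct

# Field layout follows the VRRPv2 advertisement in RFC 2338. All function names
# here are hypothetical; packets are constructed by build_advert for the example.
AUTH_NONE, AUTH_SIMPLE = 0, 1

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, hello, addrs, auth_type=AUTH_NONE, password=b""):
    """Build a constructed advertisement for exercising the receiver checks."""
    body = bytes([0x21, vrid, priority, len(addrs), auth_type, hello, 0, 0])
    body += b"".join(bytes(map(int, a.split("."))) for a in addrs)
    body += password.ljust(8, b"\x00")[:8]      # 8-byte clear-text auth field
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

def check_advert(ip_ttl, pkt, vrid, hello, auth_type=AUTH_NONE, password=b""):
    """Return 'accept' or the reason a receiver would discard the packet."""
    if ip_ttl != 255:
        return "discard: TTL is not 255 (packet crossed a router)"
    if len(pkt) < 16 or pkt[0] != 0x21:         # version 2, type 1
        return "discard: not a VRRPv2 advertisement"
    if len(pkt) != 8 + 4 * pkt[3] + 8 or inet_checksum(pkt) != 0:
        return "discard: bad length or checksum"
    if pkt[1] != vrid:
        return "discard: VRID not configured here"
    if pkt[4] != auth_type:
        return "discard: authentication method mismatch"
    if auth_type == AUTH_SIMPLE and pkt[-8:] != password.ljust(8, b"\x00")[:8]:
        return "discard: password mismatch"
    if pkt[5] != hello:
        return "discard: hello interval mismatch"
    return "accept"

def master_down_interval(hello, priority):
    """Seconds a backup waits before taking over: 3 hellos plus Skew_time."""
    return 3 * hello + (256 - priority) / 256
```

When every advertisement is discarded for a hello interval or authentication mismatch, the backup's Master_Down_Interval expires and both platforms end up in the master state.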


Nokia Network Voyager for IPSO 4.0 Reference Guide