If you are testing
If you use different encryption accelerator cards in two appliances that are part of a VRRP group or an IP cluster, such as the Nokia Encrypt Card in one appliance and the older Nokia Encryption Accelerator Card in another appliance, you must select encryption algorithms for each card that are supported on both cards. If you select different encryption algorithms on the backup appliance than on the master, failover might not occur correctly.
VRIDs must be the same on all routers in a VRRP group. If you are using
If the VRRP monitor in Network Voyager shows one of the interfaces in the initialize state, it might indicate that the IP address used as the backup address on that interface is invalid or reserved.
SNMP Get on Interfaces might list the wrong IP addresses, resulting in an incorrect policy. An SNMP Get (for the Firewall object Interfaces in the GUI Security Policy editor) fetches the lowest IP address for each interface. If the interfaces are created when the node is the VRRP master, the wrong IP address might be included in the object. To solve this problem, edit the interfaces by hand if necessary.
Firewall Policies
If your platforms are running firewall software, you must enable the firewall policies to accept VRRP packets. The multicast destination assigned by the IANA for VRRP is 224.0.0.18. If the firewall policy does not explicitly accept packets to 224.0.0.18, each firewall platform in the VRRP group assumes the VRRP master state.
Access Control Lists
If your platforms use access control lists, you must, at minimum, include the following in the access list criteria:
The source IP addresses of all participants in the VRRP group.
The VRRP multicast destination IP address, which is 224.0.0.18.
The VRRP IP protocol value, which is 112.
If these most restrictive conditions are in place, then each VRRP participant on each access control interface must have a separate rule. Alternatively, you can define a more open rule. For example, a single rule allowing all packets with DST IP 224.0.0.18 and IP protocol value 112 would work for all interfaces controlled by an access control list.
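The access-list criteria above can be checked mechanically before a rule set is deployed. The following Python is an added example, not part of the Nokia guide or of IPSO; the Rule model, first-match evaluation with an implicit drop, and the 192.0.2.x participant addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

VRRP_GROUP = ipaddress.ip_address("224.0.0.18")  # IANA multicast destination for VRRP
VRRP_PROTO = 112                                  # VRRP IP protocol value

@dataclass
class Rule:
    # Hypothetical, vendor-neutral rule model; "any" matches everything.
    action: str            # "accept" or "drop"
    src: str = "any"       # source network in CIDR form
    dst: str = "any"       # destination network in CIDR form
    proto: object = "any"  # IP protocol number

def _net_match(spec, addr):
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)

def verdict(rules, src, dst=VRRP_GROUP, proto=VRRP_PROTO):
    """Action of the first matching rule (assumed first-match, implicit drop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (_net_match(r.src, src) and _net_match(r.dst, dst)
                and r.proto in ("any", proto)):
            return r.action
    return "drop"

def blocked_participants(rules, participants):
    """Participants whose VRRP advertisements the rule set would not accept."""
    return [p for p in participants if verdict(rules, p) != "accept"]

# Constructed sample data: three VRRP participants on one interface.
PARTICIPANTS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]

# Most restrictive form: one rule per participant; the third one was forgotten.
STRICT_INCOMPLETE = [
    Rule("accept", "192.0.2.1/32", "224.0.0.18/32", 112),
    Rule("accept", "192.0.2.2/32", "224.0.0.18/32", 112),
]
# More open form: a single rule for any source.
OPEN_RULE = [Rule("accept", "any", "224.0.0.18/32", 112)]
# Right destination, wrong protocol (TCP = 6): advertisements are still dropped.
WRONG_PROTO = [Rule("accept", "any", "224.0.0.18/32", 6)]

if __name__ == "__main__":
    for name, rs in [("strict, one rule missing", STRICT_INCOMPLETE),
                     ("single open rule", OPEN_RULE), ("wrong protocol", WRONG_PROTO)]:
        print(f"{name}: blocked = {blocked_participants(rs, PARTICIPANTS)}")
```

Any participant reported as blocked will not have its advertisements seen by its peers, which is the condition under which each platform assumes the VRRP master state.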
204 | Nokia Network Voyager for IPSO 4.0 Reference Guide |