Nokia IPSO 4.0 manual Monitored-Circuit Vrrp in Switched Environments

Models: IPSO 4.0


Monitored-Circuit VRRP in Switched Environments

When you use monitored-circuit VRRP, some Ethernet switches might not recognize the VRRP MAC address after a transition from the master to a backup. This is because many switches cache the MAC address associated with the Ethernet device attached to a port and when the transition occurs to a backup router, the MAC address for the virtual router appears to shift to another port. Switches that cache the MAC address may not change to the appropriate port during a VRRP transition.

To solve this problem, you can take either of the following actions:

- Replace the switch with a hub.

- Disable MAC address caching on the switch or on the switch ports that the security platforms are connected to.

If it is not possible to disable the MAC address caching, you may be able to set the address aging value to a number low enough that the addresses age out every second or two. This causes additional overhead on the switch, so you should determine whether this is a viable option for the model of switch you are running.

Another issue is sometimes seen with switches using the spanning tree protocol. This protocol was created to prevent Layer 2 loops across multiple bridges. If spanning-tree is enabled on the ports connected to both sides of a VRRP pair and it sees multicast hello packets coming for the same MAC address from two different ports, then, in most cases, this would indicate a loop and the switch blocks traffic from one port or the other. If either port is blocked then neither of the security platforms in the VRRP pair can receive the hello packets from the other half of the VRRP pair and both would assume the master router state.

If possible, turn off spanning-tree on the switch to resolve this issue. However, this can have deleterious effects if the switch is involved in a bridging loop. If you cannot disable spanning-tree, enable PortFast on the ports connected to the VRRP pair. PortFast causes a port to enter the spanning-tree forwarding state immediately, bypassing the listening and learning states. The command to enable PortFast is set spantree portfast 3/1-2 enable, where 3/1-2 refers to slot 3 ports 1 and 2.

VRRPv2 in Switched Environments

In the event that you have two interfaces on a switch that are on different VLANs and each has a VRID that is the same as the other, the system can fail. Duplicate VRIDs create duplicate MAC addresses, which will probably confuse the switch.
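The duplicate-VRID condition described above can be checked before deployment. The following is an added example, not part of the Nokia guide: it assumes the standard VRRPv2 virtual MAC format 00-00-5E-00-01-{VRID} from RFC 3768, and the inventory field names and sample values are constructed for illustration.

```python
from collections import defaultdict

# IPv4 VRRP virtual router MAC prefix (RFC 3768); the last octet is the VRID.
VRRP_MAC_PREFIX = "00:00:5e:00:01"


def vrrp_virtual_mac(vrid: int) -> str:
    """Return the VRRPv2 virtual router MAC address for a VRID (1-255)."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID out of range 1-255: {vrid}")
    return f"{VRRP_MAC_PREFIX}:{vrid:02x}"


def find_vrid_collisions(virtual_routers):
    """Report virtual MACs that one switch would see on more than one VLAN.

    virtual_routers: iterable of dicts with keys platform, switch, vlan, vrid
    (hypothetical inventory format). Two platforms sharing a VRID on the same
    VLAN are a normal VRRP pair and are not reported.
    Returns {(switch, mac): sorted list of VLANs} for colliding entries only.
    """
    vlans_by_mac = defaultdict(set)
    for vr in virtual_routers:
        mac = vrrp_virtual_mac(vr["vrid"])
        vlans_by_mac[(vr["switch"], mac)].add(vr["vlan"])
    return {key: sorted(vlans)
            for key, vlans in vlans_by_mac.items() if len(vlans) > 1}


# Constructed inventory: two security platforms (fw-a, fw-b) on two switches.
SAMPLE = [
    {"platform": "fw-a", "switch": "sw1", "vlan": 10, "vrid": 5},
    {"platform": "fw-b", "switch": "sw1", "vlan": 10, "vrid": 5},  # normal pair
    {"platform": "fw-a", "switch": "sw1", "vlan": 20, "vrid": 5},  # VRID reused
    {"platform": "fw-b", "switch": "sw1", "vlan": 20, "vrid": 5},
    {"platform": "fw-a", "switch": "sw1", "vlan": 30, "vrid": 7},
    {"platform": "fw-a", "switch": "sw2", "vlan": 40, "vrid": 7},  # other switch
]

if __name__ == "__main__":
    for (switch, mac), vlans in find_vrid_collisions(SAMPLE).items():
        print(f"{switch}: virtual MAC {mac} appears on VLANs {vlans}")
```

Assigning a distinct VRID to each VLAN that shares a switch clears every entry this check reports.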

Nokia Network Voyager for IPSO 4.0 Reference Guide
