VSRP-aware security features, VSRP parameters, MAC address failover on VSRP-aware devices – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide


53-1003053-01

Virtual Switch Redundancy Protocol (VSRP)

MAC address failover on VSRP-aware devices

VSRP-aware devices maintain a record of each VRID and its VLAN. When the device has received a
hello message for a VRID in a given VLAN, the device creates a record for that VRID and VLAN and
includes the port number in the record. Each subsequent time the device receives a hello
message for the same VRID and VLAN, the device checks the port number:

If the port number is the same as the port that previously received a hello message, the
VSRP-aware device assumes that the message came from the same VSRP master that sent
the previous message.

If the port number does not match, the VSRP-aware device assumes that a VSRP failover has
occurred to a new master, and moves the MAC addresses learned on the previous port to the
new port.

The VRID records age out if unused. This can occur if the VSRP-aware device becomes
disconnected from the master. The VSRP-aware device will wait for a hello message for the period
of time equal to the following.

VRID Age = Dead Interval + Hold-down Interval + (3 x Hello Interval)

The values for these timers are determined by the VSRP device sending the hello messages. If the
master uses the default timer values, the age time for VRID records on the VSRP-aware devices is
as follows.

3 + 2 + (3 x 1) = 8 seconds

In this case, if the VSRP-aware device does not receive a new hello message for a VRID in a given
VLAN, on any port, the device assumes the connection to the master is unavailable and removes
the VRID record.
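
The record handling and ageing described above, as a small Python model. This is an added example, not Brocade code: the class and method names, the per-VLAN scope of the MAC move, the exact expiry boundary and the sample MAC addresses are assumptions.

```python
from dataclasses import dataclass, field

def vrid_age(dead=3, hold_down=2, hello=1):
    """VRID Age = Dead Interval + Hold-down Interval + (3 x Hello Interval)."""
    return dead + hold_down + 3 * hello

@dataclass
class AwareTable:
    """Toy model of a VSRP-aware device's VRID records and MAC table."""
    age: int = vrid_age()                        # default timers give 8 seconds
    records: dict = field(default_factory=dict)  # (vrid, vlan) -> (port, last hello time)
    macs: dict = field(default_factory=dict)     # (vlan, mac) -> port

    def expire(self, now):
        """Drop VRID records that saw no hello, on any port, within the age time."""
        # Assumption: a record is removed once the full age time has elapsed.
        stale = [k for k, (_, seen) in self.records.items() if now - seen >= self.age]
        for k in stale:
            del self.records[k]
        return stale

    def hello(self, vrid, vlan, port, now):
        """Process one hello; return 'new', 'same-master' or 'failover'."""
        self.expire(now)
        key = (vrid, vlan)
        previous = self.records.get(key)
        self.records[key] = (port, now)
        if previous is None:
            return "new"
        if previous[0] == port:
            return "same-master"
        # Port changed: assume failover and move MACs learned on the previous port.
        # Assumption: only MACs in the record's VLAN are moved.
        for (v, mac), p in list(self.macs.items()):
            if v == vlan and p == previous[0]:
                self.macs[(v, mac)] = port
        return "failover"

# Constructed sample: VRID 1 in VLAN 200, hellos on port 1, then on port 2.
def demo():
    t = AwareTable()
    t.macs = {(200, "00:00:5e:00:53:01"): 1, (200, "00:00:5e:00:53:02"): 3}
    results = [t.hello(1, 200, 1, now=0), t.hello(1, 200, 1, now=1),
               t.hello(1, 200, 2, now=2)]
    return results, t.macs, t.expire(now=11)
```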

VSRP-Aware security features

This feature protects against unauthorized VSRP hello packets by enabling you to configure
VSRP-aware security parameters. Without VSRP-aware security, a VSRP-aware device passively
learns the authentication method conveyed by the received VSRP hello packet. The VSRP-aware
device then stores the authentication method until it ages out with the aware entry.

The VSRP-aware security feature enables you to perform the following:

Define the specific authentication parameters that a VSRP-aware device will use on a VSRP
backup switch. The authentication parameters that you define will not age out.

Define a list of ports that have authentic VSRP backup switch connections. For ports included
in the list, the VSRP-aware switch will process VSRP hello packets using the VSRP-aware
security configuration. Conversely, for ports not included in the list, the VSRP-aware switch will
not use the VSRP-aware security configuration.

If VSRP hello packets do not meet the acceptance criteria, the VSRP-aware device forwards the
packets normally, without any VSRP-aware security processing.

To configure VSRP-Aware Security features, refer to “Configuring security features on a VSRP-aware device” on page 311.

VSRP parameters

Table 55 lists the VSRP parameters.
