Nokia Network Voyager for IPSO 4.0 Reference Guide 205
Switched Environments
Monitored-Circuit VRRP in Switched Environments
When you use monitored-circuit VRRP, some Ethernet switches might not recognize the
VRRP MAC address after a transition from the master to a backup. This is because many
switches cache the MAC address associated with the Ethernet device attached to a port;
when the transition to a backup router occurs, the MAC address for the virtual router
appears to shift to another port. Switches that cache the MAC address may not change to
the appropriate port during a VRRP transition.
To solve this problem, you can take either of the following actions:
- Replace the switch with a hub.
- Disable MAC address caching on the switch or on the switch ports that the security
  platforms are connected to. If it is not possible to disable the MAC address caching,
  you may be able to set the address aging value to a number low enough that the
  addresses age out every second or two. This causes additional overhead on the switch,
  so you should determine whether this is a viable option for the model of switch you
  are running.
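The following simulation is an added example (it is not code from the Nokia IPSO guide). It models a MAC-learning switch whose forwarding table maps each source MAC to the port it was last seen on, and runs one VRRP master-to-backup transition through it. The `sticky` switch models the caching behaviour described above: it refuses to move the virtual MAC to another port until the cached entry ages out, so the length of the outage equals the address-aging time. The port names, VRID and timings are constructed values; the virtual MAC format 00-00-5E-00-01-{VRID} is the one defined by RFC 3768 for VRRP over IPv4.

```python
"""Model of a learning Ethernet switch's MAC table across a VRRP failover.

Added example, not code from the Nokia IPSO guide. It shows why a switch
that caches the VRRP virtual MAC can keep sending traffic to the old
master's port after a transition, and how a short address-aging time
bounds the outage. Ports, VRID and timings below are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MASTER_PORT = "3/1"   # port the original master is attached to (constructed)
BACKUP_PORT = "3/2"   # port the backup is attached to (constructed)


def vrrp_virtual_mac(vrid: int) -> str:
    """IPv4 VRRP virtual MAC address as defined by RFC 3768: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


@dataclass
class LearningSwitch:
    """Minimal MAC-learning switch: table maps MAC -> (port, last_seen_seconds)."""
    aging_seconds: int
    # sticky=True models a switch that will not move a cached MAC to a new
    # port until the cached entry ages out; sticky=False relearns on every frame.
    sticky: bool = False
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def _expire(self, now: int) -> None:
        """Drop entries older than the aging timer."""
        stale = [mac for mac, (_, seen) in self.table.items()
                 if now - seen > self.aging_seconds]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac: str, port: str, now: int) -> None:
        """Source-MAC learning on an ingress frame."""
        self._expire(now)
        entry = self.table.get(src_mac)
        if self.sticky and entry is not None and entry[0] != port:
            return  # cached on another port: keep the stale entry
        self.table[src_mac] = (port, now)

    def lookup(self, dst_mac: str, now: int) -> str:
        """Egress decision for a frame: a port, or 'flood' if the MAC is unknown."""
        self._expire(now)
        entry = self.table.get(dst_mac)
        return entry[0] if entry else "flood"


def simulate_failover(aging_seconds: int, sticky: bool,
                      vrid: int = 10, failover_at: int = 10,
                      horizon: int = 1000) -> Optional[int]:
    """Run one VRRP transition at t=failover_at and return the number of
    seconds after it until host traffic for the virtual MAC is forwarded
    to the backup's port (None if that does not happen within the horizon)."""
    vmac = vrrp_virtual_mac(vrid)
    switch = LearningSwitch(aging_seconds=aging_seconds, sticky=sticky)
    for t in range(horizon):
        # Whichever node is master sends a VRRP advertisement every second,
        # sourced from the virtual MAC; that is what the switch learns from.
        master_port = MASTER_PORT if t < failover_at else BACKUP_PORT
        switch.receive(vmac, master_port, t)
        # A host sends a frame to its default gateway (the virtual MAC).
        if t >= failover_at and switch.lookup(vmac, t) == BACKUP_PORT:
            return t - failover_at
    return None


if __name__ == "__main__":
    for label, aging, sticky in [("relearning switch, 300 s aging", 300, False),
                                 ("caching switch, 300 s aging", 300, True),
                                 ("caching switch, 2 s aging", 2, True)]:
        print(f"{label}: traffic reaches the new master after "
              f"{simulate_failover(aging, sticky)} s")
```

With a switch that relearns on every frame the backup's first advertisement fixes the table and the outage is zero; with the caching switch the outage is exactly the aging timer, which is why lowering the timer to a second or two is the fallback when caching cannot be disabled outright.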
Another issue is sometimes seen with switches that use the spanning-tree protocol, which
was created to prevent Layer 2 loops across multiple bridges. If spanning-tree is enabled on
the ports connected to both sides of a VRRP pair and the switch sees multicast hello packets
with the same source MAC address arriving on two different ports, then in most cases this
indicates a loop and the switch blocks traffic on one port or the other. If either port is
blocked, neither security platform in the VRRP pair can receive the hello packets from the
other half of the pair, and both assume the master router state.
If possible, turn off spanning-tree on the switch to resolve this issue. However, this can have
deleterious effects if the switch is involved in a bridging loop. If you cannot disable
spanning-tree, enable PortFast on the ports connected to the VRRP pair. PortFast causes a
port to enter the spanning-tree forwarding state immediately, bypassing the listening and
learning states. The command to enable PortFast is
    set spantree portfast 3/1-2 enable
where 3/1-2 refers to slot 3 ports 1 and 2.
VRRPv2 in Switched Environments
If you have two interfaces on a switch that are on different VLANs and both use the same
VRID, the system can fail. Duplicate VRIDs create duplicate MAC addresses, which will
probably confuse the switch.
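A small audit script, added here as an example and not taken from the Nokia IPSO guide, makes the duplicate-VRID problem concrete. In VRRPv2 the virtual MAC is derived directly from the VRID (RFC 3768: 00-00-5E-00-01-{VRID}), so the script derives the MAC each configured virtual router will use, reports any MAC claimed by more than one router on the switch, and suggests the lowest unused VRID. The VLAN/VRID inventory below is a constructed sample.

```python
"""Audit VRRPv2 virtual-router IDs configured on one switch across VLANs.

Added example, not from the Nokia IPSO guide. VRRPv2 derives the virtual
MAC address from the VRID (RFC 3768: 00-00-5E-00-01-{VRID}), so two
virtual routers on different VLANs of the same switch that share a VRID
also share a MAC address. The configuration below is a constructed sample.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

VirtualRouter = Tuple[int, int, str]   # (vlan, vrid, description)


def vrrp_virtual_mac(vrid: int) -> str:
    """IPv4 VRRP virtual MAC address: 00-00-5E-00-01-{VRID} (RFC 3768)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def find_duplicate_macs(routers: Iterable[VirtualRouter]) -> Dict[str, List[VirtualRouter]]:
    """Group virtual routers by the MAC they will use and return only the
    MACs claimed by more than one virtual router."""
    by_mac: Dict[str, List[VirtualRouter]] = defaultdict(list)
    for vlan, vrid, desc in routers:
        by_mac[vrrp_virtual_mac(vrid)].append((vlan, vrid, desc))
    return {mac: users for mac, users in by_mac.items() if len(users) > 1}


def lowest_free_vrid(routers: Iterable[VirtualRouter]) -> Optional[int]:
    """Return the lowest VRID not used by any virtual router, or None if all 255 are taken."""
    used = {vrid for _, vrid, _ in routers}
    return next((v for v in range(1, 256) if v not in used), None)


# Constructed sample: three gateways on three VLANs behind one switch.
SAMPLE_ROUTERS: List[VirtualRouter] = [
    (10, 1, "inside gateway"),
    (20, 1, "DMZ gateway"),        # reuses VRID 1 -> same MAC as the VLAN 10 router
    (30, 2, "management gateway"),
]

if __name__ == "__main__":
    clashes = find_duplicate_macs(SAMPLE_ROUTERS)
    for mac, users in clashes.items():
        print(f"{mac} is claimed by:")
        for vlan, vrid, desc in users:
            print(f"  VLAN {vlan}, VRID {vrid} ({desc})")
    print("lowest free VRID:", lowest_free_vrid(SAMPLE_ROUTERS))
```

Run against the sample, the script reports that 00:00:5e:00:01:01 is claimed by both the VLAN 10 and VLAN 20 routers and that VRID 3 is free, which is the fix: give every virtual router that shares a switch its own VRID, even when the routers sit on different VLANs.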