Vsrp-Aware Security Features; Vsrp Parameters - HP ProCurve 9304M Installation And Configuration Manual

number in the record. Each subsequent time the device receives a Hello message for the same VRID and VLAN,
the device checks the port number.
• If the port number is the same as the port that previously received a Hello message, the VSRP-aware device
assumes that the message came from the same VSRP Master that sent the previous message.
• If the port number does not match, the VSRP-aware device assumes that a VSRP failover has occurred to a
new Master, and moves the MAC addresses learned on the previous port to the new port.
The VRID records age out if unused. This can occur if the VSRP-aware device becomes disconnected from the
Master. The VSRP-aware device will wait for a Hello message for the period of time equal to the following:
VRID Age = Dead Interval + Hold-down Interval + (3 x Hello Interval)
The values for these timers are determined by the VSRP device sending the Hello messages. If the Master uses
the default timer values, the age time for VRID records on the VSRP-aware devices is as follows:
3 + 2 + (3 x 1) = 8 seconds
In this case, if the VSRP-aware device does not receive a new Hello message for a VRID in a given VLAN, on any
port, the device assumes the connection to the Master is unavailable and removes the VRID record.
Timer Scale
The VSRP Hello interval, Dead interval, Backup Hello interval, and Hold-down interval timers are individually
configurable. You also can easily change all the timers at the same time while preserving the ratios among their
values. To do so, change the timer scale. The timer scale is a value used by the software to calculate the timers.
The software divides a timer's value by the timer scale value. By default, the scale is 1. This means the VSRP
timer values are the same as the values in the configuration.

VSRP-Aware Security Features

Software release 07.6.04 enhances the security of VSRP-aware switches against unauthorized VSRP hello
packets by enabling you to configure VSRP-aware security parameters.
Without VSRP-aware security configured, a VSRP-aware device passively learns the authentication method
conveyed by the received VSRP hello packet. The VSRP-aware device then stores the authentication method
until it ages out with the aware entry.
With VSRP-aware security, you can:
• Define the specific authentication parameters that a VSRP-aware device will use on a VSRP backup switch.
The authentication parameters that you define will not age out.
• Define a list of ports that have authentic VSRP backup switch connections. For ports included in the list, the
VSRP-aware switch will process VSRP hello packets using the VSRP-aware security configuration.
Conversely, for ports not included in the list, the VSRP-aware switch will not use the VSRP-aware security
configuration.
If VSRP hello packets do not meet the acceptance criteria, the VSRP-aware device forwards the packets normally,
without any VSRP-aware security processing.

VSRP Parameters

Table 10.4 lists the VSRP parameters.
Parameter Description
Protocol VSRP state
Note: On a Routing Switch, you must disable VSRP
to use VRRPE or VRRP.
Table 10.4: VSRP Parameters
Configuring Metro Features
Default See page...
Enabled 10-27
10 - 23