HP ProCurve 9304M Installation And Configuration Manual page 325

Configuring Security Features on a VSRP-Aware Device
NOTE: This feature is available in software releases 07.6.04 and later.
The VSRP-aware security feature enables you to:
• Define the specific authentication parameters that a VSRP-aware device will use on a VSRP backup switch. The authentication parameters that you define will not age out.
• Define a list of ports that have authentic VSRP backup switch connections. For ports included in the list, the VSRP-aware switch will process VSRP hello packets using the VSRP-aware security configuration. Conversely, for ports not included in the list, the VSRP-aware switch will not use the VSRP-aware security configuration.
If VSRP hello packets do not meet the acceptance criteria, the VSRP-aware device forwards the packets normally, without any VSRP-aware security processing.
Specifying an Authentication String for VSRP Hello Packets
The following configuration defines pri-key as the authentication string for accepting incoming VSRP hello
packets. In this example, the VSRP-aware device will accept all incoming packets that have this authentication
string.
HP9300(config)# vlan 10
HP9300(config-vlan-10)# vsrp-aware vrid 3 simple-text-auth pri-key
Syntax: vsrp-aware vrid <vrid number> simple-text-auth <string>
Specifying no Authentication for VSRP Hello Packets
The following configuration specifies no authentication as the preferred VSRP-aware security method. In this
case, the VSRP device will not accept incoming packets that have authentication strings.
HP9300(config)# vlan 10
HP9300(config-vlan-10)# vsrp-aware vrid 2 no-auth
Syntax: vsrp-aware vrid <vrid number> no-auth
The following configuration specifies no authentication for VSRP hello packets received on ports 1/1, 1/2, 1/3, and
1/4 in VRID 4. For these ports, the VSRP device will not accept incoming packets that have authentication strings.
HP9300(config)# vlan 10
HP9300(config-vlan-10)# vsrp-aware vrid 4 no-auth port-list ethe 1/1 to 1/4
Syntax: vsrp-aware vrid <vrid number> no-auth port-list <port range>
<vrid number> is a valid VRID (from 1 to 255).
no-auth specifies no authentication as the preferred VSRP-aware security method. The VSRP device will not
accept incoming packets that have authentication strings.
simple-text-auth <string> specifies the authentication string for accepting VSRP hello packets, where <string>
can be up to 8 characters.
port-list <port range> specifies the range of ports to include in the configuration.
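An added example, not from the HP manual: a Python check that audits saved configuration text against the syntax rules above (VRID from 1 to 255, string up to 8 characters) and lists each no-auth VRID with its port scope so the ports can be reviewed. The sample configuration is constructed and the function names are hypothetical; only the three command forms shown in this section are parsed.

```python
import re

# Constructed sample config using only the command forms shown in this section.
SAMPLE_CONFIG = """\
vlan 10
 vsrp-aware vrid 3 simple-text-auth pri-key
 vsrp-aware vrid 2 no-auth
 vsrp-aware vrid 4 no-auth port-list ethe 1/1 to 1/4
 vsrp-aware vrid 300 simple-text-auth much-too-long
"""

LINE_RE = re.compile(
    r"^vsrp-aware vrid (?P<vrid>\d+) "
    r"(?:simple-text-auth (?P<key>\S+)|no-auth(?: port-list (?P<ports>.+))?)$"
)
# Matches the abbreviated "ethe" and the full "ethernet" keyword.
RANGE_RE = re.compile(r"^ethe\w* (\d+)/(\d+)(?: to (\d+)/(\d+))?$")

def expand_ports(spec):
    """Expand 'ethe 1/1 to 1/4' into ['1/1', ..., '1/4'] (single-slot ranges only)."""
    m = RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognized port range: {spec!r}")
    slot, first, end_slot, last = m.groups()
    if end_slot is None:
        return [f"{slot}/{first}"]
    if end_slot != slot or int(last) < int(first):
        raise ValueError(f"unsupported port range: {spec!r}")
    return [f"{slot}/{p}" for p in range(int(first), int(last) + 1)]

def audit(config):
    """Return (vlan, vrid, finding) tuples for vsrp-aware lines that need review."""
    findings, vlan = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vlan "):
            vlan = int(line.split()[1])
        elif m := LINE_RE.match(line):
            vrid = int(m["vrid"])
            if not 1 <= vrid <= 255:
                findings.append((vlan, vrid, "VRID outside 1-255"))
            if m["key"] is None:
                # no-auth: report which ports it covers so they can be checked
                ports = expand_ports(m["ports"]) if m["ports"] else None
                scope = ", ".join(ports) if ports else "no port-list"
                findings.append((vlan, vrid, f"no-auth ({scope})"))
            elif len(m["key"]) > 8:
                findings.append((vlan, vrid, "auth string longer than 8 characters"))
    return findings
```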
Removing a Port from the VRID's VLAN
By default, all the ports in the VLAN on which you configure a VRID are interfaces for the VRID. You can remove
a port from the VRID while allowing it to remain in the VLAN.
Removing a port is useful in the following cases:
• There is no risk of a loop occurring, such as when the port is attached directly to an end host.
• You plan to use a port in an MRP ring.
To remove a port from a VRID, enter a command such as the following at the configuration level for the VRID:
HP9300(config-vlan-200-vrid-1)# no include-port ethernet 1/2
Configuring Metro Features