H3C Technologies H3C S3600 Series Switches User Manual

1-3

When a switch acts as the IP address owner, its priority is always 255. That is, if there is an IP address

owner in a VRRP group, it acts as the master as long as it works properly.

If two switches have the same VRRP priority, the one whose VLAN interface takes effect earlier

becomes the master.

Preemptive mode and preemption delay of a switch in a VRRP group

You can configure an S3600 Ethernet switch to operate in preemptive mode.

z

In non-preemptive mode, as long as a switch in a VRRP group becomes the master, it stays as the

master as long as it operates normally, even if a backup is assigned a higher priority later.

z

If all the switches in a VRRP group are set to operate in preemptive mode, a backup sends VRRP

advertisements when it finds that its priority is higher than that of the current master. In this case a

new election of master is triggered, and the backup becomes the master and the former master

becomes a backup accordingly.

You can also set the preemption delay for an S3600 switch.

Setting a delay period aims at:

z

In an unstable network, backups in a VRRP group possibly cannot receive VRRP advertisements

from the master in time due to network congestions. In this case, the backup considers itself as the

master and sends out VRRP advertisements to elect master. This causes the master of the VRRP

group to be determined frequently.

z

With preemption delay configured, if a backup does not receive VRRP advertisements from the

master in time, it waits for a while before switching to a new master. The backup does not send

VRRP advertisements if it receives VRRP advertisements from the master during the specified

delay period.

Authentication type and authentication key of a switch in a VRRP group

VRRP provides the following authentication types:

z

simple: Simple text authentication. In a network under possible security threat, the authentication

type can be set to simple. With the simple authentication type configured, the switch adds an

authentication key into a VRRP packet before transmitting it. The receiver then compares the

authentication key of the packet with the locally configured one. If they are the same, the packet will

be taken as a true and legal one. Otherwise it will be regarded illegal and discarded.

z

md5: MD5 authentication. In a vulnerable network, the authentication type can be set to md5. The

switch then uses the authentication type provided in the Authentication Header and the local MD5

algorithm to authenticate the VRRP packets. Packets that fail to pass the authentication are

discarded. The switch then sends trap messages to the NMS.