(Optional) Setting the Authentication Mode of VRRP Advertisement Packets

Context

Different authentication modes and authentication keys can be set in VRRPv2 Advertisement packets:
  • Non-authentication: The local device does not authenticate VRRP Advertisement packets before sending them. The remote device does not authenticate the received VRRP Advertisement packets and considers all the received packets valid.
  • Simple authentication: The local device encapsulates the authentication mode and authentication key into an outgoing VRRP Advertisement packet. When the remote device receives the VRRP Advertisement packet, it checks whether the authentication mode and authentication key in the packet are the same as those configured locally. If so, the device considers the received VRRP Advertisement packet valid. If not, the device considers the received VRRP Advertisement packet invalid and discards it.
  • MD5 authentication: The local device uses the MD5 algorithm to encrypt the authentication key and encapsulates the key in the Authentication Data field of an outgoing VRRP Advertisement packet. Upon receipt of the VRRP Advertisement packet, the remote device decrypts the authentication key and checks whether the authentication mode and authentication key are the same as those configured locally. If they are the same, the remote device accepts the packet; otherwise, it discards the packet.

Only VRRPv2 supports authentication. VRRPv3 does not support authentication. VRRPv2 reserves the authentication field in VRRP Advertisement packets to be compatible with VRRP defined in earlier versions. VRRP authentication cannot improve security.
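The following added example (not part of the original documentation and not vendor code) parses a VRRPv2 Advertisement packet and shows that, in simple authentication mode, the key is carried readably in the Authentication Data field. It assumes the packet layout defined in RFC 2338; the sample packet, the address 192.0.2.1, and the key `labkey` are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Auth Type values from RFC 2338; any other value is reported numerically.
AUTH_TYPES = {0: "none", 1: "simple"}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_vrrpv2(msg: bytes) -> dict:
    """Decode one VRRPv2 Advertisement (VRRP payload only, no IP header)."""
    if len(msg) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    ver_type, vrid, prio, count, auth_type, _adv, _csum = struct.unpack("!BBBBBBH", msg[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(msg) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    addrs = [str(IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = msg[-8:]  # fixed 8-byte Authentication Data field
    key = None
    if auth_type == 1:  # simple mode: zero-padded text key, readable as-is
        key = auth_data.rstrip(b"\x00").decode("ascii", "replace")
    return {
        "vrid": vrid, "priority": prio, "addresses": addrs,
        "auth_type": AUTH_TYPES.get(auth_type, f"type {auth_type}"),
        "auth_data_hex": auth_data.hex(),
        "cleartext_key": key,
        "checksum_ok": inet_checksum(msg) == 0,  # valid message sums to zero
    }

def build_sample() -> bytes:
    """Constructed packet: VRID 1, priority 100, 192.0.2.1, simple key 'labkey'."""
    body = (bytes([0x21, 1, 100, 1, 1, 1, 0, 0])
            + IPv4Address("192.0.2.1").packed + b"labkey\x00\x00")
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

if __name__ == "__main__":
    print(parse_vrrpv2(build_sample()))
```

Running the same parser over VRRP payloads taken from a capture of your own network is a quick way to audit which VRRP groups still use non-authentication or simple authentication.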

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.

  4. Run vrrp vrid virtual-router-id authentication-mode { simple { key | plain key | cipher cipher-key } | md5 md5-key }

    The authentication mode in VRRP Advertisement packets is configured.

    By default, a VRRP group uses non-authentication.

    • Devices in a VRRP group must be configured with the same authentication mode and authentication key; otherwise, the VRRP group cannot negotiate the Master and Backup states.

    • For security purposes, you are advised to use MD5 as the authentication algorithm of VRRP.

Copyright © Huawei Technologies Co., Ltd.