vrrp vrid authentication-mode (Interface view)

Function

The vrrp vrid authentication-mode command configures an authentication mode and key for a VRRP group.

The undo vrrp vrid authentication-mode command cancels authentication for a VRRP group.

By default, a VRRP group does not authenticate packets.

Format

vrrp vrid virtual-router-id authentication-mode { simple key | md5 md5-key }

vrrp vrid virtual-router-id authentication-mode simple { plain key | cipher cipher-key }

undo vrrp vrid virtual-router-id authentication-mode

Parameters

Parameter Description Value
virtual-router-id

Specifies the ID of a VRRP group.

The value is an integer ranging from 1 to 255.

simple key

Specifies an authentication key for plaintext authentication.

  • The new password is at least eight characters long and contains at least two of the following types: upper-case letters, lower-case letters, digits, and special characters.
  • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

The value is a string of 1 to 8 case-sensitive characters, spaces not supported.

When double quotation marks are used around the string, spaces are allowed in the string.

md5 md5-key

Specifies an MD5 authentication key.

The value is a string of 1 to 8 case-sensitive characters. The string can contain spaces if it is enclosed in double quotation marks (").

plain key

Indicates plaintext authentication.

When configuring an authentication password, select the ciphertext mode. If you select the plaintext mode, the password is saved in plaintext in the configuration file, which poses a high security risk. To ensure device security, change the password periodically.

The value is a string of 1 to 8 case-sensitive characters, spaces not supported.

When double quotation marks are used around the string, spaces are allowed in the string.

cipher cipher-key

Specifies an authentication key for ciphertext authentication.

The value is a string of 1 to 8 case-sensitive characters. The string can contain spaces if it is enclosed in double quotation marks (").

Views

100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
vrrp write

Usage Guidelines

Usage Scenario

To help improve security of protocol packets, run the vrrp vrid authentication-mode command to configure an authentication mode and key for a specified VRRP group.

Prerequisites

A VRRP group has been configured using the vrrp vrid command.

Configuration Impact

If the authentication mode and key have been configured for a VRRP group, a backup device compares the authentication mode and key carried in a received VRRP Advertisement packet with the local configurations. The backup device performs different operations based on the comparison results.

  • If the authentication mode and key in the received packet are the same as the local configurations, the backup device discards the packet after the VRRP module processes the packet and resets the timer.
  • If the authentication mode and key in the received packet are different from the local configurations, the backup device immediately discards the packet and changes to the Master state after a period of three times the interval at which VRRP Advertisement packets are sent.

Precautions

  • If all virtual IP addresses assigned to a VRRP group are deleted, the system automatically deletes the VRRP group.

  • The same authentication mode must be configured for devices in a VRRP group. If different authentication modes are configured, master/backup status negotiation fails.
  • According to the RFC, the authentication mode of a VRRP group can only be simple or MD5. Both authentication modes have security risks, but MD5 is more secure and is recommended.
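
The plaintext warnings under Parameters and the precautions above can be checked offline against collected configurations. The following is an added example, not Huawei code: it parses only the command forms listed under Format, the device names, keys and sample text are constructed, and it assumes each VRID appears on one interface per device and that the supplied devices share the same VRRP groups.

```python
import re
from collections import defaultdict

# Command forms as listed under "Format" on this page.
GROUP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip\s+\S")
AUTH_RE = re.compile(
    r"^\s*vrrp vrid (\d+) authentication-mode (simple|md5)(?: (plain|cipher))?\s+\S")

def parse_device(config_text):
    """Return {vrid: (mode, storage)}; mode is None if the group has no auth line."""
    groups = {}
    for line in config_text.splitlines():
        if m := GROUP_RE.match(line):
            groups.setdefault(int(m.group(1)), (None, None))
        elif m := AUTH_RE.match(line):
            groups[int(m.group(1))] = (m.group(2), m.group(3))
    return groups

def audit(devices):
    """devices: {name: config text}. Returns sorted (device, vrid, finding) tuples."""
    findings, modes = [], defaultdict(set)
    for name, text in devices.items():
        for vrid, (mode, storage) in parse_device(text).items():
            modes[vrid].add(mode)
            if mode is None:
                findings.append((name, vrid, "no authentication (default)"))
            elif mode == "simple":
                findings.append((name, vrid, "simple mode; md5 is recommended"))
                if storage == "plain":
                    findings.append((name, vrid, "key saved as plaintext in config"))
    for vrid, seen in modes.items():
        if len(seen) > 1:  # peers disagree: master/backup negotiation fails
            findings.append(("*", vrid, "authentication mode differs between devices"))
    return sorted(findings)

# Constructed sample configurations (hypothetical devices and keys).
SAMPLE = {
    "RouterA": "interface GigabitEthernet0/1/1\n"
               " vrrp vrid 1 virtual-ip 10.10.10.10\n"
               " vrrp vrid 1 authentication-mode md5 Key-0001\n"
               " vrrp vrid 2 virtual-ip 10.10.20.10\n",
    "RouterB": "interface GigabitEthernet0/1/1\n"
               " vrrp vrid 1 virtual-ip 10.10.10.10\n"
               " vrrp vrid 1 authentication-mode simple plain Key-0001\n"
               " vrrp vrid 2 virtual-ip 10.10.20.10\n",
}

if __name__ == "__main__":
    for device, vrid, finding in audit(SAMPLE):
        print(f"{device:8} vrid {vrid}: {finding}")
```

A finding with device `*` applies to the whole VRRP group rather than to one device.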

Example

# Set the authentication mode to MD5 and the authentication key to HW-123 for VRRP group 1 configured on GE 0/1/1.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] vrrp vrid 1 virtual-ip 10.10.10.10
[*HUAWEI-GigabitEthernet0/1/1] vrrp vrid 1 authentication-mode md5 HW-123
Copyright © Huawei Technologies Co., Ltd.