vrrp vrid authentication-mode

Function

The vrrp vrid authentication-mode command sets an authentication mode and authentication key for a specified VRRP group.

The undo vrrp vrid authentication-mode command restores the default configuration.

By default, a VRRP group uses the non-authentication mode.

Format

vrrp vrid virtual-router-id authentication-mode { md5 md5-key | hmac-sha256 hmac-sha256 }

undo vrrp vrid virtual-router-id authentication-mode

Parameters

Parameter Description Value
virtual-router-id

Specifies the ID of a VRRP group.

The value is a decimal integer ranging from 1 to 255.

md5 md5-key

Specifies an MD5 authentication key.

For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended.

The value is a string of 1 to 8 case-sensitive characters; spaces are not supported. Authentication keys are saved in ciphertext in the configuration file.

  • A non-ciphertext authentication key is a string of 1 to 8 characters.
  • A ciphertext authentication key is a string of 48 characters.

The string can contain spaces if it is enclosed with double quotation marks (").

Ciphertext passwords with different lengths are automatically supported after an upgrade.

hmac-sha256 hmac-sha256

Specifies an HMAC-SHA256 authentication key.

The value is a string of characters.

  • A non-ciphertext authentication key is a string of 1 to 8 characters.
  • A ciphertext authentication key is a string of 48 characters.

Views

Loopback interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
vrrp write

Usage Guidelines

Usage Scenario

To improve the security of protocol packets, set an authentication key for VRRP Advertisement packets. You can run the vrrp vrid authentication-mode command to set an authentication mode and authentication key for a specified VRRP group.

Prerequisites

A VRRP group has been configured using the vrrp vrid command.

Configuration Impact

After you set an authentication key for a specified VRRP group, a backup device in the group compares its authentication key with the authentication key in a received VRRP Advertisement packet.

  • If the authentication keys are the same, the backup device discards the packet and resets the timer after the VRRP module finishes processing.
  • If the authentication keys are different, the backup device directly discards the packet and enters the Master state after a period that is three times the interval at which VRRP Advertisement packets are sent.

Precautions

  • You must set the same authentication mode and authentication key for devices in a specified VRRP group. If you set different authentication modes or authentication keys, two master devices coexist. As a result, the VRRP group cannot work properly.
  • If the MD5 algorithm is used for VRRP group authentication, a risk message is displayed. The HMAC-SHA256 algorithm is recommended.

Example

# Set the authentication mode to hmac-sha256 and the authentication key to huawei for VRRP group 64 on Loopback 1.
<HUAWEI> system-view
[~HUAWEI] interface LoopBack1
[*HUAWEI-LoopBack1] ip address 10.1.1.1 255.255.255.0
[*HUAWEI-LoopBack1] vrrp vrid 64 peer-ip 10.1.1.10
[*HUAWEI-LoopBack1] vrrp vrid 64 authentication-mode hmac-sha256 huawei
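
The Precautions above require every device in a VRRP group to use the same authentication mode, and the default is non-authentication. The following audit script is an added example, not Huawei code: it checks exported configurations for groups that are unauthenticated, use MD5, or have mismatched modes. It assumes the saved configuration repeats the command form shown under Format; the device names, the sample configurations and the `<ciphertext>` placeholder are constructed.

```python
import re
from collections import defaultdict

# Command forms from the "Format" section. The key field is not compared:
# keys are saved as ciphertext, so only the mode is checked across devices.
GROUP_RE = re.compile(r"^vrrp vrid (\d+)\b")
AUTH_RE = re.compile(r"^vrrp vrid \d+ authentication-mode (md5|hmac-sha256)\s+\S")

def parse_vrrp_auth(config_text):
    """Return {vrid: mode} for one device. mode is None when the group has
    no authentication-mode line (the default, non-authentication)."""
    modes = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        group = GROUP_RE.match(line)
        if not group or not 1 <= int(group.group(1)) <= 255:
            continue  # not a VRRP line, or VRID outside the documented range
        vrid = int(group.group(1))
        modes.setdefault(vrid, None)
        auth = AUTH_RE.match(line)
        if auth:
            modes[vrid] = auth.group(1)
    return modes

def audit(devices):
    """devices: {name: config_text}. Returns a list of (vrid, finding)."""
    by_group = defaultdict(dict)
    for name, text in devices.items():
        for vrid, mode in parse_vrrp_auth(text).items():
            by_group[vrid][name] = mode
    findings = []
    for vrid, per_device in sorted(by_group.items()):
        seen = set(per_device.values())
        if len(seen) > 1:
            findings.append((vrid, "mode-mismatch"))      # two masters can coexist
        if None in seen:
            findings.append((vrid, "no-authentication"))  # default mode still in use
        if "md5" in seen:
            findings.append((vrid, "md5-in-use"))         # hmac-sha256 is recommended
    return findings

# Constructed sample configurations for two hypothetical devices.
SAMPLE = {
    "R1": "interface LoopBack1\n vrrp vrid 64 peer-ip 10.1.1.10\n"
          " vrrp vrid 64 authentication-mode hmac-sha256 <ciphertext>\n"
          " vrrp vrid 7 authentication-mode md5 <ciphertext>\n vrrp vrid 9 peer-ip 10.1.3.10\n",
    "R2": "interface LoopBack1\n vrrp vrid 64 authentication-mode hmac-sha256 <ciphertext>\n"
          " vrrp vrid 7 authentication-mode hmac-sha256 <ciphertext>\n vrrp vrid 9 peer-ip 10.1.3.1\n",
}

if __name__ == "__main__":
    for vrid, finding in audit(SAMPLE):
        print(f"vrid {vrid}: {finding}")
```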
Copyright © Huawei Technologies Co., Ltd.