(Optional) Configuring a VRRP Security Policy

A VRRP security policy can be configured to protect a network requiring high security against attacks.

Context

When the master device periodically sends VRRP Advertisement packets to a backup device, an attacker may forge packets that appear to come from the master device to initiate attacks. To improve network security, configure a VRRP security policy. Table 1 describes VRRP security functions.

Table 1 VRRP security functions

Function item: Configuring an authentication mode for VRRP Advertisement packets

Description: Different authentication modes can be used for different security requirements.

  • None authentication is the default mode and is used on a secure network. With none authentication, the master device sends VRRP Advertisement packets without authentication information, and a backup device treats all received packets as authentic and valid without attempting to authenticate them.
  • Simple authentication or message digest algorithm 5 (MD5) authentication can be used to improve VRRP communication security. MD5 authentication is more secure than simple authentication.

Procedure

  • Configure an authentication mode for VRRP Advertisement packets.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The view of the interface on which the VRRP group is configured is displayed.

    3. Run vrrp vrid virtual-router-id authentication-mode { simple { [ plain ] key | cipher cipher-key } | md5 md5-key }

      An authentication mode is configured for VRRP Advertisement packets.

      • When configuring an authentication password, select ciphertext mode. In simple text mode, the password is saved in configuration files in simple text, which poses a high security risk. To ensure device security, change the password periodically.
      • The authentication key configured on the master device must be the same as that configured on a backup device in the same VRRP group.

    4. Run commit

      The configuration is committed.
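
The following audit script is an added example, not part of the original Huawei documentation. It checks the saved configurations of a master and a backup device for VRRP groups left on none authentication, for keys saved in simple text, and for differing authentication modes. It assumes that saved configuration lines mirror the command syntax in step 3; the sample configurations, keys, and addresses are constructed.

```python
import re

# Assumption: saved configuration lines mirror the command syntax on this page,
# and each VRID is used on only one interface per device.
VRID_RE = re.compile(r"^\s*vrrp vrid (\d+)\b")
AUTH_RE = re.compile(
    r"^\s*vrrp vrid \d+ authentication-mode (simple|md5)(?: (plain|cipher))?\s+\S+")

def vrrp_auth_modes(config):
    """Map VRID -> 'none', 'simple-plain', 'simple-cipher' or 'md5'."""
    modes = {}
    for line in config.splitlines():
        if not (m := VRID_RE.match(line)):
            continue
        vrid = int(m.group(1))
        modes.setdefault(vrid, "none")  # group exists; no auth line seen yet
        a = AUTH_RE.match(line)
        if a and a.group(1) == "md5":
            modes[vrid] = "md5"
        elif a:
            # Per the syntax, a key without the cipher keyword is simple text.
            modes[vrid] = "simple-cipher" if a.group(2) == "cipher" else "simple-plain"
    return modes

def audit(master_cfg, backup_cfg):
    """Return findings for both devices (modes are compared, keys are not)."""
    master, backup = vrrp_auth_modes(master_cfg), vrrp_auth_modes(backup_cfg)
    findings = []
    for name, modes in (("master", master), ("backup", backup)):
        for vrid, mode in sorted(modes.items()):
            if mode == "none":
                findings.append(f"{name} vrid {vrid}: no authentication configured")
            elif mode == "simple-plain":
                findings.append(f"{name} vrid {vrid}: key saved in simple text")
    for vrid in sorted(master.keys() & backup.keys()):
        if master[vrid].split("-")[0] != backup[vrid].split("-")[0]:
            findings.append(f"vrid {vrid}: authentication mode differs "
                            f"({master[vrid]} vs {backup[vrid]})")
    return findings

# Constructed sample configurations (keys and addresses are placeholders).
MASTER = """interface GigabitEthernet0/1/0
 vrrp vrid 1 virtual-ip 192.0.2.1
 vrrp vrid 1 authentication-mode md5 EXAMPLE-CIPHERTEXT
 vrrp vrid 2 virtual-ip 192.0.2.65"""
BACKUP = """interface GigabitEthernet0/1/0
 vrrp vrid 1 virtual-ip 192.0.2.1
 vrrp vrid 1 authentication-mode simple plain EXAMPLE-KEY
 vrrp vrid 2 virtual-ip 192.0.2.65"""
```

Calling audit(MASTER, BACKUP) on the constructed samples returns four findings: VRID 2 without authentication on both devices, the simple text key on the backup, and the mode difference for VRID 1.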

Copyright © Huawei Technologies Co., Ltd.