

Notable Replies

  1. Hello Rene,

    One quick question: if there is any mismatch in the authentication … in the first place it should not forward packets at all? We could see some packets are being forwarded … could you please explain?

    Thanks
    Shayan

  2. Hi Shayan,
    Believe it or not, what you are seeing is expected behavior from VRRP! If the authentication is not correct from a VRRP neighbor, then its packets get ignored. Each side will claim the other has incorrect authentication, so each VRRP router believes itself to be the master, and each will claim to own the IP address! The only upside to this is that assuming each side is using the same VRRP instance number, the MAC address will agree between them, so other computers on the network would have no idea this is going on. Additionally, should one of the VRRP mismatch routers fail, the VRRP IP will remain up–so you will achieve fault-tolerance by accident.

    By the way, besides an authentication mismatch, the same thing will happen should the VRRP timers not match as well.

    This goes to show you how useless authentication is with VRRP. The whole point of authentication is to stop a rogue device from claiming to be the virtual IP, but clearly it doesn’t matter.

    Below is a sample VRRP output from two routers in this situation. Notice how they disagree on the IP of the Master Router:

    R1#sh vrrp
    FastEthernet0/0 - Group 1
      State is Master
      Virtual IP address is 10.0.0.254
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 100
      Authentication MD5, key-string
      Master Router is 10.0.0.252 (local), priority is 100
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec
    
    R2#sh vrrp
    FastEthernet0/0 - Group 1
      State is Master
      Virtual IP address is 10.0.0.254
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 100
      Master Router is 10.0.0.253 (local), priority is 100
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec
    

    --Andrew
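
A check for the dual-master condition described in the reply above, as an added example that is not part of the original thread: it parses `show vrrp` output collected from each router and flags any group where more than one router reports `State is Master`, noting whether the authentication or advertisement-interval lines differ. The function names are hypothetical, the parser assumes the Cisco IOS output format quoted above, and a router that prints no Authentication line is recorded as `none`.

```python
import re

# Output as quoted in the post above, trimmed to the lines this check reads.
SAMPLE = """\
R1#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Advertisement interval is 1.000 sec
  Authentication MD5, key-string
R2#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Advertisement interval is 1.000 sec
"""

FIELDS = {"state": r"State is (\S+)", "vip": r"Virtual IP address is (\S+)",
          "adv": r"Advertisement interval is (\S+) sec", "auth": r"Authentication (.+)"}

def parse_show_vrrp(text):
    """Return one dict per router/group block; assumes the IOS layout shown above."""
    entries, host = [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(\S+)#\s*sh\S*\s+vrrp", line):
            host = m.group(1)  # hostname taken from the CLI prompt
        elif m := re.match(r"(\S+) - Group (\d+)$", line):
            entries.append({"router": host, "group": int(m.group(2)), "auth": "none"})
        elif entries:
            for key, rx in FIELDS.items():
                if m := re.match(rx, line):
                    entries[-1][key] = m.group(1)
    return entries

def find_split_brain(entries):
    """Flag groups with more than one Master and name which of auth/timers differ."""
    groups = {}
    for e in entries:
        groups.setdefault((e["group"], e.get("vip")), []).append(e)
    findings = []
    for (group, vip), members in groups.items():
        masters = [e for e in members if e.get("state") == "Master"]
        if len(masters) > 1:
            diff = [k for k in ("auth", "adv") if len({e.get(k) for e in masters}) > 1]
            findings.append({"group": group, "vip": vip, "mismatched": diff,
                             "masters": sorted(e["router"] for e in masters)})
    return findings

if __name__ == "__main__":
    print(find_split_brain(parse_show_vrrp(SAMPLE)))
```

An empty `mismatched` list with two masters means both settings agree in the collected output, so the cause lies elsewhere.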

  3. Hello Andrew,

    Thanks a lot for your detailed explanation on the vrrp authentication.

    Regards!
    Shayan
