
    Configuring VRRP Authentication (IPv4 Only)

    VRRP (IPv4 only) protocol exchanges can be authenticated to guarantee that only trusted switches participate in a VRRP group. By default, VRRP authentication is disabled. You can configure one of the following authentication methods for a group, and each switch in the same group must use the same method:

    • Simple authentication—Uses a text password included in the transmitted packet. The receiving switch uses an authentication key (password) to verify the packet.
    • Message Digest 5 (MD5) algorithm—Adds an authentication header (AH) to the IP packet that encapsulates the VRRP packet. You create an authentication key that is used to create a hash of the packet, and the hash is stored in the AH. A receiving switch recalculates the hash on the incoming packet and compares the hashes. If they are identical, the packet is valid and is accepted. Otherwise the switch drops the incoming packet.

    To enable authentication and specify an authentication method, include the authentication-type statement.

    authentication-type authentication;

    authentication can be simple or md5. The authentication type must be the same for all the switches in the VRRP group.

    You can include this statement at the following hierarchy level:

    • [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]

    If you include the authentication-type statement, you can configure a key (password) on each interface by including the authentication-key statement:

    key (the password) is an ASCII string. For simple authentication, it can be from 1 through 8 characters long. For MD5 authentication, it can be from 1 through 16 characters long. If you include spaces, enclose all characters in quotation marks (“ ”).

    Note: The key must be the same for all switches in the VRRP group.

    You can include this statement at the following hierarchy level:

    • [edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
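The constraints above (same method and key on every switch in a group, 1 through 8 characters for simple, 1 through 16 for MD5, ASCII only) can be checked before the statements are committed. The following Python sketch is an added example, not part of the original documentation or any Juniper tooling; it assumes the input is the `set` commands as they would be typed, with the key in plaintext, and the switch names, interface and addresses are constructed.

```python
import shlex
from collections import defaultdict

MAX_KEY_LEN = {"simple": 8, "md5": 16}   # key length limits stated on this page

def parse(set_lines):
    groups = defaultdict(dict)             # group-id -> {statement: value}
    for line in set_lines:
        tok = shlex.split(line)            # a quoted key with spaces stays one token
        if "vrrp-group" in tok[:-1]:
            i = tok.index("vrrp-group")
            entry = groups[tok[i + 1]]     # register the group even with no auth statement
            if len(tok) >= i + 4 and tok[i + 2].startswith("authentication-"):
                entry[tok[i + 2]] = tok[i + 3]
    return groups

def audit(switches):
    """switches: {name: ['set' lines as typed, plaintext key]}; findings never echo a key."""
    findings, seen = [], defaultdict(set)
    for name, lines in switches.items():
        for gid, cfg in parse(lines).items():
            atype, key = cfg.get("authentication-type"), cfg.get("authentication-key")
            seen[gid].add((atype, key))
            where = f"{name} group {gid}"
            if atype not in MAX_KEY_LEN:
                findings.append(f"{where}: authentication not enabled (type={atype})")
            elif key is None or not key.isascii() or not 1 <= len(key) <= MAX_KEY_LEN[atype]:
                findings.append(f"{where}: key must be 1-{MAX_KEY_LEN[atype]} ASCII characters")
            if atype == "simple":
                findings.append(f"{where}: simple puts the password in the packet")
    for gid, combos in seen.items():
        if len(combos) > 1:                # every switch in a group needs the same type and key
            findings.append(f"group {gid}: type or key differs between switches")
    return findings

# Constructed sample input: hypothetical switches, interface and documentation addresses.
P = "set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.{}/24 vrrp-group "
SAMPLE = {
    "sw1": [P.format(2) + '10 authentication-type md5',
            P.format(2) + '10 authentication-key "core key 1"',
            P.format(2) + '20 authentication-type simple',
            P.format(2) + '20 authentication-key ninechars'],
    "sw2": [P.format(3) + '10 authentication-type md5',
            P.format(3) + '10 authentication-key "core key 2"',
            P.format(3) + '20 virtual-address 192.0.2.1'],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
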

    Modified: 2016-12-06