Cisco VRRP

Uploaded by

p300644

Procedure https://cll1.cisco.com/content/xtrac/2

Discovery 15: Configure VRRP and Spot the Differences from HSRP

Procedure

Step 1 - Configure Ethernet 0/1 on R1 with the IP address 192.168.1.3 and the VRRP virtual
IP address 192.168.1.1.
R1(config)# interface ethernet 0/1
R1(config-if)# ip address 192.168.1.3 255.255.255.0
R1(config-if)# vrrp 1 ip 192.168.1.1

Like HSRP, VRRP uses the concept of the virtual IP address to provide the end-user devices with redundant
first-hop connectivity. The virtual IP address is configured by using the vrrp group_number ip virtual_ip
interface configuration command.

You can use one of the "real" IP addresses from physical routers as the virtual IP address. In this example,
you could, for instance, use 192.168.1.3 as the virtual IP address.

Step 2 - Configure Ethernet 0/1 on R2 with the IP address of 192.168.1.2 and the VRRP
virtual IP address of 192.168.1.1.
R2(config)# interface ethernet 0/1
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)# vrrp 1 ip 192.168.1.1

With HSRP, you could leave out the group number when performing the configuration and it will default to
group 0. With VRRP there is no such default. You need to specify a group number, which can be anything
between 1 and 255.

Step 3 - Configure Ethernet 0/1 on R2 with a VRRP priority of 110.


R2(config-if)# vrrp 1 priority 110

In the CLIs of the routers, notice that one of the devices transitioned to the master state and the other to
the backup state.

A higher priority is configured on a device that should be the master of the VRRP group. In this example you
configured R2 with a priority of 110. R1 is left with the default priority of 100.

However, if you use one of the router IP addresses as the virtual IP address, priorities are ignored for the
purpose of electing the master. The router that has the IP address that matches the virtual IP address will
become the master.

VRRP has pre-emption enabled by default. HSRP has pre-emption disabled by default.

1 of 3 10/20/2017, 8:33 AM

Step 4 - On VRRP-enabled devices, verify the VRRP status.


R1# show vrrp
Ethernet0/1 - Group 1
State is Backup
Virtual IP address is 192.168.1.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 192.168.1.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.049 sec)

In the output of R1, you can see the MAC address of the virtual router. The MAC address has the following
form: 0000.5e00.01XX, where XX is the two-digit hexadecimal group number.

R2# show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Et0/1              1   110 3570       Y  Master  192.168.1.2     192.168.1.1

To verify VRRP status, use the show vrrp command. If you append the brief keyword, you will get a more
condensed view.

VRRP and Authentication

The VRRP standard used to specify plaintext and MD5 authentication, which was later revoked. However,
Cisco IOS devices still support authentication mechanisms.

• VRRP used plaintext and MD5 authentication with RFC 2338.
• RFC 3768 and RFC 5798 remove authentication support for VRRP.
• Cisco IOS Software still supports the RFC 2338 authentication mechanisms.

R1(config-if)# vrrp group_number authentication text key_string

• Configures plaintext authentication

R1(config-if)# vrrp group_number authentication md5 key-string key_string

• Configures MD5 authentication

According to RFC 5798, operational experience and further analysis determined that VRRP authentication did
not provide sufficient security to overcome the vulnerability of misconfigured secrets, causing multiple masters
to be elected. Due to the nature of the VRRP protocol, even if VRRP messages are cryptographically
protected, it does not prevent hostile nodes from behaving as if they are the VRRP master, creating multiple
masters. Authentication of VRRP messages could have prevented a hostile node from causing all properly
functioning routers from going into the backup state. However, having multiple masters can cause as much
disruption as no routers, which authentication cannot prevent. Also, even if a hostile node could not disrupt
VRRP, it can disrupt ARP and create the same effect as having all routers go into the backup state.

Independent of any authentication type, VRRP includes a mechanism (setting TTL = 255, checking on receipt)
that protects against VRRP packets being injected from another remote network. This setting limits most
vulnerabilities to local attacks.
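The receive-side checks described above (TTL = 255, plus the header fields and the 0000.5e00.01XX virtual MAC), as an added Python example that is not part of the original lab. It parses a VRRPv2 advertisement in the RFC 2338/3768 layout; the sample packet is constructed from the lab's R2 values and the function names are hypothetical.

```python
import ipaddress
import struct

VRRP_PROTO = 112
VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")
AUTH_TYPES = {0: "none", 1: "plaintext", 2: "IP AH"}  # RFC 2338 values

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum, as used by the VRRPv2 checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def validate_advert(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying a VRRPv2 advertisement and list findings."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    dst = ipaddress.IPv4Address(packet[16:20])
    vrrp = packet[ihl:]
    ver_type, vrid, prio, count, auth, interval = struct.unpack("!6B", vrrp[:6])
    findings = []
    if proto != VRRP_PROTO or dst != VRRP_GROUP:
        findings.append("not IP protocol 112 to 224.0.0.18")
    if ttl != 255:
        findings.append(f"TTL {ttl} is not 255: receiver must discard")
    if ver_type != 0x21:
        findings.append("not a version 2 advertisement")
    if inet_checksum(vrrp) != 0:  # a valid message, checksum included, sums to 0
        findings.append("bad VRRP checksum")
    vips = [str(ipaddress.IPv4Address(vrrp[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"src": str(ipaddress.IPv4Address(packet[12:16])), "vrid": vrid,
            "priority": prio, "vips": vips, "interval": interval,
            "auth": AUTH_TYPES.get(auth, f"type {auth}"),
            "vmac": f"0000.5e00.01{vrid:02x}", "findings": findings}

def build_advert(src: str, vrid: int, prio: int, vip: str, ttl: int = 255) -> bytes:
    """Constructed sample packet (no authentication, 1-second interval)."""
    body = struct.pack("!6BH", 0x21, vrid, prio, 1, 0, 1, 0)
    body += ipaddress.IPv4Address(vip).packed + bytes(8)  # one VIP + empty auth data
    body = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(body), 0, 0, ttl, VRRP_PROTO,
                     0, ipaddress.IPv4Address(src).packed, VRRP_GROUP.packed)
    return ip + body  # IP header checksum left at 0; it is not checked here

R2_ADVERT = build_advert("192.168.1.2", 1, 110, "192.168.1.1")
```

Calling validate_advert(R2_ADVERT) returns an empty findings list; the same packet built with ttl=254 is reported as one the receiver must discard.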

With Cisco IOS devices, the default VRRP authentication is plaintext. MD5 authentication can be configured by
specifying a key string or, like with HSRP, reference to a key chain.

Step 5 - Configure MD5 authentication for VRRP on the Ethernet 0/1 interface of R1.
R1(config)# interface ethernet 0/1
R1(config-if)# vrrp 1 authentication md5 key-string MyVRRP

In the CLI output of R1, notice the "bad authentication" message. R1 is currently configured with the MD5
authentication while R2 has no VRRP authentication configured. As a consequence, the routers do not
consider each other as members of the same group. If you verify the VRRP status on both devices, you will
see that both consider themselves to be the master for VRRP group 1.

%VRRP-4-BADAUTHTYPE: Bad authentication from 192.168.1.2, group 1, type 0, expected 254.

Step 6 - Configure MD5 authentication for VRRP on the Ethernet 0/1 interface of R2.
R2(config)# interface ethernet 0/1
R2(config-if)# vrrp 1 authentication md5 key-string MyVRRP

Notice that now that you have configured matching MD5 VRRP authentications, you get a message in the CLI
output of R1 that says that R1 is transitioning to the backup state.

%VRRP-6-STATECHANGE: Et0/1 Grp 1 state Master -> Backup
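The two log messages from Steps 5 and 6 are enough to monitor for the authentication mismatch and the resulting dual-master condition. The following Python sketch is an added example, not part of the original lab; the sample feed is constructed, and the leading hostname on each line is an assumption about how a syslog collector tags messages.

```python
import re
from collections import defaultdict

# Auth type numbers: 0-2 are defined in RFC 2338; 254 is the value the IOS
# message on this page reports for the router configured with MD5.
AUTH = {0: "none", 1: "plaintext", 2: "IP AH", 254: "MD5"}
BADAUTH = re.compile(r"^(\S+) %VRRP-4-BADAUTHTYPE: Bad authentication from "
                     r"(\S+), group (\d+), type (\d+), expected (\d+)")
STATE = re.compile(r"^(\S+) %VRRP-6-STATECHANGE: (\S+) Grp (\d+) state "
                   r"(\w+) -> (\w+)")

def triage(lines):
    """Return (auth mismatches, {group: routers} for groups with >1 master)."""
    mismatches = []
    state = defaultdict(dict)  # state[group][router] = last reported state
    for line in lines:
        if m := BADAUTH.match(line):
            host, peer, grp, got, want = m.groups()
            mismatches.append((int(grp), host, peer,
                               AUTH.get(int(got), got), AUTH.get(int(want), want)))
        elif m := STATE.match(line):
            host, _intf, grp, _old, new = m.groups()
            state[int(grp)][host] = new
    dual = {}
    for grp, hosts in state.items():
        masters = sorted(h for h, s in hosts.items() if s == "Master")
        if len(masters) > 1:
            dual[grp] = masters
    return mismatches, dual

# Constructed feed in lab order. The leading hostname is an assumption about
# how a collector tags each line; the message bodies follow the page's format.
SAMPLE = [
    "R1 %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Init -> Backup",
    "R2 %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Backup -> Master",
    # Step 5: MD5 configured on R1 only
    "R1 %VRRP-4-BADAUTHTYPE: Bad authentication from 192.168.1.2, group 1, type 0, expected 254.",
    "R1 %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Backup -> Master",
    # Step 6: matching key configured on R2
    "R1 %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Master -> Backup",
]
```

Running triage(SAMPLE[:4]) reports group 1 with both R1 and R2 as master plus the none-versus-MD5 mismatch; triage(SAMPLE) shows the dual-master condition cleared after Step 6.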

© 2014 Cisco Systems, Inc.
