Procedure https://cll-ng.cisco.

com/content/xtrac/2

Discovery 13: Configure VRRP

Task 1: Configure VRRP on Routers
Activity
Step 1: Configure Ethernet 0/1 on R1 with the IP address 192.168.1.3 and the VRRP virtual IP address 192.168.1.1.
On R1, enter the following commands:
R1(config)# interface ethernet 0/1
R1(config-if)# ip address 192.168.1.3 255.255.255.0
R1(config-if)# vrrp 1 ip 192.168.1.1
R1(config-if)#
*Jul 24 20:30:48.556: %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Init -> Backup
*Jul 24 20:30:48.561: %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Init -> Backup
R1(config-if)#
*Jul 24 20:30:52.174: %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Backup -> Master
R1(config-if)#
Like HSRP, VRRP uses the concept of the virtual IP address to provide the end-user devices with redundant first-hop connectivity.
The virtual IP address is configured by using the vrrp group_number ip virtual_ip interface configuration command.
You can use one of the "real" IP addresses from physical routers as the virtual IP address. In this example you could, for instance,
use 192.168.1.3 as the virtual IP address.
Observe the console message and notice that since there is not another active VRRP router in the broadcast domain R1 transitions
to the Master state.
Step 2: Configure Ethernet 0/1 on R2 with the IP address of 192.168.1.2 and the VRRP virtual IP address of 192.168.1.1.
On R2, enter the following commands:
R2(config)# interface ethernet 0/1
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)# vrrp 1 ip 192.168.1.1
R2(config-if)#
*Jul 24 20:32:19.192: %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Init -> Backup
*Jul 24 20:32:19.197: %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Init -> Backup

Observe the console message and notice that since R1 is already active and the Master R2 stays in the “backup” state.

With HSRP, you could leave out the group number when performing the configuration and it will default to group 0. With VRRP,
there is no such default. You need to specify a group number, which can be anything between 1 and 255.
Step 3: Configure Ethernet 0/1 on R2 with a VRRP priority of 110.
On R2, enter the following command:
R2(config-if)# vrrp 1 priority 110
R2(config-if)#
*Jul 24 20:35:50.804: %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Backup -> Master
R2(config-if)#

R1#
*Jul 24 20:35:50.804: %VRRP-6-STATECHANGE: Et0/1 Grp 1 state Master -> Backup
In the CLIs of the routers, you observed console messages that showed that R2 has now transitioned to the master state and R1 to
the backup state.
A higher priority is configured on a device that should be the master of the VRRP group. In this example, you configured R2 with
a priority of 110. R1 is left with the default priority of 100.

1 din 3 26.05.2020, 12:01

Procedure https://cll-ng.cisco.com/content/xtrac/2

However, if you use one of the router IP addresses as the virtual IP address, priorities are ignored for electing the master. The
router that has the IP address that matches the virtual IP address will become the master.
VRRP has pre-emption enabled by default, compared to HSRP having pre-emption disabled by default.
Step 4: On VRRP-enabled devices, verify the VRRP status.
On R1 and R2, enter the following commands:
R1# show vrrp
Ethernet0/1 - Group 1
State is Backup
Virtual IP address is 192.168.1.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 192.168.1.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.049 sec)

R2# show vrrp

Ethernet0/1 - Group 1
State is Master
Virtual IP address is 192.168.1.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Master Router is 192.168.1.2 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec
In the output of R1, you can see the MAC address of the virtual router. The MAC address has the following form:
0000.5e00.01XX, where XX is the two-digit hexadecimal group number.
R2# show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Et0/1 1 110 3570 Y Master 192.168.1.2 192.168.1.1
To verify VRRP status, use the show vrrp command. If you append the brief keyword, you will get a more condensed view.

Task 2: Configure Authentication for VRRP

Activity
VRRP and Authentication
The VRRP standard that is used to specify plaintext and MD5 authentication, which was later revoked. However, Cisco IOS devices
still support authentication mechanisms.

VRRP used plaintext and MD5 authentication with RFC 2338.

RFC 3768 and RFC 5798 remove authentication support for VRRP.
Cisco IOS Software still supports the RFC 2338 authentication mechanisms.

R1(config-if)# vrrp group_number authentication text key_string

Configures plaintext authentication

R1(config-if)# vrrp group_number authentication md5 key-string key_string

Configures MD5 authentication

According to RFC 5798, operational experience and further analysis determined that VRRP authentication did not provide sufficient
security to overcome the vulnerability of misconfigured secrets, causing multiple masters to be elected. Due to the nature of the VRRP
protocol, even if VRRP messages are cryptographically protected, it does not prevent hostile nodes from behaving as if they are the
VRRP master, creating multiple masters. Authentication of VRRP messages could have prevented a hostile node from causing all
properly functioning routers from going into the backup state. However, having multiple masters can cause as much disruption as no
routers, which authentication cannot prevent. Also, even if a hostile node could not disrupt VRRP, it can disrupt ARP and create the
same effect as having all routers go into the backup state.
Independent of any authentication type, VRRP includes a mechanism (setting Time to Live [TTL] = 255, checking on receipt) that

2 din 3 26.05.2020, 12:01

Procedure https://cll-ng.cisco.com/content/xtrac/2

protects against VRRP packets being injected from another remote network. This setting limits most vulnerability to local attacks.
With Cisco IOS devices, the default VRRP authentication is plaintext. MD5 authentication can be configured by specifying a key
string or, like with HSRP, reference to a key chain.
Step 1: Configure MD5 authentication for VRRP on the Ethernet 0/1 interface of R1.
On R1, enter the following commands:
R1(config)# interface ethernet 0/1
R1(config-if)# vrrp 1 authentication md5 key-string MyVRRP
In the CLI output of R1, notice the "bad authentication" message. R1 is currently configured with the MD5 authentication while R2
has no VRRP authentication configured. As a consequence, the routers do not consider each other as members of the same group.
If you verify the VRRP status on both devices, you will see that both consider themselves to be the master for VRRP group 1.
%VRRP-4-BADAUTHTYPE: Bad authentication from 192.168.1.2, group 1, type 0, expected 254.
Step 2: Configure MD5 authentication for VRRP on the Ethernet 0/1 interface of R2.
On R2, enter the following commands:
R2(config)# interface ethernet 0/1
R2(config-if)# vrrp 1 authentication md5 key-string MyVRRP
Notice that now that you have configured matching MD5 VRRP authentications, you get a message in the CLI output of R1 that
says that R1 is transitioning to the backup state.
%VRRP-6-STATECHANGE: Et0/1 Grp 1 state Master -> Backup
Step 3: Verify the VRRP states and authentication method or R1 and R2.
On R1 and R2, enter the following commands:
R1# show vrrp
Ethernet0/1 - Group 1
State is Backup
Virtual IP address is 192.168.1.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication MD5, key-string
Master Router is 192.168.1.2, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.255 sec)

R2# show vrrp

Ethernet0/1 - Group 1
State is Master
Virtual IP address is 192.168.1.1
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Authentication MD5, key-string
Master Router is 192.168.1.2 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec
Verify that R1 is in the “Backup” state and using “MD5, key-string” as the authentication method, and R2 is in the “Master” state
and also using “MD5, key-string” as the authentication method.

© 2020 Cisco Systems, Inc.

3 din 3 26.05.2020, 12:01