VRRP (IPv4 only) protocol exchanges can be authenticated to guarantee that only trusted routing platforms participate in routing in an autonomous system (AS). By default, VRRP authentication is disabled. You can configure one of the following authentication methods. All routing platforms in a VRRP group must use the same method.
- Simple authentication—Uses a text password included in the transmitted packet. The receiving routing platform uses an authentication key (password) to verify the packet.
- Message Digest 5 (MD5) algorithm—Creates the authentication data field in the IP authentication header. This header is used to encapsulate the VRRP PDU. The receiving routing platform uses an authentication key (password) to verify the authenticity of the IP authentication header and VRRP PDU.
To enable authentication and specify an authentication method, include the authentication-type statement:
authentication-type authentication;
authentication can be simple or md5. The authentication type must be the same for all routing platforms in the VRRP group.
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
If you include the authentication-type statement, you can configure a key (password) on each interface by including the authentication-key statement:
authentication-key key;
key (the password) is an ASCII string. For simple authentication, it can be from 1 through 8 characters long. For MD5 authentication, it can be from 1 through 16 characters long. If you include spaces, enclose all characters in quotation marks (“ ”). The key must be the same for all routing platforms in the VRRP group.
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
Note:
When VRRPv3 is enabled, the authentication-type and authentication-key statements cannot be configured for any VRRP groups. Therefore, if authentication is required, you need to configure alternative non-VRRP authentication mechanisms.
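The rules above (same authentication type across a group, key length limits, no authentication statements with VRRPv3) can be checked across exported configurations. The following is an added example, not vendor code. It assumes "display set" format input, that a group ID identifies the same VRRP group on every audited router, and that VRRPv3 is enabled with `set protocols vrrp version-3`; the router names and addresses are constructed.

```python
import re
from collections import defaultdict

MAX_KEY_LEN = {"simple": 8, "md5": 16}   # key length limits stated on this page
VRRP_RE = re.compile(r"^set (?:logical-systems \S+ )?interfaces \S+ unit \S+ "
                     r"family inet address \S+ vrrp-group (\d+) (\S+)(?: (.+))?$")

def key_ok(auth_type, key):
    """Check a candidate plaintext key against the documented length rules."""
    return key.isascii() and 1 <= len(key) <= MAX_KEY_LEN[auth_type]

def audit(configs):
    """configs maps router name -> 'display set' text; returns sorted findings."""
    groups = defaultdict(dict)   # group-id -> {router: authentication-type or None}
    v3 = set()                   # routers that enable VRRPv3 (assumed statement)
    for router, text in configs.items():
        for line in map(str.strip, text.splitlines()):
            if line == "set protocols vrrp version-3":
                v3.add(router)
            m = VRRP_RE.match(line)
            if m:
                gid, stmt, value = int(m.group(1)), m.group(2), m.group(3)
                groups[gid].setdefault(router, None)
                if stmt == "authentication-type":
                    groups[gid][router] = value
    findings = set()
    for gid, members in groups.items():
        types = set(members.values())
        if types == {None}:
            findings.add((gid, "NO_AUTH"))            # default: authentication disabled
        elif len(types) > 1:
            findings.add((gid, "TYPE_MISMATCH"))      # must match across the group
        if "simple" in types:
            findings.add((gid, "SIMPLE_PASSWORD_IN_PACKET"))
        if any(t and r in v3 for r, t in members.items()):
            findings.add((gid, "AUTH_WITH_VRRPV3"))   # not configurable with VRRPv3
    return sorted(findings)

# Constructed sample input for hypothetical routers r1, r2 and r3.
_P = "set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.%d/24 vrrp-group "
SAMPLE = {
    "r1": (_P % 2) + "10 authentication-type md5\n"
          + (_P % 2) + "20 virtual-address 192.0.2.20\n",
    "r2": (_P % 3) + "10 authentication-type simple\n"
          + (_P % 3) + "20 virtual-address 192.0.2.20\n",
    "r3": "set protocols vrrp version-3\n" + (_P % 4) + "30 authentication-type md5\n",
}

if __name__ == "__main__":
    for gid, code in audit(SAMPLE):
        print("vrrp-group %d: %s" % (gid, code))
```

Keys stored in a saved configuration may not be in plaintext, so `key_ok` is meant for checking a candidate key before it is entered, not for comparing keys between routers.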
The VRRP authentication type is not a parameter specific to the virtual router. VRRP uses the authentication type associated with the interfaces on which the virtual router is defined.
If your interfaces do not use authentication, neither does VRRP. For example, if you configure your device interfaces to use an MD5 password to authenticate traffic, VRRP uses the same MD5 password, and VRRP packets that do not contain the password are dropped.
In summary, if the interfaces on which you configure the virtual router use authentication, the VRRP or VRRP Extended (VRRP-E) packets on those interfaces must use the same authentication.
The following VRRP and VRRP-E authentication types are supported:
- No authentication—The interfaces do not use authentication. …
- Simple—The interfaces use a simple text string as a password in packets that they send. …
- MD5—This method of authentication ensures that the packet is authentic and cannot be modified in transit.