Vrrp priority, Working mode, Authentication mode – H3C Technologies H3C SR8800 User Manual


NOTE:

The IP address of the virtual router can be either an unused IP address on the segment where the VRRP
group resides or the IP address of an interface on a router in the VRRP group. In the latter case, the router
is called the IP address owner.

Only one IP address owner can be configured for a VRRP group.

Status of a router in a VRRP group includes master, backup, and initialize.

VRRP priority

VRRP determines the role (master or backup) of each router in a VRRP group by priority. A router with a
higher priority is more likely to become the master.

VRRP priority is in the range of 0 to 255. The greater the number, the higher the priority. Priorities 1 to
254 are configurable. Priority 0 is reserved for special uses and priority 255 for the IP address owner.

When a router acts as the IP address owner, its running priority is always 255. That is, the IP address
owner in a VRRP group acts as the master as long as it works properly.

Working mode

A router in a VRRP group works in either of the following modes:

Non-preemptive mode—When a router in the VRRP group becomes the master, it stays as the
master as long as it operates normally, even if a backup is assigned a higher priority later.

Preemptive mode—When a backup finds its priority higher than that of the master, the backup
sends VRRP advertisements to start a new master election in the VRRP group and becomes the
master. Accordingly, the original master becomes a backup.

Authentication mode

To avoid attacks from unauthorized users, VRRP adds authentication keys into packets for authentication.

VRRP provides the following authentication modes:

simple—Simple text authentication
A router sending a packet fills an authentication key into the packet, and the router receiving the
packet compares its local authentication key with that of the received packet. If the two
authentication keys are the same, the received VRRP packet is considered legitimate. Otherwise,
the received packet is considered invalid.

md5—MD5 authentication
A router computes the digest of a packet to be sent by using the authentication key and MD5
algorithm and saves the result in the authentication header. The router that receives the packet
performs the same operation by using the authentication key and MD5 algorithm, and compares
the result with the content in the authentication header. If the results are the same, the router that
receives the packet considers the packet an authentic and valid VRRP packet. Otherwise, the
router considers the packet invalid.

On a secure network, you can choose not to set the authentication mode.
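
The two checks described above, modelled side by side as an added example (not code from the manual or from H3C). It assumes the RFC 2338 VRRPv2 advertisement layout, where authentication type 1 is simple text and type 2 uses a separate authentication header, and it models the md5 digest as HMAC-MD5 over the advertisement; the function names, sample key and addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

def advert(vrid, priority, vip, auth_type, auth_data=b""):
    """Constructed VRRPv2 advertisement: 8-byte header, one virtual IP,
    8-byte authentication data field. Checksum is left at zero for brevity."""
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, priority, 1, auth_type, 1, 0)
    return hdr + bytes(map(int, vip.split("."))) + auth_data.ljust(8, b"\0")[:8]

def send(mode, key, vrid, priority, vip):
    """Return (packet, auth_header). auth_header is empty in simple mode."""
    if mode == "simple":
        # The key itself is copied into the packet.
        return advert(vrid, priority, vip, 1, key), b""
    # md5: only a keyed digest of the packet is sent (modelled as HMAC-MD5).
    pkt = advert(vrid, priority, vip, 2)
    return pkt, hmac.new(key, pkt, hashlib.md5).digest()

def receive(mode, key, pkt, auth_header=b""):
    """Receiver-side check for each mode. True means the packet is accepted."""
    if mode == "simple":
        local = key.ljust(8, b"\0")[:8]
        return pkt[4] == 1 and hmac.compare_digest(pkt[-8:], local)
    expected = hmac.new(key, pkt, hashlib.md5).digest()
    return pkt[4] == 2 and hmac.compare_digest(auth_header, expected)

def key_visible_on_wire(key, pkt, auth_header=b""):
    """True if the configured key appears verbatim in the transmitted bytes."""
    return key in pkt + auth_header

def with_priority(pkt, priority):
    """Copy of pkt with the priority byte changed, modelling alteration in transit."""
    return pkt[:2] + bytes([priority]) + pkt[3:]

if __name__ == "__main__":
    KEY = b"k3y-demo"  # constructed sample key
    for mode in ("simple", "md5"):
        pkt, ah = send(mode, KEY, 1, 100, "192.0.2.1")
        print(mode,
              "accepted:", receive(mode, KEY, pkt, ah),
              "key on wire:", key_visible_on_wire(KEY, pkt, ah),
              "altered copy accepted:", receive(mode, KEY, with_priority(pkt, 50), ah))
```

In simple mode the key travels in every advertisement and is not bound to the packet contents, so the comparison only proves the sender knows a value that is visible on the segment. In md5 mode the key stays off the wire and a changed packet no longer matches the digest.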

VRRP timers

VRRP timers include VRRP advertisement interval timer and VRRP preemption delay timer.

VRRP advertisement interval timer

The master in a VRRP group periodically sends VRRP advertisements to inform the other routers in the
VRRP group that it operates properly.
