Configuring VRRP Authentication (IPv4 Only)
VRRP (IPv4 only) protocol exchanges can be authenticated to guarantee that only trusted routing platforms participate in routing in an autonomous system (AS). By default, VRRP authentication is disabled. You can configure one of the following authentication methods. Each VRRP group must use the same method.
Simple authentication—Uses a text password included in the transmitted packet. The receiving routing platform uses an authentication key (password) to verify the packet.
Message Digest 5 (MD5) algorithm—Creates the authentication data field in the IP authentication header. This header is used to encapsulate the VRRP PDU. The receiving routing platform uses an authentication key (password) to verify the authenticity of the IP authentication header and VRRP PDU.
To enable authentication and specify an authentication method, include the authentication-type statement:
authentication-type authentication;
authentication can be simple or md5. The authentication type must be the same for all routing platforms in the VRRP group.
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
If you include the authentication-type statement, you can configure a key (password) on each interface by including the authentication-key statement:
authentication-key key;
key (the password) is an ASCII string. For simple authentication, it can be from 1 through 8 characters long. For MD5 authentication, it can be from 1 through 16 characters long. If you include spaces, enclose all characters in quotation marks (“ ”). The key must be the same for all routing platforms in the VRRP group.
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family inet address address vrrp-group group-id]
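The following is an added example, not part of the original documentation or any vendor tooling: a pre-load check that applies the rules above (type is simple or md5, key length limits per type, same type and key on every router in a group). It assumes the candidate configuration is available as set-format commands with the key still in plain text as typed; the router names, interface, addresses, key, and the parse and audit helpers are all constructed for illustration.

```python
import shlex
from collections import defaultdict

# Key-length limits stated on this page, per authentication type.
MAX_KEY_LEN = {"simple": 8, "md5": 16}

# Constructed candidate "set" commands for two routers sharing VRRP group 10.
CANDIDATE = {
    "r1": [
        'set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 authentication-type md5',
        'set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 authentication-key "lab key 0001"',
    ],
    "r2": [
        'set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.3/24 vrrp-group 10 authentication-type simple',
        'set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.3/24 vrrp-group 10 authentication-key "lab key 0001"',
    ],
}

def parse(lines):
    """Return {group-id: {statement: value}} for the two authentication statements."""
    groups = defaultdict(dict)
    for line in lines:
        tok = shlex.split(line)  # honours quoted keys that contain spaces
        if "vrrp-group" not in tok:
            continue
        i = tok.index("vrrp-group")
        if len(tok) == i + 4 and tok[i + 2] in ("authentication-type", "authentication-key"):
            groups[tok[i + 1]][tok[i + 2]] = tok[i + 3]
    return groups

def audit(candidate):
    """Return sorted findings for key-length limits and per-group consistency."""
    findings, seen = [], defaultdict(set)
    for router, lines in candidate.items():
        for gid, cfg in parse(lines).items():
            atype, key = cfg.get("authentication-type"), cfg.get("authentication-key")
            if atype not in MAX_KEY_LEN:
                findings.append(f"{router} group {gid}: authentication-type must be simple or md5")
            elif key is not None and not 1 <= len(key) <= MAX_KEY_LEN[atype]:
                findings.append(f"{router} group {gid}: {atype} key must be 1-{MAX_KEY_LEN[atype]} characters")
            seen[gid].add((atype, key))
    for gid, combos in seen.items():
        if len(combos) > 1:
            findings.append(f"group {gid}: authentication type or key differs between routers")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(CANDIDATE)) or "no findings")
```
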
When VRRPv3 is enabled, the authentication-type and authentication-key statements cannot be configured for any VRRP groups. Therefore, if authentication is required, you need to configure alternative non-VRRP authentication mechanisms.