Configuring VRRP Security; Establishing the Configuration Task - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Reliability

7.6 Configuring VRRP Security

On a network that is exposed to security risks, you can protect devices against attacks by
configuring an authentication mode for VRRP packets.

7.6.1 Establishing the Configuration Task

Before configuring VRRP security authentication, familiarize yourself with the applicable
environment and complete the pre-configuration task of configuring a VRRP backup group.
Applicable Environment
In a secure network, by default, the switch considers received and sent VRRP packets real and
valid without authenticating them. In this case, you need not configure an authentication key.
VRRP provides simple text authentication and MD5 authentication for networks that are
vulnerable to attacks. In simple text authentication mode, a string of 1 to 8 characters can be
configured as the authentication key. In MD5 authentication mode, a string of 1 to 8 characters
in plain text or a string of 24 characters in encrypted text can be configured as the authentication
key.
The process of simple text authentication is as follows:
- The device that sends packets adds the authentication key into VRRP packets.
- The device that receives packets compares the received authentication key with the local
  authentication key. If they are the same, the VRRP packets are valid. Otherwise, the switch
  discards the received VRRP packets and sends a Trap packet to the Network Management
  System (NMS).
The process of MD5 authentication is as follows:
- The switch adds the authentication key to the VRRP packet.
- The receiver generates a digest based on the locally configured authentication key and
  compares the digest of the received VRRP packet with the locally generated digest.
  If they are the same, the receiver considers the received VRRP packet valid. Otherwise,
  the receiver considers the received VRRP packet illegal and discards it, and then reports a
  trap message to the network management system.
Pre-configuration Tasks
Before configuring the VRRP security function, complete the following tasks:
- Configuring network layer attributes for interfaces to connect the network
- Configuring the VRRP backup group

MasterPriority : 90
Preempt : YES
Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-010a
Check TTL : YES
Config type : normal-vrrp
Config track link-bfd down-number : 0
Track BFD : 1
Priority reduced : 10
BFD-session state : UP

Issue 01 (2011-10-26)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 VRRP and VRRP6 Configuration
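
The receiver-side check for simple text authentication described above, as an added example that is not taken from the Huawei manual. It assumes the VRRPv2 advertisement layout of RFC 2338, in which the key occupies the 8-octet Authentication Data field at the end of the packet (consistent with the 1 to 8 character limit); the function names, VRID, priority, address and key are constructed, and checksum validation and MD5 mode are left out.

```python
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE = 0, 1    # Auth Type values from RFC 2338 (assumed layout)
HDR = struct.Struct("!BBBBBBH")  # ver/type, VRID, priority, count, auth type, adver int, checksum

def build_advert(vrid, priority, addrs, auth_type, key=b""):
    """Build a constructed VRRPv2 advertisement (checksum left at 0 for brevity)."""
    body = b"".join(addrs)
    return HDR.pack(0x21, vrid, priority, len(addrs), auth_type, 1, 0) + body + key.ljust(8, b"\x00")

def check_advert(pkt, local_type, local_key=b""):
    """Return 'valid' or a 'discard: ...' reason for a received advertisement."""
    if len(pkt) < HDR.size:
        return "discard: truncated"
    ver_type, _vrid, _prio, count, auth_type, _adv, _csum = HDR.unpack_from(pkt)
    if ver_type != 0x21:                       # version 2, type 1 (advertisement)
        return "discard: not a VRRPv2 advertisement"
    if len(pkt) != HDR.size + 4 * count + 8:   # header + IPv4 addresses + auth data
        return "discard: bad length"
    if auth_type != local_type:
        return "discard: authentication type mismatch"
    if local_type == AUTH_SIMPLE:
        if not 1 <= len(local_key) <= 8:
            raise ValueError("simple text key must be 1 to 8 characters")
        # The key is carried unencrypted, zero-padded, in the last 8 octets.
        if not hmac.compare_digest(pkt[-8:], local_key.ljust(8, b"\x00")):
            return "discard: authentication key mismatch"
    return "valid"

if __name__ == "__main__":
    vip = bytes([192, 0, 2, 1])                # constructed virtual IP (documentation range)
    pkt = build_advert(10, 90, [vip], AUTH_SIMPLE, b"hello")
    print(check_advert(pkt, AUTH_SIMPLE, b"hello"))
    print(check_advert(pkt, AUTH_SIMPLE, b"other"))
    print(check_advert(build_advert(10, 90, [vip], AUTH_NONE), AUTH_SIMPLE, b"hello"))
```

Each discard result corresponds to the case in which the switch drops the packet and sends a trap to the NMS.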
