This topic is to discuss the following lesson:
One quick question: if there is any mismatch in the authentication … in the first place it should not forward packets at all? We could see some packets are being forwarded … could you please explain?
Believe it or not, what you are seeing is expected behavior from VRRP! If the authentication is not correct from a VRRP neighbor, then its packets get ignored. Each side will claim the other has incorrect authentication, so each VRRP router believes itself to be the master, and each will claim to own the IP address! The only upside to this is that assuming each side is using the same VRRP instance number, the MAC address will agree between them, so other computers on the network would have no idea this is going on. Additionally, should one of the VRRP mismatch routers fail, the VRRP IP will remain up, so you will achieve fault-tolerance by accident.
By the way, besides an authentication mismatch, the same thing will happen should the VRRP timers not match as well.
This goes to show you how useless authentication is with VRRP. The whole point of authentication is to stop a rogue device from claiming to be the virtual IP, but clearly it doesn’t matter.
Below is a sample VRRP output from two routers in this situation. Notice how they disagree on the IP of the Master Router:
```
R1#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string
  Master Router is 10.0.0.252 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
```

```
R2#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.0.253 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
```
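A monitoring check for the dual-master condition shown in the two outputs above, as an added example that is not part of the original post: it parses `show vrrp` text collected from several routers and flags any group and virtual IP with more than one Master. The function names are hypothetical, and the sample input is a trimmed copy of the output in the post.

```python
import re
from collections import defaultdict

# Sample input: trimmed from the two "show vrrp" outputs in the post above.
R1 = """FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Authentication MD5, key-string
  Master Router is 10.0.0.252 (local), priority is 100
"""
R2 = """FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Master Router is 10.0.0.253 (local), priority is 100
"""

FIELDS = {"state": r"State is (\S+)", "vip": r"Virtual IP address is (\S+)",
          "auth": r"Authentication (\w+)", "master": r"Master Router is (\S+)"}

def parse_show_vrrp(text):
    """Return one dict per VRRP group found in 'show vrrp' text."""
    groups, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"(\S+) - Group (\d+)$", line)
        if m:  # start of a new "<interface> - Group <n>" section
            cur = {"intf": m.group(1), "group": int(m.group(2)), "auth": "none"}
            groups.append(cur)
            continue
        for key, pattern in FIELDS.items():
            f = re.match(pattern, line)
            if f and cur is not None:
                cur[key] = f.group(1)
    return groups

def find_split_brain(outputs):
    """outputs: {hostname: show-vrrp text}. Flag (group, VIP) with >1 Master."""
    seen = defaultdict(list)
    for host, text in outputs.items():
        for g in parse_show_vrrp(text):
            seen[(g["group"], g.get("vip", ""))].append((host, g))
    findings = []
    for (group, vip), members in sorted(seen.items()):
        masters = sorted(h for h, g in members if g.get("state") == "Master")
        if len(masters) > 1:  # every router believes it owns the virtual IP
            findings.append({"group": group, "vip": vip, "masters": masters,
                "master_ips": sorted({g.get("master", "?") for _, g in members}),
                "auth_mismatch": len({g["auth"] for _, g in members}) > 1})
    return findings
```

On the sample, `find_split_brain({"R1": R1, "R2": R2})` returns a single finding that names both routers as Master and marks the authentication settings as mismatched.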
Thanks a lot for your detailed explanation on the vrrp authentication.