This topic is to discuss the following lesson:
One quick question: if there is any mismatch in the authentication … in the first place, it should not forward packets at all? We could see some packets are being forwarded … could you please explain?
Believe it or not, what you are seeing is expected behavior from VRRP! If the authentication is not correct from a VRRP neighbor, then its packets get ignored. Each side will claim the other has incorrect authentication, so each VRRP router believes itself to be the master, and each will claim to own the IP address! The only upside to this is that, assuming each side is using the same VRRP instance number, the MAC address will agree between them, so other computers on the network would have no idea this is going on. Additionally, should one of the mismatched VRRP routers fail, the VRRP IP will remain up, so you will achieve fault tolerance by accident.
By the way, besides an authentication mismatch, the same thing will happen should the VRRP timers not match as well.
This goes to show you how useless authentication is with VRRP. The whole point of authentication is to stop a rogue device from claiming to be the virtual IP, but clearly it doesn’t matter.
Below is sample VRRP output from two routers in this situation; notice how they disagree on the IP of the master router.
R1#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string
  Master Router is 10.0.0.252 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec

R2#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.0.253 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
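As an added illustration (not part of the original thread), the model below reproduces the behaviour described in the answer: a VRRPv2 router drops any advertisement whose group, authentication or advertisement interval does not match its own, so with a mismatch each side never hears a valid peer and stays Master, while with matching settings the tie on priority 100 is broken by the higher primary address. The router names, addresses, group number and priority are those shown in the output; the key strings and the interval of 3.0 seconds are assumed values.

```python
# Added example, not the lesson's or Cisco's code: a minimal model of
# VRRPv2 advertisement validation and master election (RFC 3768).
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class VrrpRouter:
    name: str
    ip: str                       # primary address used in advertisements
    vrid: int = 1                 # group number from the output above
    priority: int = 100
    adv_interval: float = 1.0
    auth_key: str = "secret"      # assumed key; the page shows only "MD5"
    state: str = "Master"         # each side initially claims the address

    def virtual_mac(self) -> str:
        # RFC 3768: 00-00-5E-00-01-{VRID}; group 1 gives 0000.5e00.0101,
        # which is why both routers agree on the MAC even while mismatched.
        return f"0000.5e00.01{self.vrid:02x}"

    def advertisement(self) -> dict:
        return {"src": self.ip, "vrid": self.vrid, "priority": self.priority,
                "adv_interval": self.adv_interval, "auth_key": self.auth_key}

    def receive(self, adv: dict) -> str:
        # Anything that fails validation is silently dropped; the sender
        # is treated as if it did not exist, so this router stays Master.
        if adv["vrid"] != self.vrid:
            return "dropped: different group"
        if adv["auth_key"] != self.auth_key:
            return "dropped: authentication mismatch"
        if adv["adv_interval"] != self.adv_interval:
            return "dropped: advertisement interval mismatch"
        # Valid advertisement: higher priority wins; on a tie the higher
        # primary IP address wins (RFC 3768 section 6.4.3).
        peer_wins = (adv["priority"] > self.priority or
                     (adv["priority"] == self.priority and
                      IPv4Address(adv["src"]) > IPv4Address(self.ip)))
        self.state = "Backup" if peer_wins else "Master"
        return f"accepted: now {self.state}"

def exchange(r1: VrrpRouter, r2: VrrpRouter) -> tuple:
    """Deliver one advertisement each way (both start as Master) and return the states."""
    r1.receive(r2.advertisement())
    r2.receive(r1.advertisement())
    return r1.state, r2.state

if __name__ == "__main__":
    a, b = VrrpRouter("R1", "10.0.0.252"), VrrpRouter("R2", "10.0.0.253")
    print(exchange(a, b))   # ('Backup', 'Master'): R2 has the higher address
    a, b = VrrpRouter("R1", "10.0.0.252"), VrrpRouter("R2", "10.0.0.253", auth_key="other")
    print(exchange(a, b))   # ('Master', 'Master'): each side ignores the other
```

Changing only `adv_interval` on one side produces the same Master/Master outcome, matching the remark that a timer mismatch behaves like an authentication mismatch.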
Thanks a lot for your detailed explanation on the VRRP authentication.
Let us assume authentication is proper and the timers are too. Suppose the VRRP keepalive messages are not able to reach each other due to any random reason; in that case both should be active/active.
So will they forward packets or not?
Yes, if that is the case, both devices will become active, and any packets arriving at a device will be forwarded. But, if for whatever reason the redundant gateways can’t reach each other, that means that hosts will also have trouble reaching one of the gateways for the same reason. Remember that redundant gateways and hosts are all on the same subnet. If communication between gateways somehow fails, then communication will also fail between hosts and one or more of the redundant gateways.
So in most cases, even if both gateways become active, the same network fault that caused the failure will also cause hosts not to reach one of the two or more gateways.
I hope this has been helpful!