Vrrp priority, Working mode, Authentication mode – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

6

NOTE:
•

The IP address of the virtual router can be either an unused IP address on the segment where the VRRP
group resides or the IP address of an interface on a router in the VRRP group. In the latter case, the router
is called the IP address owner.

•

Only one IP address owner can be configured for a VRRP group.

•

Status of a router in a VRRP group includes master, backup, and initialize.

VRRP priority

VRRP determines the role (master or backup) of each router in a VRRP group by priority. A router with a
higher priority is more likely to become the master.
VRRP priority ranges from 0 to 255, and a greater number means a higher priority. Priorities 1 to 254 are

configurable. Priority 0 is reserved for special uses, and priority 255 is for the IP address owner. The

router that acts as the IP address owner always has the running priority 255 and acts as the master as
long as it works properly.

Working mode

A router in a VRRP group operates in either of the following modes:

•

Non-preemptive mode—When a router in the VRRP group becomes the master, it stays as the
master as long as it operates normally, even if a backup is assigned a higher priority later.

•

Preemptive mode—When a backup finds its priority higher than that of the master, the backup
sends VRRP advertisements to start a new master election in the VRRP group and becomes the
master. Accordingly, the original master becomes a backup.

Authentication mode

To avoid attacks from unauthorized users, VRRP member routers add authentication keys in VRRP packets

to authenticate one another. VRRP provides the following authentication modes:

•

simple—Simple text authentication
The sender fills an authentication key into the VRRP packet, and the receiver compares the received
authentication key with its local authentication key. If the two authentication keys are the same, the

received VRRP packet is legitimate. Otherwise, the received packet is illegitimate.

•

md5—MD5 authentication
The sender computes a digest for the packet to be sent by using the authentication key and MD5
algorithm and saves the result in the authentication header. The receiver performs the same
operation by using the authentication key and MD5 algorithm, and compares the result with the

content in the authentication header. If the results are the same, the received VRRP packet is

legitimate. Otherwise, the received packet is illegitimate.

On a secure network, you can choose not to authenticate VRRP packets.

VRRP timers

VRRP timers include VRRP advertisement interval timer and VRRP preemption delay timer.

VRRP advertisement interval timer

The master in a VRRP group periodically sends VRRP advertisements to inform the other routers in the

VRRP group that it operates properly.