VRRP priority, Working mode, Authentication mode – H3C Technologies H3C SecPath F1000-E User Manual
VRRP priority
VRRP determines the role (master or backup) of each router in the VRRP group by priority. A router with
a higher priority is more likely to become the master.
VRRP priority is in the range of 0 to 255. A bigger number means a higher priority. Priorities 1 to 254 are
configurable. Priority 0 is reserved for special uses and priority 255 for the IP address owner. When a
router acts as the IP address owner, its priority is always 255. That is, the IP address owner in a VRRP
group acts as the master as long as it works properly.
Working mode
A router in a VRRP group works in one of the following two modes:
• Non-preemptive mode
When a router in the VRRP group becomes the master, it stays as the master as long as it operates
normally, even if a backup is assigned a higher priority later.
• Preemptive mode
When a backup finds its priority higher than that of the master, the backup sends VRRP advertisements
to start a new master election in the VRRP group and becomes the master. Accordingly, the original
master becomes a backup.
Authentication mode
To guard against attacks by unauthorized users, VRRP adds authentication keys into packets so that the
receiving router can authenticate them. VRRP provides two authentication modes:
• simple: Simple text authentication
A router sending a packet fills an authentication key into the packet, and the router receiving the packet
compares its local authentication key with that of the received packet. If the two authentication keys are
the same, the received VRRP packet is considered real and valid; otherwise, the received packet is
considered invalid.
• md5: MD5 authentication
The router computes the digest of a packet to be sent using the authentication key and MD5 algorithm
and saves the result in the authentication header. The router receiving the packet performs the same
operation using the authentication key and MD5 algorithm, and compares the result with the content in
the authentication header. If the results are the same, the router receiving the packet considers the packet
an authentic and valid VRRP packet; otherwise, the router considers the packet invalid.
On a secure network, you do not need to set the authentication mode.
VRRP timers
VRRP timers include the VRRP advertisement interval timer and the VRRP preemption delay timer.
VRRP advertisement interval timer
The master in a VRRP group sends VRRP advertisements periodically to inform the other routers in the
VRRP group that it operates properly.
You can adjust the interval for sending VRRP advertisements by setting the VRRP advertisement interval
timer. If a backup receives no advertisements in a period three times the interval, the backup regards itself
as the master and sends VRRP advertisements to start a new master election.
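The receiver-side checks described in this section (simple text authentication, the special priority values, and the three-interval timeout), shown as an added example that is not part of the H3C manual or the device's own code. It assumes the VRRPv2 advertisement layout from RFC 3768; the function names, the key "lab-key" and the address 10.0.0.1 are constructed for illustration.

```python
import hmac
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by VRRPv2 (RFC 3768)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, adver_int, addrs, key=b""):
    """Build a constructed sample advertisement (auth type 1 = simple text)."""
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, len(addrs),
                       1 if key else 0, adver_int)
    body = b"".join(bytes(map(int, a.split("."))) for a in addrs)
    body += key.ljust(8, b"\x00")          # 8-byte authentication data field
    csum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body

def check_advert(pkt: bytes, local_key: bytes = b""):
    """Receiver-side checks; returns (accepted, notes)."""
    if len(pkt) < 16:
        return False, ["truncated packet"]
    vt, vrid, prio, count, auth_type, adver = struct.unpack("!BBBBBB", pkt[:6])
    if vt != 0x21:                          # version 2, type 1 (advertisement)
        return False, ["not a VRRPv2 advertisement"]
    if len(pkt) != 16 + 4 * count or inet_checksum(pkt) != 0:
        return False, ["bad length or checksum"]
    if auth_type != (1 if local_key else 0):
        return False, ["authentication mode mismatch"]
    # Simple mode: compare the key carried in the packet with the local key.
    if auth_type == 1 and not hmac.compare_digest(pkt[-8:], local_key.ljust(8, b"\x00")):
        return False, ["authentication key mismatch"]
    notes = ["master-down after %d s without advertisements" % (3 * adver)]
    if prio == 255:
        notes.append("sender claims to be the IP address owner")
    elif prio == 0:
        notes.append("priority 0: master is giving up its role")
    if auth_type == 1:
        notes.append("key travels in cleartext in every advertisement")
    return True, notes

# Constructed samples: VRID 1, virtual IP 10.0.0.1, key "lab-key" (all assumed).
GOOD = build_advert(1, 110, 1, ["10.0.0.1"], b"lab-key")
WRONG_KEY = build_advert(1, 254, 1, ["10.0.0.1"], b"guess")
```

In simple mode the comparison succeeds only when the packet carries the same key the receiver holds, which is why the notes flag that the key itself is present in every advertisement on the segment.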