2.3.1 Authentication

Information

You can ensure that VRRP messages received from VRRP routers that comprise a virtual router are authenticated by configuring a simple text password.

This is part of the VRRP authentication setup.

Solution

Configure VRRP with the appropriate password.

IOSXR(config)#router vrrp
IOSXR(config-vrrp)#interface {interface}
IOSXR(config-vrrp-if)#address-family ipv4
IOSXR(config-vrrp-address-family)#vrrp {virtual_router_id}
IOSXR(config-vrrp-virtual-router)#text-authentication {password}
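
To check a saved configuration against this item, the added example below (not part of the benchmark or plugin) walks the router vrrp block and reports every virtual router that lacks text-authentication. The function names, the sample configuration and its indentation-based layout are assumptions made for illustration.

```python
import re
# Constructed sample running-config excerpt (assumed layout, not from the page).
SAMPLE_CONFIG = """\
router vrrp
 interface GigabitEthernet0/0/0/0
  address-family ipv4
   vrrp 1
    address 192.0.2.1
    text-authentication EXAMPLE-ONLY
   !
   vrrp 2
    address 192.0.2.2
   !
  !
 !
 interface GigabitEthernet0/0/0/1
  address-family ipv4
   vrrp 7
    address 198.51.100.1
   !
  !
 !
!
"""

def audit_vrrp_auth(config):
    """Map (interface, vrid) -> True if text-authentication is configured."""
    results, stack = {}, []  # stack holds (indent, text) of enclosing blocks
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        # Drop blocks we have left, then enter the current line's level.
        stack = [s for s in stack if s[0] < indent] + [(indent, text)]
        path = [t for _, t in stack]
        if len(path) < 4 or path[0] != "router vrrp":
            continue
        m_if = re.fullmatch(r"interface (\S+)", path[1])
        m_vr = re.fullmatch(r"vrrp (\d+)", path[3])
        if not (m_if and m_vr and path[2].startswith("address-family ")):
            continue
        key = (m_if.group(1), int(m_vr.group(1)))
        results.setdefault(key, False)  # seen, not yet known to be compliant
        if len(path) == 5 and path[4].startswith("text-authentication "):
            results[key] = True
    return results

def missing_auth(config):
    return sorted(k for k, ok in audit_vrrp_auth(config).items() if not ok)
```

Calling missing_auth(SAMPLE_CONFIG) lists the (interface, virtual router ID) pairs that still need the Solution commands applied.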

Impact:

An important aspect of the VRRP redundancy scheme is VRRP router priority. Priority determines the role that each VRRP router plays and what happens if the master virtual router fails.

If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router functions as a master virtual router.

Priority also determines if a VRRP router functions as a backup virtual router and determines the order of ascendancy to becoming a master virtual router if the master virtual router fails. You can configure the priority of each backup virtual router with a value of 1 through 254, using the vrrp priority command.

For example, if Router A, the master virtual router in a LAN topology, fails, an election process takes place to determine if backup virtual Routers B or C should take over. If Routers B and C are configured with the priorities of 101 and 100, respectively, Router B is elected to become master virtual router because it has the higher priority. If Routers B and C are both configured with the priority of 100, the backup virtual router with the higher IP address is elected to become the master virtual router.

By default, a preemptive scheme is enabled whereby a higher-priority backup virtual router that becomes available takes over for the backup virtual router that was elected to become master virtual router. You can disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the backup virtual router that is elected to become master virtual router remains the master until the original master virtual router recovers and becomes master again.

See Also

https://workbench.cisecurity.org/benchmarks/10473

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7

Plugin: Cisco

Control ID: e3b618a1e34d74fffd8bb1b59f1e56ef89f598909d23ddc0dbc6e523a84b5755