Table Of Contents
Information About FHRP—VRRP Enhancements
Virtual Router Redundancy Protocol
Authentication Support for VRRP Groups
Integrated Routing and Bridging
Bridge-Group Virtual Interface
VRRP Support for Integrated Routing and Bridging
How to Configure FHRP—VRRP Enhancements
Configuring VRRP Support for Text-String Authentication
Configuring VRRP Support for MD5 Authentication
Configuring MD5 Authentication Using Key Strings
Configuring MD5 Authentication Using Key Chains
Verifying the VRRP MD5 Authentication Configuration
Configuring IRB and VRRP Support for IRB
Enabling BVI Bridging and Configuring a BVI Group
Configuring the BVI Interface and Enabling VRRP Support on the BVI for IRB
Enabling IRB on the Interfaces
Configuration Examples for FHRP—VRRP Enhancements
MD5 Authentication Configuration Using a Key String: Example
MD5 Authentication Configuration Using a Key Chain: Example
IRB and VRRP with MD5 Key-Chain Authentication Configuration: Example
IRB and Bridge-Group Configuration: Example
BVI Interface and VRRP with MD5 Key-Chain Configuration for IRB: Example
IRB Bridge Group on an Interface Configuration: Example
FHRP—VRRP Enhancements
The First-Hop Redundancy Protocol (FHRP)—VRRP Enhancements feature adds support for the following capabilities:
• Message Digest 5 (MD5) Authentication—Added to routers configured for Virtual Router Redundancy Protocol (VRRP), similar to the existing Hot Standby Router Protocol (HSRP) support, so that peers can be authenticated by a simpler method than the one in RFC 2338.
• Bridged Virtual Interface (BVI)—Added configuration of VRRP capability on BVIs that is similar to the existing HSRP support for BVIs.
History for the FHRP—VRRP Enhancements Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Information About FHRP—VRRP Enhancements
• How to Configure FHRP—VRRP Enhancements
• Configuration Examples for FHRP—VRRP Enhancements
Information About FHRP—VRRP Enhancements
To configure the FHRP—VRRP Enhancements feature, you should understand the following concepts:
• Virtual Router Redundancy Protocol
• Authentication Support for VRRP Groups
• Integrated Routing and Bridging
• VRRP Support for Integrated Routing and Bridging
Virtual Router Redundancy Protocol
The Virtual Router Redundancy Protocol (VRRP) is a protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to use the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual-router master with the other routers acting as backups in case of the failure of the master router.
Hot Standby Router Protocol
IP routing redundancy is designed to allow for transparent fail-over at the first-hop IP router. Both Hot Standby Router Protocol (HSRP) and VRRP enable two or more devices to work together in a group, sharing a single IP address, the virtual IP address. The virtual IP address is configured in each end-user workstation as a default gateway address and is cached in the host Address Resolution Protocol (ARP) cache.
In an HSRP or VRRP group, one router is elected to handle all requests sent to the virtual IP address. With HSRP, this is the active router. An HSRP group has one active router, at least one standby router, and perhaps many listening routers. A VRRP group has one master router and one or more backup routers.
Authentication Support for VRRP Groups
Authentication allows each VRRP group member to use text strings or MD5 authentication for security. MD5 provides greater security than the alternative plain-text authentication, because it enables each group member to use a secret key to generate an MD5 hash of a part of an outgoing packet. A keyed hash of an incoming packet is generated and if the generated hash does not match the hash within the incoming packet, the packet is ignored. The MD5 key can be configured using a key string or key chain.
With this release, MD5 authentication has been added for VRRP groups so that routers in the group can authenticate peers using a simpler method than the one in RFC 2338.
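To make the keyed-hash check concrete, here is an added Python model of how a receiver validates an advertisement against a key chain; it is not Cisco's code and not the IOS wire format. The authentication-type values 0 and 254 are taken from the debug vrrp authentication output later on this page; the trailer layout and the digest construction (MD5 over the advertisement followed by the key string) are assumptions, and the key string f00c4s comes from the page's configuration examples.

```python
import hashlib
import struct

AUTH_NONE = 0     # "authentication type 0" in the page's debug output
AUTH_MD5 = 254    # "expected 254" in the page's debug output


class KeyChain:
    """Small model of an IOS key chain: key ID -> key string, with one live key."""

    def __init__(self, keys, live_key_id):
        self.keys = dict(keys)
        self.live_key_id = live_key_id

    def live(self):
        # The sender signs with the current live key and advertises its ID.
        return self.live_key_id, self.keys[self.live_key_id]

    def lookup(self, key_id):
        # The receiver selects the key by the ID carried in the packet.
        return self.keys.get(key_id)


def keyed_md5(data, key_string):
    # Assumed construction: MD5 over the advertisement bytes followed by the secret.
    return hashlib.md5(data + key_string.encode()).digest()


def build_advertisement(group, virtual_ip, priority, chain=None):
    """Constructed advertisement: fixed fields, then an 18-byte authentication trailer."""
    body = struct.pack("!BBB", 0x21, group, priority)      # version/type, group, priority
    body += bytes(int(octet) for octet in virtual_ip.split("."))
    if chain is None:
        # No MD5 configured: type 0 and an all-zero trailer (the page: zeroed on transmit).
        return body + struct.pack("!BB", AUTH_NONE, 0) + bytes(16)
    key_id, key_string = chain.live()
    header = struct.pack("!BB", AUTH_MD5, key_id)
    return body + header + keyed_md5(body + header, key_string)


def verify_advertisement(packet, chain):
    """Return 'accept' or a rejection reason worded like the page's debug lines."""
    signed, digest = packet[:-16], packet[-16:]
    auth_type, key_id = struct.unpack("!BB", signed[-2:])
    if auth_type != AUTH_MD5:
        return f"incorrect authentication type {auth_type} expected {AUTH_MD5}"
    key_string = chain.lookup(key_id)
    if key_string is None:
        return f"FAILED MD5 authentication (key ID {key_id} not in key chain)"
    if keyed_md5(signed, key_string) != digest:
        return "FAILED MD5 authentication"
    return "accept"


def run_scenarios():
    """Exercise the mismatch cases that the debug output on this page distinguishes."""
    master = KeyChain({1: "f00c4s"}, live_key_id=1)
    good_peer = KeyChain({1: "f00c4s"}, live_key_id=1)
    other_id = KeyChain({2: "f00c4s"}, live_key_id=2)        # key IDs differ
    other_str = KeyChain({1: "wrong-key"}, live_key_id=1)    # key strings differ
    adv = build_advertisement(1, "10.21.0.10", 110, master)
    modified = bytearray(adv)
    modified[2] = 255   # constructed: priority field altered in transit; digest no longer matches
    return {
        "matching": verify_advertisement(adv, good_peer),
        "no_md5_on_sender": verify_advertisement(build_advertisement(1, "10.21.0.10", 110), good_peer),
        "key_id_mismatch": verify_advertisement(adv, other_id),
        "key_string_mismatch": verify_advertisement(adv, other_str),
        "modified_priority": verify_advertisement(bytes(modified), good_peer),
    }


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```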
Integrated Routing and Bridging
Integrated routing and bridging (IRB) makes it possible to route a specific protocol between routed interfaces and bridge groups, or route a specific protocol between bridge groups. Local or unroutable traffic can be bridged among the bridged interfaces in the same bridge group, while routable traffic can be routed to other routed interfaces or bridge groups. Figure 1 illustrates how IRB in a router interconnects a bridged network with a routed network.
Figure 1 IRB Connecting a Bridged Network with a Routed Network
Cisco IOS software can be configured to route a specific protocol between routed interfaces and bridge groups or to route a specific protocol between bridge groups. Specifically, local or unroutable traffic is bridged among the bridged interfaces in the same bridge group, while routable traffic is routed to other routed interfaces or bridge groups. Using IRB, you can do the following:
• Switch packets from a bridged interface to a routed interface
• Switch packets from a routed interface to a bridged interface
• Switch packets within the same bridge group
Bridge-Group Virtual Interface
In IRB, a bridge-group virtual interface (BVI) is used to avoid confusing the protocol configuration model when a specific protocol is both bridged and routed in a bridge group. Figure 2 illustrates the BVI as a user-configured virtual interface residing within a router.
Figure 2 BVI in a Router
A BVI does not support bridging, but does represent its corresponding bridge group to the routed interface. It has all the network layer attributes (such as a network layer address and filters) that apply to the corresponding bridge group. The interface number assigned to the BVI corresponds to the bridge group that the BVI represents. This number is the link between the virtual interface and the bridge group.
When routing is enabled for a given protocol on a BVI, packets coming from a routed interface, but destined for a host in a bridged domain, are routed to the BVI and are forwarded to the corresponding bridged interface. All traffic routed to the BVI is forwarded to the corresponding bridge group as bridged traffic. All routable traffic received on a bridged interface is routed to other routed interfaces as if it is coming directly from the BVI.
To receive routable packets arriving on a bridged interface but destined for a routed interface or to receive routed packets, the BVI must also have the appropriate addresses. The BVI borrows a MAC address of one of the bridged interfaces in the bridge group associated with the BVI. To route and bridge a given protocol in the same bridge group, the network layer attributes of the protocol on the BVI must be configured. No protocol attributes should be configured on the bridged interfaces, and no bridging attributes can be configured on the BVI.
Note
When a bridged domain contains learning devices (such as switches or bridges) that can learn the MAC address of a BVI, the BVI must be configured with its own MAC address—separate from the MAC addresses of the bridged interfaces in the bridge group that are associated with the virtual interface. The MAC address is configured by using the mac-address virtual interface command.
Because there can be only one BVI representing a bridge group, and the bridge group can be made up of different media types configured for several different encapsulation methods, the BVI may need to be configured with the particular encapsulation methods required to switch packets correctly. For example, the BVI has default data link and network layer encapsulations that are the same as those available on Ethernet interfaces, but the BVI can be configured with encapsulations that are not supported on an Ethernet interface.
In some cases, the default encapsulations provide appropriate results; in other cases they do not. For example, with default encapsulation, Advanced Research Projects Agency (ARPA) packets from the BVI are translated to Subnetwork Access Protocol (SNAP) when bridging IP to a Token Ring- or FDDI-bridged interface. But for Internet Packet Exchange (IPX), Novell-ether encapsulation from the BVI is translated to raw-token or raw-FDDI when bridging IPX to a Token Ring- or FDDI-bridged interface. Because this behavior is usually not what you want, IPX SNAP or Service Advertisement Protocol (SAP) encapsulation must be configured on the BVI. Refer to "Configuring Transparent Bridging Technology Overview" chapter of the Cisco IOS Bridging and IBM Networking Configuration Guide for more information on IRB.
VRRP Support for Integrated Routing and Bridging
For redundancy, the BVIs are configured for HSRP or VRRP to prevent a single point of failure. In Cisco IOS Release 12.3(14)T, configuration of VRRP on BVIs has been added and is similar to the existing HSRP support for BVIs.
How to Configure FHRP—VRRP Enhancements
This section contains the following procedures:
• Configuring VRRP Support for Text-String Authentication
• Configuring VRRP Support for MD5 Authentication
• Configuring IRB and VRRP Support for IRB
Configuring VRRP Support for Text-String Authentication
Perform this task to configure text-string authentication for VRRP groups.
Restrictions
Interoperability with vendors who may have implemented the RFC 2338 method is not enabled.
Text authentication cannot be combined with MD5 authentication for a VRRP group. When MD5 authentication is configured, the text authentication field in VRRP hello messages is set to all zeroes on transmit and ignored on receipt, provided the receiving router also has MD5 authentication enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. description string
5. vrrp group ip ip-address [secondary]
6. vrrp group priority level
7. vrrp group authentication text-string | text text-string
8. Repeat Steps 1 through 7 on each router that will communicate.
9. end
DETAILED STEPS
Configuring VRRP Support for MD5 Authentication
This section contains the following procedures that show how to configure VRRP support for MD5 authentication:
• Configuring MD5 Authentication Using Key Strings (required)
• Configuring MD5 Authentication Using Key Chains (required)
• Verifying the VRRP MD5 Authentication Configuration (optional)
Configuring MD5 Authentication Using Key Strings
Perform this task to configure MD5 authentication for VRRP groups using a key string.
Restrictions
Interoperability with vendors who may have implemented the RFC 2338 method is not enabled.
Text authentication cannot be combined with MD5 authentication for a VRRP group. When MD5 authentication is configured, the text authentication field in VRRP hello messages is set to all zeroes on transmit and ignored on receipt, provided the receiving router also has MD5 authentication enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. description string
5. vrrp group ip ip-address [secondary]
6. vrrp group priority level
7. vrrp group authentication md5 key-string [key-string]
8. Repeat Steps 1 through 7 on each router that will communicate.
9. end
DETAILED STEPS
Configuring MD5 Authentication Using Key Chains
Perform this task to configure MD5 authentication for VRRP groups using a key chain.
Restrictions
Interoperability with vendors who may have implemented the RFC 2338 method is not enabled.
Text authentication cannot be combined with MD5 authentication for a VRRP group. When MD5 authentication is configured, the text authentication field in VRRP hello messages is set to all zeroes on transmit and ignored on receipt, provided the receiving router also has MD5 authentication enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string string
6. exit
7. interface type number
8. description string
9. vrrp group ip ip-address [secondary]
10. vrrp group priority level
11. vrrp group authentication md5 key-chain key-chain
12. Repeat Steps 1 through 11 on each router that will communicate.
13. end
DETAILED STEPS
Verifying the VRRP MD5 Authentication Configuration
To verify the MD5 authentication configuration, perform the following steps.
SUMMARY STEPS
1. show vrrp
2. debug vrrp authentication
DETAILED STEPS
Step 1
show vrrp
Use this command to verify that the authentication is configured correctly, for example:
Router# show vrrp

Ethernet0/1 - Group 1
  State is Master
  Virtual IP address is 10.21.0.10
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption is enabled
  min delay is 0.000 sec
  Priority is 100
  Authentication MD5, key-string "f00d4s"
  Master Router is 10.21.0.1 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec

This output shows that MD5 authentication is configured with the f00d4s key string.
Step 2
debug vrrp authentication
Use this command to verify that both routers have authentication configured, that the MD5 key ID is the same on each router, and the MD5 key strings are the same on each router, for example:
Router# debug vrrp authentication

VRRP: Grp 1 Advertisement from 10.24.1.1 has incorrect authentication type 0 expected 254!

MD5 key IDs differ on each router.

VRRP: Grp 1 recalculate MD5 digest: "3n};oHp8_)_7¯C"
VRRP: Grp 1 Advertisement from 10.24.1.1 has FAILED MD5 authentication!

The MD5 key strings differ on each router.

VRRP: Grp 1 received MD5 digest:"_M_^uMiWo^|t?t2m"
VRRP: Grp 1 Advertisement from 10.24.1.1 has FAILED MD5 authentication!

The text authentication strings differ on each router.

VRRP: Grp 1 Advertisement from 172.24.1.1 has FAILED TEXT authentication

Configuring IRB and VRRP Support for IRB
This section contains the following procedures:
• Enabling BVI Bridging and Configuring a BVI Group (required)
• Configuring the BVI Interface and Enabling VRRP Support on the BVI for IRB (required)
• Enabling IRB on the Interfaces (required)
Enabling BVI Bridging and Configuring a BVI Group
Perform this task to enable BVI bridging and to configure a BVI group.
Due to the forwarding delay that is associated with the initialization of a BVI interface, it is necessary to set the VRRP advertise timer to a value equal to or greater than the forwarding delay on the BVI interface. This setting prevents a VRRP router on a recently initialized BVI interface from unconditionally taking over the master role. See the "Configuring the BVI Interface and Enabling VRRP Support on the BVI for IRB" section.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge irb
4. bridge bridge-group protocol {dec | ibm | ieee | vlan-bridge}
5. bridge bridge-group route protocol {appletalk | cln | decnet | ip | ipx}
6. bridge bridge-group forward-time seconds
7. end
DETAILED STEPS
Command or Action / Purpose
Step 1
enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3
bridge irb
Example: Router(config)# bridge irb
Enables the Cisco IOS software to route a given protocol between routed interfaces and bridge groups or to route a given protocol between bridge groups.
Step 4
bridge bridge-group protocol {dec | ibm | ieee | vlan-bridge}
Example: Router(config)# bridge 100 protocol ieee
Defines the type of Spanning Tree Protocol (STP). The argument and keywords are as follows:
• bridge-group—Number of the bridge group.
• dec—Digital STP.
• ibm—IBM STP.
• ieee—IEEE Ethernet STP.
• vlan-bridge—virtual local-area network (VLAN) STP.
Note
IEEE 802.1D STP is the preferred method of running a bridge.
Step 5
bridge bridge-group route protocol {appletalk | cln | decnet | ip | ipx}
Example: Router(config)# bridge 100 route ip
Enables the routing of a specified protocol in a specified bridge group. The arguments and keywords are as follows:
• bridge-group—Number of the bridge group specified using the bridge protocol command.
• protocol—One of the following protocols:
  – appletalk
  – cln
  – decnet
  – ip
  – ipx
Step 6
bridge bridge-group forward-time seconds
Example: Router(config)# bridge 100 forward-time 4
Sets the forward-delay interval for the bridge group. The arguments are as follows:
• bridge-group—Bridge-group number specified using the bridge route command.
• seconds—Forward-delay interval. It must be a value in the range from 4 to 200 seconds. The default is 30 seconds.
Note
The forward time configured in this step should match the advertisement time set using the vrrp timers advertise command. See the "Configuring the BVI Interface and Enabling VRRP Support on the BVI for IRB" section.
Step 7
end
Example: Router(config)# end
Ends the configuration.
Configuring the BVI Interface and Enabling VRRP Support on the BVI for IRB
Perform this task to configure the BVI interfaces.
The BVI interface does not appear in a router configuration until it is created by using the interface command. The number that is used to create the BVI must be the same number as the bridge group. For example, specify BVI 100 as the interface type and number with the interface command to create the BVI to be used with bridge-group 100.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. vrrp group ip ip-address [secondary]
6. vrrp group priority level
7. vrrp group authentication md5 key-chain key-chain
8. vrrp group timers advertise [seconds | msec msec | learn]
9. no shutdown
10. end
DETAILED STEPS
Command or Action / Purpose
Step 1
enable
Example: Router> enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Step 2
configure terminal
Example: Router# configure terminal
Enters global configuration mode.
Step 3
interface type number
Example: Router(config)# interface bvi 100
Configures a BVI and enters interface configuration mode.
Note
Specify BVI as the type of interface and the bridge-group number that is to be associated with this interface as the number.
Step 4
ip address ip-address mask [secondary]
Example: Router(config-if)# ip address 10.2.3.2 255.0.0.0
Specifies the IP address of the interface and the associated subnet. The arguments and keyword are as follows:
• ip-address mask—IP address and mask for the associated IP subnet.
• secondary—(Optional) Configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.
Step 5
vrrp group ip ip-address [secondary]
Example: Router(config-if)# vrrp 100 ip 10.24.1.254
Enables VRRP on an interface and identifies the IP address of the virtual router. The arguments and keyword are as follows:
• group—Virtual router group number.
• ip-address—IP address of the virtual router.
• secondary—(Optional) Additional IP addresses supported by this group.
Step 6
vrrp group priority level
Example: Router(config-if)# vrrp 1 priority 110
Assigns a priority level to the VRRP group. The arguments are as follows:
• group—Virtual router group number.
• level—Priority of the router within the VRRP group. The range is from 1 to 254. The default is 100.
Step 7
vrrp group authentication md5 key-chain key-chain
Example: Router(config-if)# vrrp 1 authentication md5 key-chain vrrp1
Specifies either text authentication or MD5 authentication for the VRRP group. The arguments and keywords are as follows:
• group—VRRP group.
• md5—MD5 authentication.
• key-chain—Authentication using a live key and key ID. The key-chain argument is a string and must match the key-chain name assigned with the key chain command (Step 3 of the "Configuring MD5 Authentication Using Key Chains" task).
Note
Only the MD5 authentication method is shown here. Plain-text authentication can also be configured for BVIs. See the "Configuring VRRP Support for Text-String Authentication" section.
Step 8
vrrp group timers advertise [seconds | msec msec | learn]
Example: Router(config-if)# vrrp 100 timers advertise 4
Configures the interval between successive advertisements by the master virtual router in a VRRP group. The arguments and keywords are as follows:
• group—Virtual router group number.
• seconds—(Optional) Advertisement interval in seconds. The range is from 1 to 255.
• msec—(Optional) Unit of the advertisement time in milliseconds. If this keyword is not specified, the timer is set in seconds. The msec argument has a range from 50 to 999.
• learn—(Optional) Learn timer values.
Note
The interval time configured in this step should match the forward time set for the bridge group protocol and route. See the "Enabling BVI Bridging and Configuring a BVI Group" section.
Step 9
no shutdown
Example: Router(config-if)# no shutdown
Restarts the disabled interface configured in Step 3.
Step 10
end
Example: Router(config)# end
Ends the configuration.
Enabling IRB on the Interfaces
Perform this task to enable IRB on the interfaces.
Prerequisites
The bridge associated with the BVI interfaces must have the forwarding delay time set to its minimum value of 4 seconds with the bridge forward-time command.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. bridge-group bridge-group
5. Repeat Steps 3 and 4 until all of the interfaces are configured for the bridge group.
6. end
DETAILED STEPS
Configuration Examples for FHRP—VRRP Enhancements
This section contains the following configuration examples:
• MD5 Authentication Configuration Using a Key String: Example
• MD5 Authentication Configuration Using a Key Chain: Example
• IRB and VRRP with MD5 Key-Chain Authentication Configuration: Example
MD5 Authentication Configuration Using a Key String: Example
The following example shows how to configure MD5 authentication using a key string:
interface Ethernet0/1
 description my-cat5a-7/10
 vrrp 1 ip 10.21.0.10
 vrrp 1 priority 110
 vrrp 1 authentication md5 key-string f00c4s

MD5 Authentication Configuration Using a Key Chain: Example
The following example shows how to configure MD5 authentication using a key chain:
key chain vrrp1
 key 1
  key-string f00c4s
exit
!
interface ethernet0/1
 description my-cat5a-7/10
 vrrp 1 ip 10.21.0.10
 vrrp 1 priority 110
 vrrp 1 authentication md5 key-chain vrrp1

In this example, VRRP queries the key chain to obtain the current live key and key ID for the specified key chain.
IRB and VRRP with MD5 Key-Chain Authentication Configuration: Example
This section contains the following examples:
• IRB and Bridge-Group Configuration: Example
• BVI Interface and VRRP with MD5 Key-Chain Configuration for IRB: Example
• IRB Bridge Group on an Interface Configuration: Example
IRB and Bridge-Group Configuration: Example
The following example shows how to enable IRB:
bridge irb
!
bridge 100 protocol ieee
bridge 100 route ip
bridge 100 forward-time 4

BVI Interface and VRRP with MD5 Key-Chain Configuration for IRB: Example
The following example shows how to configure a BVI interface for IRB, and VRRP with MD5 key-chain authentication:
interface BVI100
 ip address 10.24.1.1 255.255.255.0
 vrrp 1 ip 10.24.1.254
 vrrp 1 timers advertise 4
 vrrp 1 priority 200
 vrrp 1 authentication md5 key-chain vrrp1
 vrrp 100 ip 10.0.0.1
 vrrp 100 timers advertise 4

IRB Bridge Group on an Interface Configuration: Example
The following example shows how to enable the BVI bridge group on an interface:
interface ethernet0/1
 bridge-group 100
!
interface ATM4/0/0
 bridge-group 100

Additional References
The following sections provide references related to the FHRP—VRRP Enhancements feature.
Related Documents
Related Topic / Document Title
• IP addressing and services configuration tasks: Cisco IOS IP Configuration Guide, Release 12.3
• IP addressing and services commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples): Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3T
• IRB overview and configuration tasks: Integrated Routing and Bridging (IRB) Support for the Cisco MGX-RPM-XF-512, Cisco Release 12.3(14)T; "Configuring Transparent Bridging Technology Overview" chapter of the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2
• Bridging and switching overview and configuration tasks: Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.3; Cisco IOS Switching Services Configuration Guide, Release 12.3
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Command Reference
This section documents one new command and modified commands only.
New Commands
Modified Commands
debug vrrp authentication
To display debugging messages for Virtual Router Redundancy Protocol (VRRP) Message Digest 5 (MD5) authentication, use the debug vrrp authentication command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug vrrp authentication
no debug vrrp authentication
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following sample output shows that MD5 authentication is enabled on one router but not the other:
Router# debug vrrp authentication

VRRP: Grp 1 Advertisement from 172.24.1.1 has incorrect authentication type 0 expected 254