1. In terms of functionality, VRRP and HSRP are very similar, but in terms of security VRRP has a major advantage over HSRP: it allows the devices in a VRRP group to establish authentication mechanisms. In addition, unlike HSRP, where the virtual IP address cannot be the real address of one of the routers, VRRP allows this situation (if the router that owns the virtual router's IP address is up and running, it should always act as the master for that virtual router, the equivalent of the active router in HSRP). To ensure that end hosts do not have to learn a new MAC address after a failover, VRRP specifies the virtual MAC address 00-00-5e-00-01-VRID, where VRID is the ID of the virtual router (equivalent to an HSRP group ID).
2. Another difference is that VRRP has no equivalent of HSRP's Coup message. VRRP also has a simpler state machine than HSRP: HSRP has six states (Initial, Learn, Listen, Speak, Standby, Active) and eight events, while VRRP has only three states (Initialize, Master, Backup) and five events.
3. HSRP has three message types, sent from three of its states: the Hello message, the Resign message and the Coup message.
VRRP has a single message type, the VRRP advertisement, which the master router sends periodically to announce its presence. These packets carry the virtual router's parameters and are used for master election.
4. HSRP carries its packets in UDP, while VRRP carries its packets in TCP (HSRP uses UDP port 1985 to send Hello messages to the multicast address 224.0.0.2).
5. VRRP security: the VRRP protocol includes three main authentication methods: no authentication, a simple plaintext password, and strong authentication using the IP Authentication Header with HMAC-MD5.
Strong authentication uses the IP Authentication Header (AH) protocol, the same AH used in IPsec. AH provides a way to authenticate both the content and the header of VRRP packets. Using HMAC-MD5 means that a shared key is used to generate the hash value: when a router sends a VRRP packet, it generates the MD5 hash and places it in the advertisement. On receipt, the receiver uses the same key and MD5 to recompute the hash over the packet content and packet header. If the result matches, the message really came from a trusted host; if it differs, the packet must be discarded. This prevents an attacker who has gained access to the LAN, or who uses other means to disrupt the network, from sending advertisements that could influence the election process.
In addition, VRRP includes a mechanism to protect against VRRP packets being injected from another, remote network (the TTL is set to 255 and checked on receipt), which confines most attacks to the local segment. By contrast, the TTL value HSRP uses in its messages is 1.
6. VRRP master down interval: 3 * advertisement interval + skew time.
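As an added example (not code from this page or from any vendor), the following Python models points 5 and 6 above: the virtual MAC derived from the VRID, the master down interval with its skew time, and a receiver that applies the TTL = 255 check before verifying an HMAC-MD5 tag computed with the shared key. It assumes the VRRPv2 field layout of RFC 3768 and, as a simplification, computes the HMAC over the bare advertisement instead of through a real AH header; all packet values are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Constructed example (not the page's or any vendor's code) modelling the VRRP
# facts stated above: virtual MAC, master-down timer, TTL=255 and HMAC-MD5 checks.
# Simplification: the HMAC covers the bare advertisement, not a real IP AH header.

def virtual_mac(vrid: int) -> str:
    """Virtual router MAC 00-00-5e-00-01-VRID; hosts keep it across a failover."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"

def skew_time(priority: int) -> float:
    """Skew time in seconds: higher-priority backups time out sooner."""
    return (256 - priority) / 256.0

def master_down_interval(adver_int: int, priority: int) -> float:
    """The page's formula: 3 * advertisement interval + skew time."""
    return 3 * adver_int + skew_time(priority)

def _inet_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advertisement(vrid: int, priority: int, adver_int: int, vips: list) -> bytes:
    """Minimal VRRPv2 advertisement: ver=2/type=1, VRID, priority, virtual IPs, 8 auth bytes."""
    addrs = b"".join(socket.inet_aton(ip) for ip in vips)
    pkt = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0) + addrs + bytes(8)
    return pkt[:6] + struct.pack("!H", _inet_checksum(pkt)) + pkt[8:]

def sign_advertisement(advert: bytes, key: bytes) -> bytes:
    """Sender side: HMAC-MD5 over the advertisement using the group's shared key."""
    return hmac.new(key, advert, hashlib.md5).digest()

def accept_advertisement(advert: bytes, tag: bytes, ttl: int, key: bytes) -> tuple:
    """Receiver side: reject anything that crossed a router, then anything unauthenticated."""
    if ttl != 255:
        return False, "ttl"          # forwarded from another network
    if _inet_checksum(advert) != 0:
        return False, "checksum"     # corrupted or tampered in transit
    if not hmac.compare_digest(sign_advertisement(advert, key), tag):
        return False, "hmac"         # unknown key: do not let it affect the election
    return True, "ok"
```

A forged advertisement with a raised priority fails the checksum or HMAC check and is dropped before it can influence the master election.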