HP VPN Firewall Appliances High Availability Command Reference

Views
Interface view
Default command level
2: System level
Usage guidelines
The master of a VRRP group periodically sends VRRP advertisements to indicate its existence. VRRP
advertisements are multicast onto the local network segment and are not forwarded by routers, so
the packet TTL value is not changed in transit. When the master of a VRRP group sends VRRP
advertisements, it sets the packet TTL to 255. After you enable TTL check on VRRP packets, the backups of
the VRRP group check the TTL of each VRRP packet they receive and drop any VRRP packet whose TTL
is smaller than 255. This prevents attacks from other network segments.
Because devices from different vendors might implement VRRP differently, VRRP packet TTL check might
drop packets that should not be dropped when the device is interoperating with devices of other vendors.
In this situation, use the vrrp un-check ttl command to disable TTL check on VRRP
packets.
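The TTL check described above, sketched as an added Python example (not code from this manual or from the device firmware). The function names, the sample addresses and the zeroed checksums are assumptions made for illustration; the packets are constructed test data.

```python
import socket
import struct

VRRP_PROTO = 112            # IANA IP protocol number for VRRP
VRRP_GROUP = "224.0.0.18"   # VRRP IPv4 multicast group
REQUIRED_TTL = 255          # TTL the master sets on its advertisements
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def build_ipv4_vrrp(src, ttl, vrid=1, priority=100):
    """Build a constructed IPv4 packet with a minimal VRRPv2-style
    advertisement (hypothetical helper; checksums are left at zero)."""
    payload = struct.pack("!BBBBBBH", 0x21, vrid, priority, 0, 0, 1, 0)
    header = struct.pack(IPV4_FMT, 0x45, 0xC0, 20 + len(payload), 0, 0,
                         ttl, VRRP_PROTO, 0,
                         socket.inet_aton(src), socket.inet_aton(VRRP_GROUP))
    return header + payload


def check_vrrp_packet(packet, ttl_check=True):
    """Return (accepted, reason) the way a backup would decide.

    ttl_check=False models an interface configured with
    'vrrp un-check ttl'.
    """
    if len(packet) < 20:
        return False, "truncated IPv4 header"
    ver_ihl, _, _, _, _, ttl, proto, _, _, _ = struct.unpack(
        IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4 or proto != VRRP_PROTO:
        return False, "not an IPv4 VRRP packet"
    # A packet that was routed from another segment has had its TTL
    # decremented at least once, so it can no longer arrive with 255.
    if ttl_check and ttl < REQUIRED_TTL:
        return False, f"TTL {ttl} is below {REQUIRED_TTL}"
    return True, "accepted"


if __name__ == "__main__":
    on_link = build_ipv4_vrrp("192.0.2.1", 255)     # sent on the local segment
    routed = build_ipv4_vrrp("198.51.100.7", 254)   # passed through one router
    print(check_vrrp_packet(on_link))
    print(check_vrrp_packet(routed))
    print(check_vrrp_packet(routed, ttl_check=False))
```

With the check disabled, the second packet is accepted, which is the exposure that remains on interfaces where vrrp un-check ttl is configured for interoperability.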
Examples
# Disable TTL check on VRRP packets.
<Sysname> system-view
[Sysname] interface gigabitethernet0/1
[Sysname-GigabitEthernet0/1] vrrp un-check ttl
vrrp vrid authentication-mode
Use vrrp vrid authentication-mode to configure the authentication mode and authentication key that a
VRRP group uses to send and receive VRRP packets.
Use undo vrrp vrid authentication-mode to restore the default.
Syntax
vrrp vrid virtual-router-id authentication-mode { md5 | simple } [ cipher ] key
undo vrrp vrid virtual-router-id authentication-mode
Default
Authentication is disabled.
Views
Interface view
Default command level
2: System level
Parameters
virtual-router-id: VRRP group number, which ranges from 1 to 255.
md5: Specifies the MD5 authentication mode.
simple: Specifies the simple authentication mode.
cipher: Sets a ciphertext authentication key.