Using Strong Authentication
The easiest way to partly mitigate the attack is to use strong authentication. It is easy
because it involves a single configuration line in all master and backup routers. Cisco
routers and switches running 12.3(14)T and above can use a message digest algorithm 5
(MD5) Hash-based Message Authentication Code (HMAC) to authenticate all VRRP
packets without ever sending the key in the clear. Example 10-2 shows the syntax to use
when using the preshared key of SeCrET. (Note that this is a Cisco extension to VRRP,
which is easier to deploy than the full AH authentication of IPsec.)
Example 10-2 Using MD5 to Authenticate VRRP Messages
interface FastEthernet0/0
 ip address 192.168.0.7 255.255.255.0
 vrrp 1 ip 192.168.0.7
 vrrp 1 authentication md5 key-string SeCrET
With this syntax, an attacker has no way to discover the preshared key. Therefore, an
attacker is unable to send forged VRRP messages that the existing VRRP routers accept and
process. However, preventing an attacker from forging a new VRRP message is not enough.
If the attacker sniffs a VRRP advertisement from the master router while the master router
is down, the attacker can simply replay the sniffed master advertisement to become the new
master, because the keyed digest proves only possession of the key, not freshness of the message.
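The following Python script is an added illustration of the two properties described above; it is not Cisco's code, and the packet layout it uses is an assumption (a simplified VRRPv2 header with an HMAC-MD5 tag appended) rather than the exact Cisco wire format. It shows that a receiver holding the preshared key SeCrET rejects a tampered advertisement and one tagged with the wrong key, while a byte-for-byte copy of a genuine advertisement verifies just as well as the original, which is exactly the gap a router cannot close with a keyed digest alone.

```python
import hashlib
import hmac
import ipaddress
import struct

# Preshared key from Example 10-2 on the page.
PRESHARED_KEY = b"SeCrET"
HEADER_LEN = 12
DIGEST_LEN = hashlib.md5().digest_size  # 16 bytes


def build_advert(vrid: int, priority: int, vip: str, key: bytes) -> bytes:
    """Build a simplified VRRPv2 advertisement protected by an HMAC-MD5 tag.

    Layout (assumption, not the exact Cisco wire format):
      version/type (1) | vrid (1) | priority (1) | count (1) |
      auth type (1) | adver int (1) | checksum (2) | vip (4) | hmac-md5 (16)
    """
    header = struct.pack(
        "!BBBBBBH4s",
        0x21,          # version 2, type 1 (advertisement)
        vrid,
        priority,
        1,             # one virtual IP address follows
        0,             # auth type field unused in this illustration
        1,             # advertisement interval, seconds
        0,             # checksum left at zero in this illustration
        ipaddress.IPv4Address(vip).packed,
    )
    tag = hmac.new(key, header, hashlib.md5).digest()
    return header + tag


def verify_advert(pkt: bytes, key: bytes) -> bool:
    """Receiver-side check: recompute the tag over the header with the local key."""
    if len(pkt) != HEADER_LEN + DIGEST_LEN:
        return False
    body, tag = pkt[:HEADER_LEN], pkt[HEADER_LEN:]
    expected = hmac.new(key, body, hashlib.md5).digest()
    return hmac.compare_digest(tag, expected)


def priority_of(pkt: bytes) -> int:
    return pkt[2]


def demo() -> dict:
    """Exercise the receiver against four constructed inputs."""
    genuine = build_advert(1, 255, "192.168.0.7", PRESHARED_KEY)

    # Same bytes with the priority field altered but the old tag kept:
    # a change made without the key breaks the digest.
    tampered = genuine[:2] + bytes([100]) + genuine[3:]

    # A message tagged with a guessed key does not verify either.
    wrong_key = build_advert(1, 255, "192.168.0.7", b"guess")

    # A captured copy is indistinguishable from the original: nothing in the
    # message changes per transmission, so the digest gives no replay protection.
    replayed = bytes(genuine)

    return {
        "genuine": verify_advert(genuine, PRESHARED_KEY),
        "tampered": verify_advert(tampered, PRESHARED_KEY),
        "wrong_key": verify_advert(wrong_key, PRESHARED_KEY),
        "replayed": verify_advert(replayed, PRESHARED_KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} accepted={ok}")
```

The last case is the one the text warns about: because the digest covers only static fields, a receiver has no way to tell a replayed advertisement from a fresh one, so detection of the condition has to come from elsewhere (for example, noticing master advertisements that continue after the real master has gone quiet).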
NOTE VRRP is slightly more secure than HSRP because, if one router has the virtual IP address
assigned to its interface, it always has the highest priority. Therefore, no one can become
the master while the existing master is alive.