1. In terms of function:
VRRP and HSRP are very similar. In terms of security, one advantage usually cited for VRRP is that the VRRP specification itself defines an authentication mechanism between the devices participating in the VRRP group. Another difference is the virtual address: in HSRP the virtual IP address cannot be the real IP address of one of the routers, whereas VRRP allows exactly that (if the router that owns the virtual router's address is up and running, it always becomes the Master of that virtual router, the equivalent of the active router in HSRP). So that end hosts do not have to relearn the MAC address after a failover, VRRP specifies the virtual MAC address 00-00-5e-00-01-VRID, where VRID is the ID of the virtual router (equivalent to an HSRP group identifier).
2. Another difference is that VRRP has no equivalent of the HSRP Coup message. The VRRP state machine is also simpler than HSRP's: HSRP has six states (Initial, Learn, Listen, Speak, Standby, Active) and eight events, while VRRP has only three states (Initialize, Master, Backup) and five events.
3. HSRP has three message types, Hello, Coup and Resign, and a router sends them from three of its states (Speak, Standby and Active).
VRRP has a single packet type, the VRRP advertisement, which the Master router sends periodically to announce that it is still alive. The advertisement carries the parameters of the virtual router (VRID, priority, advertisement interval, virtual IP addresses) and is also what drives the election of the Master: a Backup that stops hearing advertisements takes over.
4. HSRP carries its messages in UDP (HSRPv1 sends its hello messages from UDP port 1985 to the multicast address 224.0.0.2). VRRP is not carried on TCP or UDP at all: VRRP advertisements ride directly on IP as protocol number 112, addressed to the multicast group 224.0.0.18.
5. VRRP security: VRRPv2 as specified in RFC 2338 defines three authentication types: no authentication (type 0), a simple clear-text password (type 1), and strong authentication using the IP Authentication Header with HMAC-MD5 (type 2). Note that the later revisions RFC 3768 and RFC 5798 (VRRPv3) removed the password and AH types from the specification, leaving only the TTL check described below and, where needed, IPsec applied outside the protocol.
The clear-text password only guards against configuration mismatches: it travels unencrypted in every advertisement, so anyone who can sniff the segment can read it. The strong method uses the IP Authentication Header (AH), the same protocol used in IPsec; AH authenticates both the VRRP payload and the immutable fields of the IP header. HMAC-MD5 implies a shared key. The sending router computes an HMAC-MD5 over the packet with that key and places the result in the advertisement. The receiver recalculates the HMAC over the received packet contents and header with the same key; if the result matches, the message came from a peer that holds the key, otherwise it must be discarded. This prevents an attacker who has gained access to the LAN from injecting advertisements that influence the Master election or otherwise disrupt the network.
VRRP also includes a mechanism to protect against VRRP packets injected from another (remote) network: advertisements are sent with a TTL of 255, and a receiver discards any VRRP packet whose TTL is not 255. Because every router hop decrements the TTL, a packet that has been routed in from elsewhere can never pass this check, which limits attacks to hosts on the local segment. HSRP, on the other hand, sends its messages with a TTL of 1.
6. VRRP Master_Down_Interval (the time a Backup waits without hearing an advertisement before it declares the Master down): 3 * Advertisement_Interval + Skew_Time, where Skew_Time = (256 - Priority) / 256 seconds. The higher a Backup's priority, the smaller its skew time, so the highest-priority Backup times out first and wins the election.
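As an added example (not code from the original article), the following Python script shows what the points above mean on the wire: it builds a VRRPv2 advertisement in the RFC 2338 layout (version/type, VRID, priority, address count, auth type, advertisement interval, one's-complement checksum, virtual addresses, 8-byte authentication data), then runs the receiver-side checks a Backup performs before accepting it (TTL 255, checksum, version, VRID, authentication type and password, address list), and computes the Master_Down_Interval for different priorities. The packet contents, VRID 1 and the virtual address 192.0.2.1 are constructed sample data. The `ah_style_tag` helper only illustrates the shared-key HMAC-MD5 principle behind the AH method; it is not the IPsec AH header format.

```python
"""VRRPv2 (RFC 2338) advertisement: build, parse and validate as a receiver would."""
import hashlib
import hmac
import ipaddress
import struct

VRRP_IP_PROTO = 112        # VRRP rides directly on IP, protocol number 112
VRRP_MCAST = "224.0.0.18"  # all-VRRP-routers group (HSRPv1: UDP/1985 to 224.0.0.2)
VRRP_TTL = 255             # sent with TTL 255, checked on receipt
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2
# ver/type, VRID, priority, count, auth type, adver int, checksum
HDR = struct.Struct("!BBBBBBH")


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; over a packet that already carries its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, addrs, adver_int=1, auth_type=AUTH_NONE, password=b""):
    """Master side: serialise one VRRPv2 advertisement (version 2, type 1)."""
    if not 1 <= vrid <= 255 or not 1 <= priority <= 255:
        raise ValueError("VRID and priority are 1..255")
    # Type 1 carries an 8-byte clear-text password; otherwise the field is zero.
    auth_data = password.ljust(8, b"\x00")[:8] if auth_type == AUTH_SIMPLE else bytes(8)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + auth_data
    header = HDR.pack((2 << 4) | 1, vrid, priority, len(addrs), auth_type, adver_int, 0)
    csum = ones_complement_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advertisement(pkt: bytes) -> dict:
    vt, vrid, prio, count, auth_type, adver_int, _csum = HDR.unpack_from(pkt)
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio,
            "auth_type": auth_type, "adver_int": adver_int, "addrs": addrs,
            "auth_data": pkt[8 + 4 * count:16 + 4 * count]}


def validate(ttl: int, pkt: bytes, cfg: dict):
    """Receiver checks of RFC 2338 section 7.1; cfg is the local virtual-router config."""
    if ttl != VRRP_TTL:
        return False, "ttl"          # decremented in transit: not sent on this LAN
    if len(pkt) < 16 or ones_complement_checksum(pkt) != 0:
        return False, "checksum"
    adv = parse_advertisement(pkt)
    if adv["version"] != 2 or adv["type"] != 1:
        return False, "version/type"
    if adv["vrid"] != cfg["vrid"]:
        return False, "vrid"
    if adv["auth_type"] != cfg["auth_type"]:
        return False, "auth type"
    if cfg["auth_type"] == AUTH_SIMPLE and not hmac.compare_digest(
            adv["auth_data"], cfg["password"].ljust(8, b"\x00")[:8]):
        return False, "password"
    if adv["addrs"] != cfg["addrs"]:
        return False, "address list"
    return True, "ok"


def master_down_interval(adver_int: float, priority: int) -> float:
    """Backup timer: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - Priority) / 256 s."""
    return 3 * adver_int + (256 - priority) / 256


def ah_style_tag(pkt: bytes, key: bytes) -> bytes:
    """Illustrative HMAC-MD5-96 over the advertisement (principle of the AH method, not its header)."""
    return hmac.new(key, pkt, hashlib.md5).digest()[:12]


if __name__ == "__main__":
    # Constructed sample configuration: VRID 1, clear-text password, one virtual address.
    cfg = {"vrid": 1, "auth_type": AUTH_SIMPLE, "password": b"s3cret", "addrs": ["192.0.2.1"]}
    adv = build_advertisement(1, 100, cfg["addrs"], auth_type=AUTH_SIMPLE, password=b"s3cret")
    print(validate(255, adv, cfg))        # (True, 'ok')
    print(validate(254, adv, cfg))        # (False, 'ttl'): routed in from another network
    forged = build_advertisement(1, 255, cfg["addrs"], auth_type=AUTH_SIMPLE, password=b"guess")
    print(validate(255, forged, cfg))     # (False, 'password'): priority-255 takeover rejected
    print(master_down_interval(1, 100), master_down_interval(1, 254))  # 3.609375 3.0078125
```

The forged packet shows the attack the authentication and TTL checks are meant to stop: an attacker on the segment sending an advertisement with priority 255 to win the Master election. With no authentication configured the same packet would be accepted, and the only remaining barrier is that it must originate on the local LAN.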
SPOTO has focused on IT certification training for 16 years. Over those 16 years, SPOTO has helped tens of thousands of candidates achieve their Cisco CCNA, CCNP, CCIE and CISSP certifications. Subscribe to get more news.