Configuring Metro Features
December 2005 © Foundry Networks, Inc. 8 - 29
Configuring Authentication
If the interfaces on which you configure the VRID use authentication, the VSRP packets on those interfaces also
must use the same authentication. VSRP supports the following authentication types:
• No authentication – The interfaces do not use authentication. This is the default.
• Simple – The interfaces use a simple text-string as a password in packets sent on the interface. If the
interfaces use simple password authentication, the VRID configured on the interfaces must use the same
authentication type and the same password.
To configure a simple password, enter a command such as the following at the interface configuration level:
FastIron SuperX Router(config-if-1/6)# ip vsrp auth-type simple-text-auth ourpword
This command configures the simple text password “ourpword”.
Syntax: [no] ip vsrp auth-type no-auth | simple-text-auth <auth-data>
The auth-type no-auth parameter indicates that the VRID and the interface it is configured on do not use
authentication.
The auth-type simple-text-auth <auth-data> parameter indicates that the VRID and the interface it is configured
on use a simple text password for authentication. The <auth-data> value is the password. If you use this
parameter, make sure all interfaces on all the devices supporting this VRID are configured for simple password
authentication and use the same password.
Configuring Security Features on a VSRP-Aware Device
The VSRP-aware security feature enables you to:
• Define the specific authentication parameters that a VSRP-aware device will use on a VSRP backup switch.
The authentication parameters that you define will not age out.
• Define a list of ports that have authentic VSRP backup switch connections. For ports included in the list, the
VSRP-aware switch will process VSRP hello packets using the VSRP-aware security configuration.
Conversely, for ports not included in the list, the VSRP-aware switch will not use the VSRP-aware security
configuration.
If VSRP hello packets do not meet the acceptance criteria, the VSRP-aware device forwards the packets normally,
without any VSRP-aware security processing.
Specifying an Authentication String for VSRP Hello Packets
The following configuration defines pri-key as the authentication string for accepting incoming VSRP hello
packets. In this example, the VSRP-aware device will accept all incoming packets that have this authorization
string.
FastIron SuperX Router(config)# vlan 10
FastIron SuperX Router(config-vlan-10)# vsrp-aware vrid 3 simple-text-auth pri-key
Syntax: vsrp-aware vrid <vrid number> simple text auth <string>
Specifying no Authentication for VSRP Hello Packets
The following configuration specifies no authentication as the preferred VSRP-aware security method. In this
case, the VSRP device will not accept incoming packets that have authentication strings.
FastIron SuperX Router(config)# vlan 10
FastIron SuperX Router(config-vlan-10)# vsrp-aware vrid 2 no-auth
Syntax: vsrp-aware vrid <vrid number> no-auth
The following configuration specifies no authentication for VSRP hello packets received on ports 1/1, 1/2, 1/3, and
1/4 in VRID 4. For these ports, the VSRP device will not accept incoming packets that have authentication strings.
FastIron SuperX Router(config)# vlan 10
FastIron SuperX Router(config-vlan-10)# vsrp-aware vrid 4 no-auth port-list ethe 1/
1 to 1/4
Syntax: vsrp-aware vrid <vrid number> no-auth port-list <port range>
To Next Page
Loading...
Need help?
General
