119 
Authentication method 
To avoid attacks from unauthorized users, VRRP member routers add authentication keys in VRRP 
packets to authenticate one another. VRRP provides the following authentication methods: 
•  Simple authentication 
The sender fills an authentication key into the VRRP packet, and the receiver compares the 
received authentication key with its local authentication key. If the two authentication keys 
match, the received VRRP packet is legitimate. Otherwise, the received packet is illegitimate 
and gets discarded. 
•  MD5 authentication 
The sender computes a digest for the packet to be sent by using the authentication key and 
MD5 algorithm, and saves the result in the VRRP packet. The receiver performs the same 
operation with the authentication key and MD5 algorithm, and compares the result with the 
content in the authentication header. If the results match, the received VRRP packet is 
legitimate. Otherwise, the received packet is illegitimate and gets discarded. 
On a secure network, you can choose to not authenticate VRRP packets. 
 
 
NOTE: 
IPv4 VRRPv3 and IPv6 VRRPv3 do not support VRRP packet authentication.  
 
VRRP timers 
Skew_Time 
Skew_Time helps avoid the situation that multiple backups in a VRRP group become the master at 
the same time when the master in the VRRP group fails.  
Skew_Time is not configurable; its value depends on the version of VRRP. 
•  In VRRPv2 (described in RFC 3768), Skew_Time is (256 – Router priority)/256. 
•  In VRRPv3 (described in RFC 5798), Skew_Time is ((256 – Router priority) × VRRP 
advertisement interval)/256. 
VRRP advertisement interval  
The master in a VRRP group periodically sends VRRP advertisements to declare its presence.  
You can configure the interval at which the master sends VRRP advertisements. If a backup does not 
receive a new VRRP advertisement from the master when the timer (3 × VRRP advertisement 
interval + Skew_Time) expires, it regards that the master has failed and takes over as the master.  
VRRP preemption delay timer 
You can configure the VRRP preemption delay timer to do the following:  
•  Avoid frequent state changes among members in a VRRP group. 
•  Provide the backups enough time to collect information (such as routing information).  
In preempt mode, a backup does not immediately become the master after it receives an 
advertisement with lower priority than the local priority. Instead, it waits for a period of time 
(preemption delay time + Skew_Time) before taking over as the master. 
Master election 
Routers in a VRRP group determine their roles by priority. When a router joins a VRRP group, it has 
a backup role. The router role changes according to the following situations: