{Cisco CCNP RS} Comparison between VRRP and HSRP


Virtual Router Redundancy Protocol (VRRP) is a routing protocol proposed by IETF to solve the single-point failure of static gateway configuration in LAN. In 1998, the formal RFC2338 Protocol Standard was launched. Hot Standby Router Protocol (HSRP) is a unique technology of Cisco platform and a private protocol of Cisco.

  1. VRRP and HSRP are very similar in function, but in terms of safety, one of the main advantages of VRRP to HSRP is that it allows the establishment of an authentication mechanism between devices participating in the VRRP group. And unlike HSRP, which requires that the virtual router cannot be the IP address of one of the routers, VRRP allows this to happen (if the router that “owns” the virtual router address is established and running, it should always be managed by this virtual router – equivalent to the active router in HSRP), but in order to ensure that the terminal host does not have to relearn the MAC address in case of failure, It specifies the MAC address 00-00-5e-00-01-VRID  to be used, where VRID is the ID of the virtual router (equivalent to the group identifier of an HSRP).
  2. Another difference is that VRRP does not use the coup or an equivalent message in HSRP. The state machine of VRRP is simpler than that of HSRP. HSRP has 6 states (initial state, learn state, listen state, speak state, standby state and active state) and 8 events. VRRP has only 3 states (initial state, master state, backup state) and 5 events.

encor dumps free online

  1. HSRP has three kinds of messages, and three states can send messages

(Hello) message, (Resign) message, (Coup) message  VRRP has a kind of message which is VRRP broadcast message: the main router sends it regularly to announce its existence. These messages can be used to detect various parameters of the virtual router, and can also be used for the election of the main router.

  1. HSRP carries the message on UDP message, while VRRP carries the TCP message (HSRP uses UDP 1985 port to send Hello message to multicast address
  2. VRRP Security: VRRP protocol includes three main authentication methods: no authentication, simple plaintext password and strong authentication using MD5 HMAC IP authentication. The strong authentication method uses the IP authentication header (AH) protocol. AH is the same protocol used in IPSEC. AH provides a method for authenticating the contents and packet headers in VRRP packets. The use of MD5 HMAC indicates that a shared key is used to generate hash values. The router sends a VRRP packet to generate an MD5 hash value, and puts it in the notification to be sent. When receiving, the receiver uses the same key and MD5 value to recalculate the hash value of the packet content and packet header. If the results are the same, the message really comes from a trusted host. If not, it must be discarded, which can prevent attackers from sending notification messages that can affect the selection process or other methods to interrupt the network by accessing the LAN.

In addition, VRRP includes a mechanism to protect VRRP packets from being added by another remote network (set TTL value =255 and check when accepting), which limits most defects that can be attacked locally. On the other hand, HSRP uses a TTL value of 1 in its messages.

  1. Crash interval of VRRP: 3 * notification interval + skew-time

ccnp 9tut



Please enter your comment!
Please enter your name here