Configuration Guide Vol. 2


15.1.4 Authenticating ADVERTISEMENT packets

Advertisement packets are sent to the multicast destination address (224.0.0.18 for IPv4 and ff02::12 for IPv6) in the link-local scope. To prevent remote attacks from beyond the routers, virtual routers accept only packets whose IP header has a TTL or hop limit of 255. The Switch also supports VRRP advertisement packet authentication that uses text passwords. When you assign a password of eight or fewer characters to each virtual router, the virtual routers discard advertisement packets whose passwords do not match. The following figure shows the result when the passwords do not match.

Figure 15-5: Password mismatch

In this example, the password of switch B differs from that of switches A and C. Therefore, when switch A or C receives an advertisement packet from switch B, it discards the packet. Here, switch C receives and processes only the advertisement packets from switch A. This functionality prevents an illegally installed virtual router from operating, because its advertisement packets fail authentication.
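
The two acceptance checks described in this section (TTL of 255, then the text password), replayed from switch C's point of view in Figure 15-5. This is an added example, not code from the guide or the Switch: it assumes the IPv4 VRRPv2 advertisement layout of RFC 2338 (8-byte header, IP addresses, 8-byte authentication data, auth type 1 for a text password), skips checksum verification, and uses constructed addresses and passwords.

```python
import hmac
import struct

VRRP_TTL = 255          # required TTL / hop limit (from the text above)
AUTH_SIMPLE_TEXT = 1    # RFC 2338 auth type for a text password (assumed layout)


def build_advert(vrid, priority, addrs, password):
    """Construct a VRRPv2 advertisement body (checksum left as 0, not verified)."""
    pw = password.encode("ascii")
    if len(pw) > 8:
        raise ValueError("password must be eight or fewer characters")
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs),
                       AUTH_SIMPLE_TEXT, 1, 0)
    ips = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    return head + ips + pw.ljust(8, b"\x00")   # auth data is NUL-padded to 8 bytes


def check_advert(ttl, payload, local_password):
    """Return (accepted, reason) for a received advertisement."""
    if ttl != VRRP_TTL:
        return False, "ttl"            # packet has crossed a router: discard
    if len(payload) < 8:
        return False, "truncated"
    ver_type, _vrid, _prio, count, auth_type, _adv, _csum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if ver_type != 0x21:               # version 2, type 1 (ADVERTISEMENT)
        return False, "version/type"
    if len(payload) != 8 + 4 * count + 8:
        return False, "length"
    if auth_type != AUTH_SIMPLE_TEXT:
        return False, "auth type"
    expected = local_password.encode("ascii").ljust(8, b"\x00")
    if not hmac.compare_digest(payload[-8:], expected):
        return False, "password"       # the mismatch case of Figure 15-5
    return True, "ok"


def figure_15_5():
    """Switch C's view: A shares C's password, B does not (constructed values)."""
    from_a = build_advert(1, 100, ["192.0.2.1"], "vrrpkey1")
    from_b = build_advert(1, 120, ["192.0.2.1"], "other")
    return {
        "A": check_advert(255, from_a, "vrrpkey1"),
        "B": check_advert(255, from_b, "vrrpkey1"),
        "A via router": check_advert(254, from_a, "vrrpkey1"),
    }
```

In this layout the password travels unencrypted in the last eight bytes of every advertisement, so the check screens out misconfigured or unexpectedly attached routers rather than a host that can capture traffic on the same segment.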