- Configuring GLBP
- HSRP Version 2
- FHRP—HSRP BFD Peering
- FHRP - HSRP Group Shutdown
- FHRP - HSRP MIB
- HSRP MD5 Authentication
- HSRP Support for ICMP Redirects
- HSRP Support for MPLS VPNs
- FHRP - HSRP Multiple Group Optimization
- Configuring IRDP
- Configuring VRRP
- VRRPv3 Protocol Support
- VRRPv3: Object Tracking Integration
HSRP MD5 Authentication
- Finding Feature Information
- Information About HSRP MD5 Authentication
- How to Configure HSRP MD5 Authentication
- Configuration Examples for HSRP MD5 Authentication
- Additional References
- Feature Information for HSRP MD5 Authentication
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About HSRP MD5 Authentication
HSRP Text Authentication
HSRP ignores unauthenticated HSRP protocol messages. The default authentication type is text authentication.
HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Device A has a priority of 120 and is the active device. If a host sends spoof HSRP hello packets with a priority of 130, then Device A stops being the active device. If Device A has authentication configured such that the spoof HSRP hello packets are ignored, Device A will remain the active device
HSRP packets will be rejected in any of the following cases:
HSRP MD5 Authentication
Before the introduction of HSRP MD5 authentication, HSRP authenticated protocol packets with a simple plain text string. HSRP MD5 authentication is an enhancement to generate an MD5 digest for the HSRP portion of the multicast HSRP protocol packet. This functionality provides added security and protects against the threat from HSRP-spoofing software.
MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5 authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash that is part of the outgoing packet. A keyed hash of an incoming packet is generated and if the hash within the incoming packet does not match the generated hash, the packet is ignored.
The key for the MD5 hash can be either given directly in the configuration using a key string or supplied indirectly through a key chain.
HSRP has two authentication schemes:
HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Device A has a priority of 120 and is the active device. If a host sends spoof HSRP hello packets with a priority of 130, then Device A stops being the active device. If Device A has authentication configured such that the spoof HSRP hello packets are ignored, Device A will remain the active device.
HSRP packets will be rejected in any of the following cases:
How to Configure HSRP MD5 Authentication
- Configuring HSRP MD5 Authentication Using a Key Chain
- Troubleshooting HSRP MD5 Authentication
- Configuring HSRP Text Authentication
Configuring HSRP MD5 Authentication Using a Key Chain
Perform this task to configure HSRP MD5 authentication using a key chain. Key chains allow a different key string to be used at different times according to the key chain configuration. HSRP will query the appropriate key chain to obtain the current live key and key ID for the specified key chain.
1.
enable
2.
configure
terminal
3.
key
chain
name-of-chain
4.
key
key-id
5.
key-string
string
6.
exit
7.
exit
8.
interface
type
number
9.
ip
address
ip-address
mask [secondary]
10.
standby [group-number]
priority
priority
11.
standby [group-number]
preempt [delay {minimum |
reload |
sync}
seconds]
12.
standby [group-number]
authentication
md5
key-chain
key-chain-name
13.
standby [group-number]
ip [ip-address [secondary]]
14. Repeat Steps 1 through 12 on each device that will communicate.
15.
end
16.
show
standby
DETAILED STEPS
Troubleshooting HSRP MD5 Authentication
Perform this task if HSRP MD5 authentication is not operating correctly.
1.
enable
2.
debug
standby
errors
DETAILED STEPS
Command or Action | Purpose |
---|
Examples
In the following example, Device A has MD5 text string authentication configured, but Device B has the default text authentication:
Device# debug standby errors A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd but no tlv B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth failed
In the following example, both Device A and Device B have different MD5 authentication strings:
Device# debug standby errors A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth failed B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth failed
Configuring HSRP Text Authentication
1.
enable
2.
configure
terminal
3.
interface
type
number
4.
ip
address
ip-address
mask [secondary]
5.
standby [group-number]
priority
priority
6.
standby [group-number]
preempt [delay {minimum |
reload |
sync}
seconds]
7.
standby [group-number]
authentication
text
string
8.
standby [group-number]
ip [ip-address [secondary]]
9. Repeat Steps 1 through 8 on each device that will communicate.
10.
end
11.
show
standby
DETAILED STEPS
Configuration Examples for HSRP MD5 Authentication
- Example: Configuring HSRP MD5 Authentication Using Key Strings
- Example: Configuring HSRP MD5 Authentication Using Key Chains
- Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains
- Example: Configuring HSRP Text Authentication
Example: Configuring HSRP MD5 Authentication Using Key Strings
Device(config)# interface GigabitEthernet 0/0/0 Device(config-if)# standby 1 priority 110 Device(config-if)# standby 1 preempt Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab timeout 30 Device(config-if)# standby 1 ip 10.21.0.10
Example: Configuring HSRP MD5 Authentication Using Key Chains
In the following example, HSRP queries the key chain “hsrp1” to obtain the current live key and key ID for the specified key chain:
Device(config)# key chain hsrp1 Device(config-keychain)# key 1 Device(config-keychain-key)# key-string 54321098452103ab Device(config-keychain-key)# exit Device(config)# interface GigabitEthernet 0/0/0 Device(config-if)# standby 1 priority 110 Device(config-if)# standby 1 preempt Device(config-if)# standby 1 authentication md5 key-chain hsrp1 Device(config-if)# standby 1 ip 10.21.0.10
Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains
The key ID for key-string authentication is always zero. If a key chain is configured with a key ID of zero, then the following configuration will work:
Device 1
Device(config)# key chain hsrp1 Device(config-keychain)# key 0 Device(config-keychain-key)# key-string 54321098452103ab Device(config-keychain-key)# exit Device(config)# interface GigabitEthernet 0/0/0 Device(config-if)# standby 1 authentication md5 key-chain hsrp1 Device(config-if)# standby 1 ip 10.21.0.10
Device 2
Device(config)# interface GigabitEthernet 0/0/0 Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab Device(config-if)# standby 1 ip 10.21.0.10
Example: Configuring HSRP Text Authentication
Device(config)# interface GigabitEthernet 0/0/0 Device(config-if)# standby 1 priority 110 Device(config-if)# standby 1 preempt Device(config-if)# standby 1 authentication text company2 Device(config-if)# standby 1 ip 10.21.0.10
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
HSRP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples |
Cisco IOS First Hop redundancy Protocols Command Reference |
HSRP for IPv6 |
“HSRP for IPv6” module |
Troubleshooting HSRP |
Standards
Standards |
Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
-- |
MIBs
MIBs |
MIBs Link |
---|---|
CISCO-HSRP-MIB CISCO-HSRP-EXT-MIB |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFCs |
Title |
---|---|
RFC 792 |
Internet Control Message Protocol |
RFC 1828 |
IP Authentication Using Keyed MD5 |
RFC 2281 |
Cisco Hot Standby Router Protocol |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for HSRP MD5 Authentication
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
---|---|---|
HSRP MD5 Authentication |
12.2(25)S 12.2(33)SRA 12.2(33)SXH 12.2(50)SY 12.3(2)T 15.0(1)S 15.0(1)SY Cisco IOS XE Release 2.1 Cisco IOS XE 3.1.0SG Cisco IOS XE Release 3.9S |
Prior to the introduction of the HSRP MD5 Authentication feature, HSRP authenticated protocol packets with a simple plain text string. The HSRP MD5 Authentication feature is an enhancement to generate an MD5 digest for the HSRP portion of the multicast HSRP protocol packet. This feature provides added security and protects against the threat from HSRP-spoofing software. The following commands were introduced or modified by this feature: show standby, standby authentication. |