Contents

• HSRP MD5 Authentication
• Finding Feature Information
• Information About HSRP MD5 Authentication
• HSRP Text Authentication
• HSRP MD5 Authentication
• How to Configure HSRP MD5 Authentication
• Configuring HSRP MD5 Authentication Using a Key Chain
• Troubleshooting HSRP MD5 Authentication
• Configuring HSRP Text Authentication
• Configuration Examples for HSRP MD5 Authentication
• Example: Configuring HSRP MD5 Authentication Using Key Strings
• Example: Configuring HSRP MD5 Authentication Using Key Chains
• Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains
• Example: Configuring HSRP Text Authentication
• Additional References
• Feature Information for HSRP MD5 Authentication

HSRP MD5 Authentication

---

• Finding Feature Information
• Information About HSRP MD5 Authentication
• How to Configure HSRP MD5 Authentication
• Configuration Examples for HSRP MD5 Authentication
• Additional References
• Feature Information for HSRP MD5 Authentication

Device> enable

Device# configure terminal

Device(config)# key chain hsrp1

Device(config-keychain)# key 100

Device(config-keychain-key)# key-string mno172

Device(config-keychain-key)# exit

Device(config-keychain)# exit

Device(config)# interface GigabitEthernet 0/0/0

Device(config-if)# ip address 10.21.8.32 255.255.255.0

Device(config-if)# standby 1 priority 110

Device(config-if)# standby 1 preempt 

Device(config-if)# standby 1 authentication md5 key-chain hsrp1

Device(config-if)# standby 1 ip 10.21.8.12

Device(config-if)# end 

Device# show standby

Device> enable

Device# debug standby errors

Device# debug standby errors

A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd but no tlv
B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth failed

Device# debug standby errors

A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth failed
B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth failed

Device> enable

Device# configure terminal

Device(config)# interface GigabitEthernet 0/0/0

Device(config-if)# ip address 10.0.0.1 255.255.255.0

Device(config-if)# standby 1 priority 110

Device(config-if)# standby 1 preempt 

Device(config-if)# standby 1 authentication text authentication1

Device(config-if)# standby 1 ip 10.0.0.3

Device(config-if)# end 

Device# show standby

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab timeout 30
Device(config-if)# standby 1 ip 10.21.0.10

Device(config)# key chain hsrp1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string 54321098452103ab
Device(config-keychain-key)# exit
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
Device(config-if)# standby 1 ip 10.21.0.10

Device(config)# key chain hsrp1
Device(config-keychain)# key 0
Device(config-keychain-key)# key-string 54321098452103ab
Device(config-keychain-key)# exit
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
Device(config-if)# standby 1 ip 10.21.0.10

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab
Device(config-if)# standby 1 ip 10.21.0.10

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication text company2
Device(config-if)# standby 1 ip 10.21.0.10

Contents

• HSRP MD5 Authentication
• Finding Feature Information
• Information About HSRP MD5 Authentication
• HSRP Text Authentication
• HSRP MD5 Authentication
• How to Configure HSRP MD5 Authentication
• Configuring HSRP MD5 Authentication Using a Key Chain
• Troubleshooting HSRP MD5 Authentication
• Configuring HSRP Text Authentication
• Configuration Examples for HSRP MD5 Authentication
• Example: Configuring HSRP MD5 Authentication Using Key Strings
• Example: Configuring HSRP MD5 Authentication Using Key Chains
• Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains
• Example: Configuring HSRP Text Authentication
• Additional References
• Feature Information for HSRP MD5 Authentication

HSRP MD5 Authentication

---

• Finding Feature Information
• Information About HSRP MD5 Authentication
• How to Configure HSRP MD5 Authentication
• Configuration Examples for HSRP MD5 Authentication
• Additional References
• Feature Information for HSRP MD5 Authentication

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About HSRP MD5 Authentication

• HSRP Text Authentication
• HSRP MD5 Authentication

HSRP Text Authentication

HSRP ignores unauthenticated HSRP protocol messages. The default authentication type is text authentication.

HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Device A has a priority of 120 and is the active device. If a host sends spoof HSRP hello packets with a priority of 130, then Device A stops being the active device. If Device A has authentication configured such that the spoof HSRP hello packets are ignored, Device A will remain the active device

HSRP packets will be rejected in any of the following cases:

• The authentication schemes differ on the device and in the incoming packets.

• Text authentication strings differ on the device and in the incoming packet.

HSRP MD5 Authentication

Before the introduction of HSRP MD5 authentication, HSRP authenticated protocol packets with a simple plain text string. HSRP MD5 authentication is an enhancement to generate an MD5 digest for the HSRP portion of the multicast HSRP protocol packet. This functionality provides added security and protects against the threat from HSRP-spoofing software.

MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5 authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash that is part of the outgoing packet. A keyed hash of an incoming packet is generated and if the hash within the incoming packet does not match the generated hash, the packet is ignored.

The key for the MD5 hash can be either given directly in the configuration using a key string or supplied indirectly through a key chain.

HSRP has two authentication schemes:

• Plain text authentication

• MD5 authentication

HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Device A has a priority of 120 and is the active device. If a host sends spoof HSRP hello packets with a priority of 130, then Device A stops being the active device. If Device A has authentication configured such that the spoof HSRP hello packets are ignored, Device A will remain the active device.

HSRP packets will be rejected in any of the following cases:

• The authentication schemes differ on the device and in the incoming packets.

• MD5 digests differ on the device and in the incoming packet.

• Text authentication strings differ on the device and in the incoming packet.

How to Configure HSRP MD5 Authentication

• Configuring HSRP MD5 Authentication Using a Key Chain
• Troubleshooting HSRP MD5 Authentication
• Configuring HSRP Text Authentication

Configuring HSRP MD5 Authentication Using a Key Chain

Perform this task to configure HSRP MD5 authentication using a key chain. Key chains allow a different key string to be used at different times according to the key chain configuration. HSRP will query the appropriate key chain to obtain the current live key and key ID for the specified key chain.

SUMMARY STEPS

1.    enable


2.    configure terminal


3.    key chain name-of-chain


4.    key key-id


5.    key-string string


6.    exit


7.    exit


8.    interface type number


9.    ip address ip-address mask [secondary]


10.    standby [group-number] priority priority


11.    standby [group-number] preempt [delay {minimum | reload | sync} seconds]


12.    standby [group-number] authentication md5 key-chain key-chain-name


13.    standby [group-number] ip [ip-address [secondary]]


14.    Repeat Steps 1 through 12 on each device that will communicate.

15.    end


16.    show standby

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Device# configure terminal	Enters global configuration mode.
Step 3	key chain name-of-chain Example: Device(config)# key chain hsrp1	Enables authentication for routing protocols, identifies a group of authentication keys, and enters key-chain configuration mode.
Step 4	key key-id Example: Device(config-keychain)# key 100	Identifies an authentication key on a key chain and enters key-chain key configuration mode. The value for thekey-id argument must be a number.
Step 5	key-string string Example: Device(config-keychain-key)# key-string mno172	Specifies the authentication string for a key. The value for the string argument can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a numeral
Step 6	exit Example: Device(config-keychain-key)# exit	Returns to key-chain configuration mode.
Step 7	exit Example: Device(config-keychain)# exit	Returns to global configuration mode.
Step 8	interface type number Example: Device(config)# interface GigabitEthernet 0/0/0	Configures an interface type and enters interface configuration mode.
Step 9	ip address ip-address mask [secondary] Example: Device(config-if)# ip address 10.21.8.32 255.255.255.0	Specifies a primary or secondary IP address for an interface.
Step 10	standby [group-number] priority priority Example: Device(config-if)# standby 1 priority 110	Configures HSRP priority.
Step 11	standby [group-number] preempt [delay {minimum | reload | sync} seconds] Example: Device(config-if)# standby 1 preempt	Configures HSRP preemption.
Step 12	standby [group-number] authentication md5 key-chain key-chain-name Example: Device(config-if)# standby 1 authentication md5 key-chain hsrp1	Configures an authentication MD5 key chain for HSRP MD5 authentication. The key chain name must match the name specified in Step 3.
Step 13	standby [group-number] ip [ip-address [secondary]] Example: Device(config-if)# standby 1 ip 10.21.8.12	Activates HSRP.
Step 14	Repeat Steps 1 through 12 on each device that will communicate.	—
Step 15	end Example: Device(config-if)# end	Returns to privileged EXEC mode.
Step 16	show standby Example: Device# show standby	(Optional) Displays HSRP information. Use this command to verify your configuration. The key string or key chain will be displayed if configured.

Troubleshooting HSRP MD5 Authentication

Perform this task if HSRP MD5 authentication is not operating correctly.

SUMMARY STEPS

1.    enable


2.    debug standby errors

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	debug standby errors Example: Device# debug standby errors	Displays error messages related to HSRP. Error messages will be displayed for each packet that fails to authenticate, so use this command with care.

Examples

In the following example, Device A has MD5 text string authentication configured, but Device B has the default text authentication:

Device# debug standby errors

A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd but no tlv
B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth failed

In the following example, both Device A and Device B have different MD5 authentication strings:

Device# debug standby errors

A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth failed
B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth failed

Configuring HSRP Text Authentication

SUMMARY STEPS

1.    enable


2.    configure terminal


3.    interface type number


4.    ip address ip-address mask [secondary]


5.    standby [group-number] priority priority


6.    standby [group-number] preempt [delay {minimum | reload | sync} seconds]


7.    standby [group-number] authentication text string


8.    standby [group-number] ip [ip-address [secondary]]


9.    Repeat Steps 1 through 8 on each device that will communicate.

10.    end


11.    show standby

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Device> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Device# configure terminal	Enters global configuration mode.
Step 3	interface type number Example: Device(config)# interface GigabitEthernet 0/0/0	Configures an interface type and enters interface configuration mode.
Step 4	ip address ip-address mask [secondary] Example: Device(config-if)# ip address 10.0.0.1 255.255.255.0	Specifies a primary or secondary IP address for an interface.
Step 5	standby [group-number] priority priority Example: Device(config-if)# standby 1 priority 110	Configures HSRP priority.
Step 6	standby [group-number] preempt [delay {minimum | reload | sync} seconds] Example: Device(config-if)# standby 1 preempt	Configures HSRP preemption.
Step 7	standby [group-number] authentication text string Example: Device(config-if)# standby 1 authentication text authentication1	Configures an authentication string for HSRP text authentication. The default string is cisco.
Step 8	standby [group-number] ip [ip-address [secondary]] Example: Device(config-if)# standby 1 ip 10.0.0.3	Activates HSRP.
Step 9	Repeat Steps 1 through 8 on each device that will communicate.	--
Step 10	end Example: Device(config-if)# end	Returns to privileged EXEC mode.
Step 11	show standby Example: Device# show standby	(Optional) Displays HSRP information. Use this command to verify your configuration. The key string or key chain will be displayed if configured.

Configuration Examples for HSRP MD5 Authentication

• Example: Configuring HSRP MD5 Authentication Using Key Strings
• Example: Configuring HSRP MD5 Authentication Using Key Chains
• Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains
• Example: Configuring HSRP Text Authentication

Example: Configuring HSRP MD5 Authentication Using Key Strings

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab timeout 30
Device(config-if)# standby 1 ip 10.21.0.10

Example: Configuring HSRP MD5 Authentication Using Key Chains

In the following example, HSRP queries the key chain “hsrp1” to obtain the current live key and key ID for the specified key chain:

Device(config)# key chain hsrp1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string 54321098452103ab
Device(config-keychain-key)# exit
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
Device(config-if)# standby 1 ip 10.21.0.10

Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains

The key ID for key-string authentication is always zero. If a key chain is configured with a key ID of zero, then the following configuration will work:

Device 1

Device(config)# key chain hsrp1
Device(config-keychain)# key 0
Device(config-keychain-key)# key-string 54321098452103ab
Device(config-keychain-key)# exit
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
Device(config-if)# standby 1 ip 10.21.0.10

Device 2

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab
Device(config-if)# standby 1 ip 10.21.0.10

Example: Configuring HSRP Text Authentication

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication text company2
Device(config-if)# standby 1 ip 10.21.0.10

Additional References

Related Documents

Related Topic	Document Title
Cisco IOS commands	Cisco IOS Master Commands List, All Releases
HSRP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples	Cisco IOS First Hop redundancy Protocols Command Reference
HSRP for IPv6	“HSRP for IPv6” module
Troubleshooting HSRP	Hot Standby Router Protocol: Frequently Asked Questions

Standards

Standards	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	--

MIBs

MIBs	MIBs Link
CISCO-HSRP-MIB CISCO-HSRP-EXT-MIB	To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http:/​/​www.cisco.com/​go/​mibs

RFCs

RFCs	Title
RFC 792	Internet Control Message Protocol
RFC 1828	IP Authentication Using Keyed MD5
RFC 2281	Cisco Hot Standby Router Protocol

Technical Assistance

Description	Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.	http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

Feature Information for HSRP MD5 Authentication

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Table 1 Feature Information for HSRP MD5 Authentication

Feature Name	Releases	Feature Information
HSRP MD5 Authentication	12.2(25)S 12.2(33)SRA 12.2(33)SXH 12.2(50)SY 12.3(2)T 15.0(1)S 15.0(1)SY Cisco IOS XE Release 2.1 Cisco IOS XE 3.1.0SG Cisco IOS XE Release 3.9S	Prior to the introduction of the HSRP MD5 Authentication feature, HSRP authenticated protocol packets with a simple plain text string. The HSRP MD5 Authentication feature is an enhancement to generate an MD5 digest for the HSRP portion of the multicast HSRP protocol packet. This feature provides added security and protects against the threat from HSRP-spoofing software. The following commands were introduced or modified by this feature: show standby, standby authentication.