Published On: August 6th, 2019 02:05

First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE Release 3S

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About HSRP MD5 Authentication

HSRP Text Authentication

HSRP ignores unauthenticated HSRP protocol messages. The default authentication type is text authentication.

HSRP authentication protects against forged HSRP hello packets causing a denial-of-service attack. For example, Device A has a priority of 120 and is the active device. If a host sends spoofed HSRP hello packets with a priority of 130, Device A stops being the active device. If Device A has authentication configured such that the spoofed HSRP hello packets are ignored, Device A remains the active device.

HSRP packets will be rejected in any of the following cases:

  • The authentication schemes differ on the device and in the incoming packets.

  • Text authentication strings differ on the device and in the incoming packet.

HSRP MD5 Authentication

Before the introduction of HSRP MD5 authentication, HSRP authenticated protocol packets with a simple plain text string. HSRP MD5 authentication is an enhancement to generate an MD5 digest for the HSRP portion of the multicast HSRP protocol packet. This functionality provides added security and protects against the threat from HSRP-spoofing software.

MD5 authentication provides greater security than the plain text authentication scheme. The plain text string is carried unencrypted in every HSRP packet, so anyone who can capture hellos on the segment can read it and reuse it in forged packets. MD5 authentication instead lets each HSRP group member use a shared secret key to generate a keyed MD5 hash that is carried in the outgoing packet. The receiver generates the keyed hash of each incoming packet and, if the hash in the packet does not match the generated hash, ignores the packet.

The key for the MD5 hash can be either given directly in the configuration using a key string or supplied indirectly through a key chain.

HSRP has two authentication schemes:

  • Plain text authentication

  • MD5 authentication


HSRP packets will be rejected in any of the following cases:

  • The authentication schemes differ on the device and in the incoming packets.

  • MD5 digests differ on the device and in the incoming packet.

  • Text authentication strings differ on the device and in the incoming packet.
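The behaviour described in the two sections above (the text and MD5 rejection rules, and the priority-130 takeover they guard against), as an added example that is not part of the Cisco document. The 20-byte HSRPv1 header and its 8-byte plain-text authentication field follow RFC 2281, which this module cites. Cisco's MD5 TLV encoding and digest computation are not given on this page, so the MD5 case is modelled as a keyed MD5 over the header with the plain-text field left empty; that assumption, the LocalConfig class, the function names and the sample priorities and key values are all illustrative.

```python
"""Receive-side HSRP v1 authentication check.

Added example, not Cisco code. The HSRPv1 header layout follows RFC 2281.
Cisco's MD5 TLV encoding and digest computation are not described on this
page, so the MD5 case is modelled as MD5(header || key) appended after the
header, with the plain-text field left empty: this reproduces the rejection
rules and debug wording above, not the real wire format.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth[8], virtual IP
HSRP_HDR = struct.Struct("!BBBBBBBB8s4s")
OP_HELLO, STATE_ACTIVE, DIGEST_LEN = 0, 16, 16


@dataclass
class LocalConfig:
    scheme: str              # "text" or "md5", as set with 'standby authentication'
    text: bytes = b"cisco"   # default plain-text string
    md5_key: bytes = b""     # key string, or the current live key from a key chain


def build_hello(priority: int, group: int, vip: str, *,
                text: bytes = b"cisco", md5_key: Optional[bytes] = None) -> bytes:
    """Encode a hello as a sender (legitimate peer or spoofing host) would."""
    auth = b"\x00" * 8 if md5_key is not None else text.ljust(8, b"\x00")[:8]
    hdr = HSRP_HDR.pack(0, OP_HELLO, STATE_ACTIVE, 3, 10, priority, group, 0,
                        auth, socket.inet_aton(vip))
    if md5_key is None:
        return hdr
    return hdr + hashlib.md5(hdr + md5_key).digest()   # modelled keyed digest, see docstring


def parse_hello(pkt: bytes):
    """Return (priority, group, text_auth, virtual_ip, md5_digest_or_None)."""
    if len(pkt) < HSRP_HDR.size:
        raise ValueError("short HSRP packet")
    ver, op, _st, _hello, _hold, prio, grp, _rsv, auth, vip = HSRP_HDR.unpack_from(pkt)
    if ver != 0 or op != OP_HELLO:
        raise ValueError("not an HSRPv1 hello")
    trailer = pkt[HSRP_HDR.size:]
    digest = trailer[:DIGEST_LEN] if len(trailer) >= DIGEST_LEN else None
    return prio, grp, auth.rstrip(b"\x00"), socket.inet_ntoa(vip), digest


def authenticate(pkt: bytes, cfg: LocalConfig) -> Tuple[bool, str]:
    """Apply the rejection rules listed above; reasons use the debug wording."""
    _prio, _grp, text, _vip, digest = parse_hello(pkt)
    if cfg.scheme == "md5":
        if digest is None:                       # peer uses text or no authentication
            return False, "MD5 confgd but no tlv"
        expected = hashlib.md5(pkt[:HSRP_HDR.size] + cfg.md5_key).digest()
        if not hmac.compare_digest(expected, digest):   # wrong key, or forged packet
            return False, "MD5 auth failed"
        return True, "ok"
    if text != cfg.text[:8].rstrip(b"\x00"):     # scheme or string differs
        return False, "Text auth failed"
    return True, "ok"


def process_hello(pkt: bytes, cfg: LocalConfig, local_priority: int) -> Tuple[str, str]:
    """Active router's decision: a higher-priority hello is honoured only if authentic."""
    ok, reason = authenticate(pkt, cfg)
    if not ok:
        return "remain active", reason
    prio = parse_hello(pkt)[0]
    return ("yield to peer" if prio > local_priority else "remain active"), reason


if __name__ == "__main__":
    VIP, A_PRIO = "10.21.0.10", 120              # Device A from the scenario above
    spoof = build_hello(130, 1, VIP)             # host forging a priority-130 hello
    for cfg in (LocalConfig("text"),             # default string: the forgery wins
                LocalConfig("text", b"company2"),
                LocalConfig("md5", md5_key=b"54321098452103ab")):
        print(cfg.scheme, process_hello(spoof, cfg, A_PRIO))
    sniffed = build_hello(130, 1, VIP, text=b"company2")   # string copied from a captured hello
    print("text/sniffed", process_hello(sniffed, LocalConfig("text", b"company2"), A_PRIO))
    print("md5/sniffed ", process_hello(sniffed, LocalConfig("md5", md5_key=b"54321098452103ab"), A_PRIO))
```

Run as a script it prints one decision per configuration: with the default text string the forged priority-130 hello wins; with a non-default string the forgery is rejected only until the attacker copies the string from a captured hello, after which it wins again; with MD5 configured the same captured packet fails with "MD5 confgd but no tlv", a guessed key fails with "MD5 auth failed", and only a hello built with the shared key is honoured.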

How to Configure HSRP MD5 Authentication

Configuring HSRP MD5 Authentication Using a Key Chain

Perform this task to configure HSRP MD5 authentication using a key chain. Key chains allow a different key string to be used at different times according to the key chain configuration. HSRP will query the appropriate key chain to obtain the current live key and key ID for the specified key chain.

SUMMARY STEPS

1. enable

2. configure terminal

3. key chain name-of-chain

4. key key-id

5. key-string string

6. exit

7. exit

8. interface type number

9. ip address ip-address mask [secondary]

10. standby [group-number] priority priority

11. standby [group-number] preempt [delay {minimum | reload | sync} seconds]

12. standby [group-number] authentication md5 key-chain key-chain-name

13. standby [group-number] ip [ip-address [secondary]]

14. Repeat Steps 1 through 13 on each device that will communicate.

15. end

16. show standby


DETAILED STEPS
Command or Action | Purpose
Step 1 enable


Example:
Device> enable
 

Enables privileged EXEC mode.

  • Enter your password if prompted.

 
Step 2 configure terminal


Example:
Device# configure terminal
 

Enters global configuration mode.

 
Step 3 key chain name-of-chain


Example:
Device(config)# key chain hsrp1
 

Enables authentication for routing protocols, identifies a group of authentication keys, and enters key-chain configuration mode.

 
Step 4 key key-id


Example:
Device(config-keychain)# key 100
 

Identifies an authentication key on a key chain and enters key-chain key configuration mode.

  • The value for the key-id argument must be a number.

 
Step 5 key-string string


Example:
Device(config-keychain-key)# key-string mno172
 

Specifies the authentication string for a key.

  • The value for the string argument can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a numeral.

 
Step 6 exit


Example:
Device(config-keychain-key)# exit
 

Returns to key-chain configuration mode.

 
Step 7 exit


Example:
Device(config-keychain)# exit
 

Returns to global configuration mode.

 
Step 8 interface type number


Example:
Device(config)# interface GigabitEthernet 0/0/0
 

Configures an interface type and enters interface configuration mode.

 
Step 9 ip address ip-address mask [secondary]


Example:
Device(config-if)# ip address 10.21.8.32 255.255.255.0
 

Specifies a primary or secondary IP address for an interface.

 
Step 10 standby [group-number] priority priority


Example:
Device(config-if)# standby 1 priority 110
 

Configures HSRP priority.

 
Step 11 standby [group-number] preempt [delay {minimum | reload | sync} seconds]


Example:
Device(config-if)# standby 1 preempt 
 

Configures HSRP preemption.

 
Step 12 standby [group-number] authentication md5 key-chain key-chain-name


Example:
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
 

Configures an authentication MD5 key chain for HSRP MD5 authentication.

  • The key chain name must match the name specified in Step 3.

 
Step 13 standby [group-number] ip [ip-address [secondary]]


Example:
Device(config-if)# standby 1 ip 10.21.8.12
 

Activates HSRP.

 
Step 14 Repeat Steps 1 through 13 on each device that will communicate.

 
Step 15 end


Example:
Device(config-if)# end 
 

Returns to privileged EXEC mode.

 
Step 16 show standby


Example:
Device# show standby
 

(Optional) Displays HSRP information.

  • Use this command to verify your configuration. The key string or key chain will be displayed if configured.

 

Troubleshooting HSRP MD5 Authentication

Perform this task if HSRP MD5 authentication is not operating correctly.

SUMMARY STEPS

1. enable

2. debug standby errors


DETAILED STEPS
Command or Action | Purpose
Step 1 enable


Example:
Device> enable
 

Enables privileged EXEC mode.

  • Enter your password if prompted.

 
Step 2 debug standby errors


Example:
Device# debug standby errors
 

Displays error messages related to HSRP.

  • Error messages will be displayed for each packet that fails to authenticate, so use this command with care.

 

Examples

In the following example, Device A has MD5 authentication configured (with a key string), but Device B has the default text authentication:

Device# debug standby errors

A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd but no tlv
B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth failed

In the following example, Device A and Device B are both configured for MD5 authentication but with different key strings:

Device# debug standby errors

A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth failed
B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth failed
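The two debug outputs above can be triaged mechanically. This is an added example, not a Cisco tool: it parses the message shape shown in the output, maps each failure reason to the rejection rule behind it from this module, and flags a run of "MD5 auth failed" from an address that is not a configured peer, which is the pattern a forging host on the segment produces. The first four sample lines are the page's own; the burst from 10.21.0.99, the unrelated syslog line, the known_peers list and the burst threshold are constructed for the example.

```python
"""Triage of 'debug standby errors' authentication failures.

Added example, not a Cisco tool. It parses the message shape shown above and
maps each failure reason to the rejection rule behind it; the burst from
10.21.0.99 and the trailing syslog line are constructed additions to the
page's own four lines.
"""
import re
from collections import Counter
from typing import Iterable

# Leading 'A:'/'B:' is the device label used in the output above and is optional.
AUTH_FAIL = re.compile(
    r"^(?:(?P<dev>\w+):)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+):HSRP:"
    r"(?P<intf>\S+) Grp (?P<grp>\d+) Auth failed for (?P<kind>\w+) pkt from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), (?P<reason>.+?)\s*$"
)

# Reason text -> rejection rule from this module
DIAGNOSIS = {
    "MD5 confgd but no tlv": "scheme mismatch: local side expects MD5, peer sends text or no authentication",
    "Text auth failed": "scheme mismatch (peer uses MD5) or text strings differ",
    "MD5 auth failed": "MD5 key strings/key chains differ, or the hellos are forged",
}

SAMPLE_LOG = [  # first four lines are from the page; the rest are constructed
    "A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd but no tlv",
    "B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth failed",
    "A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth failed",
    "B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth failed",
    "A:Jun 16 12:20:01.002:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.99, MD5 auth failed",
    "A:Jun 16 12:20:04.005:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.99, MD5 auth failed",
    "A:Jun 16 12:20:07.011:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.99, MD5 auth failed",
    "A:Jun 16 12:20:07.020:%SYS-5-CONFIG_I: Configured from console",   # unrelated line, skipped
]


def parse_line(line: str):
    """Return the named fields of an HSRP auth-failure line, or None for anything else."""
    m = AUTH_FAIL.match(line)
    return m.groupdict() if m else None


def triage(lines: Iterable[str], known_peers: Iterable[str] = (), burst: int = 3):
    """Count failures per (device, interface, group, source, reason) and explain each.

    A run of 'MD5 auth failed' from an address that is not a configured peer is
    the case worth escalating: a misconfigured peer fails on a known address,
    a spoofing host on a new one.
    """
    peers = set(known_peers)
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["dev"] or "-", rec["intf"], int(rec["grp"]), rec["src"], rec["reason"])] += 1
    findings = []
    for key, n in sorted(counts.items()):
        dev, intf, grp, src, reason = key
        why = DIAGNOSIS.get(reason, "unrecognised reason: " + reason)
        escalate = reason == "MD5 auth failed" and src not in peers and n >= burst
        if escalate:
            why += "; repeated failures from a non-peer address, treat as possible spoofing"
        findings.append({"device": dev, "interface": intf, "group": grp, "source": src,
                         "reason": reason, "count": n, "diagnosis": why, "escalate": escalate})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, known_peers=["10.21.0.4", "10.21.0.5"]):
        print(f"{f['device']} {f['interface']} grp {f['group']} from {f['source']} x{f['count']}: "
              f"{f['reason']} -> {f['diagnosis']}")
```

The known_peers list is the part that turns a config-drift message into a security signal: the same "MD5 auth failed" text means a key-chain rollover gap when it comes from a configured peer, and something else entirely when it comes from an address that should not be speaking HSRP on that segment.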

Configuring HSRP Text Authentication

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip address ip-address mask [secondary]

5. standby [group-number] priority priority

6. standby [group-number] preempt [delay {minimum | reload | sync} seconds]

7. standby [group-number] authentication text string

8. standby [group-number] ip [ip-address [secondary]]

9. Repeat Steps 1 through 8 on each device that will communicate.

10. end

11. show standby


DETAILED STEPS
Command or Action | Purpose
Step 1 enable


Example:
Device> enable
 

Enables privileged EXEC mode.

  • Enter your password if prompted.

 
Step 2 configure terminal


Example:
Device# configure terminal
 

Enters global configuration mode.

 
Step 3 interface type number


Example:
Device(config)# interface GigabitEthernet 0/0/0
 

Configures an interface type and enters interface configuration mode.

 
Step 4 ip address ip-address mask [secondary]


Example:
Device(config-if)# ip address 10.0.0.1 255.255.255.0
 

Specifies a primary or secondary IP address for an interface.

 
Step 5 standby [group-number] priority priority


Example:
Device(config-if)# standby 1 priority 110
 

Configures HSRP priority.

 
Step 6 standby [group-number] preempt [delay {minimum | reload | sync} seconds]


Example:
Device(config-if)# standby 1 preempt 
 

Configures HSRP preemption.

 
Step 7 standby [group-number] authentication text string


Example:
Device(config-if)# standby 1 authentication text authentication1
 

Configures an authentication string for HSRP text authentication.

  • The default string is cisco. Change it, but note that the string is sent in the clear in every HSRP packet, so it does not stop an attacker who can capture hellos on the segment.

 
Step 8 standby [group-number] ip [ip-address [secondary]]


Example:
Device(config-if)# standby 1 ip 10.0.0.3
 

Activates HSRP.

 
Step 9 Repeat Steps 1 through 8 on each device that will communicate.  


 
Step 10 end


Example:
Device(config-if)# end 
 

Returns to privileged EXEC mode.

 
Step 11 show standby


Example:
Device# show standby
 

(Optional) Displays HSRP information.

  • Use this command to verify your configuration. The key string or key chain will be displayed if configured.

 

Configuration Examples for HSRP MD5 Authentication

Example: Configuring HSRP MD5 Authentication Using Key Strings

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab timeout 30
Device(config-if)# standby 1 ip 10.21.0.10

Example: Configuring HSRP MD5 Authentication Using Key Chains

In the following example, HSRP queries the key chain “hsrp1” to obtain the current live key and key ID for the specified key chain:

Device(config)# key chain hsrp1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string 54321098452103ab
Device(config-keychain-key)# exit
Device(config-keychain)# exit
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
Device(config-if)# standby 1 ip 10.21.0.10

Example: Configuring HSRP MD5 Authentication Using Key Strings and Key Chains

The key ID for key-string authentication is always zero. If a key chain is configured with a key ID of zero, then the following configuration will work:

Device 1

Device(config)# key chain hsrp1
Device(config-keychain)# key 0
Device(config-keychain-key)# key-string 54321098452103ab
Device(config-keychain-key)# exit
Device(config-keychain)# exit
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 authentication md5 key-chain hsrp1
Device(config-if)# standby 1 ip 10.21.0.10

Device 2

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 authentication md5 key-string 54321098452103ab
Device(config-if)# standby 1 ip 10.21.0.10

Example: Configuring HSRP Text Authentication

Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# standby 1 priority 110
Device(config-if)# standby 1 preempt
Device(config-if)# standby 1 authentication text company2
Device(config-if)# standby 1 ip 10.21.0.10

Additional References

Related Documents

Cisco IOS commands: Cisco IOS Master Commands List, All Releases

HSRP commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples): Cisco IOS First Hop Redundancy Protocols Command Reference

HSRP for IPv6: "HSRP for IPv6" module

Troubleshooting HSRP: Hot Standby Router Protocol: Frequently Asked Questions

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

CISCO-HSRP-MIB, CISCO-HSRP-EXT-MIB: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator at http://www.cisco.com/go/mibs

RFCs

RFC 792: Internet Control Message Protocol

RFC 1828: IP Authentication Using Keyed MD5

RFC 2281: Cisco Hot Standby Router Protocol

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. http://www.cisco.com/cisco/web/support/index.html

Feature Information for HSRP MD5 Authentication

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for HSRP MD5 Authentication

Feature Name: HSRP MD5 Authentication

Releases: 12.2(25)S, 12.2(33)SRA, 12.2(33)SXH, 12.2(50)SY, 12.3(2)T, 15.0(1)S, 15.0(1)SY, Cisco IOS XE Release 2.1, Cisco IOS XE 3.1.0SG, Cisco IOS XE Release 3.9S

Feature Information: Prior to the introduction of the HSRP MD5 Authentication feature, HSRP authenticated protocol packets with a simple plain text string. The HSRP MD5 Authentication feature is an enhancement to generate an MD5 digest for the HSRP portion of the multicast HSRP protocol packet. This feature provides added security and protects against the threat from HSRP-spoofing software. The following commands were introduced or modified by this feature: show standby, standby authentication.