HSRP md5 auth migration

Unanswered Question
Jan 15th, 2009

My HSRP is configured with no authentication. When I turn on MD5 on the first router, how will the network behave? I will have a router with MD5 and one with no authentication for a few seconds. Will they both try to be the gateway?

Mark Yeates Thu, 01/15/2009 - 12:06

Yes there could be a state change. I would recommend adjusting the timers while you configure authentication on HSRP to ensure that doesn't happen.

The active router should have its key string changed no later than one holdtime period, specified by the "standby timers" command, after the non-active routers.



John Blakley Thu, 01/15/2009 - 12:15
You could make your changes on the standby first, and then go to the active router. Should be fine.



Jon Marshall Thu, 01/15/2009 - 12:20

This would be worth testing, because once you modify the standby, the standby and the active would not be able to exchange hellos, and so the standby could go active, assuming the primary has gone down. Not saying it would, but it would be worth testing.

There is a timeout option on the md5 authentication command which specifies how long before you use the new key, so I was wondering if you could give yourself a large enough timeout to configure both. But this may be to do with changing keys once MD5 auth is in place rather than initially setting it up.


Giuseppe Larosa Thu, 01/15/2009 - 13:39

Hello Jon,

You mean using a key chain so that you can use lifetimes and then deploy a new key.

A suggestion would be to use the key chain from the beginning, so that you will be able to change the key in the future with less effort.

But the first time you will face a transition in which the two routers will not accept messages from each other.

(EIGRP experience ...)



The routers need to be NTP synchronized, but again this has to be tested.

Hope to help
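The key-chain approach Giuseppe suggests, written out as an added example (not configuration posted by anyone in this thread). The key chain name, interface, addresses, dates, NTP server and key strings are assumed placeholders; it also folds in Mark's timer adjustment and the NTP requirement from this post.

```cisco
! Added example: HSRP MD5 authentication through a key chain whose key
! lifetimes overlap, so a later key change does not interrupt hellos.
! All names, addresses, dates and key strings are constructed placeholders.
! Apply the same key chain and standby configuration on both routers.
!
! Lifetimes are evaluated against the router clock, so sync it first.
ntp server 192.0.2.10
!
key chain HSRP-KEYS
 key 1
  key-string OLD-KEY-PLACEHOLDER
  ! Keep accepting the old key for an hour after we stop sending it, so the
  ! peer can still be changed over anywhere inside that window.
  accept-lifetime 00:00:00 Jan 1 2009 01:00:00 Feb 1 2009
  send-lifetime   00:00:00 Jan 1 2009 00:00:00 Feb 1 2009
 key 2
  key-string NEW-KEY-PLACEHOLDER
  ! Start accepting the new key an hour before sending it, to absorb skew.
  accept-lifetime 23:00:00 Jan 31 2009 infinite
  send-lifetime   00:00:00 Feb 1 2009 infinite
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.1
 ! Longer hello/hold timers (per Mark's reply) widen the window in which a
 ! few missed hellos during the change do not trigger a state change.
 standby 1 timers 3 10
 standby 1 authentication md5 key-chain HSRP-KEYS
!
! Check on both routers after the change (one Active, one Standby, never both):
! show standby brief
! show key chain HSRP-KEYS
```

The overlapping lifetimes only smooth later key rotations; the initial cut-over from no authentication is still the transition the thread says has to be tested, which is why the timers are relaxed here.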


