HSRP md5 auth migration

Jan 15th, 2009

Hi,

My HSRP is configured with no authentication. When I turn on md5 on the first router, how will the network behave? I will have a router with md5 and one with no authentication for a few seconds. Will they both try to be the gateway?

Mark Yeates Thu, 01/15/2009 - 12:06

Dominic,

Yes there could be a state change. I would recommend adjusting the timers while you configure authentication on HSRP to ensure that doesn't happen.

The active router should have its key string changed no later than one holdtime period, specified by the "standby timers" command, after the non-active routers.

HTH,

Mark

John Blakley Thu, 01/15/2009 - 12:15

You could make your changes on the standby first, and then go to the active router. Should be fine.

HTH,

John

Jon Marshall Thu, 01/15/2009 - 12:20

John

This would be worth testing, because once you modify the standby, then the standby and the active would not be able to exchange hellos, and so the standby could go active, assuming the primary has gone down. Not saying it would, but it would be worth testing.

There is a timeout option on the md5 authentication command which specifies how long before you use the new key, so I was wondering if you could give yourself a large enough timeout to configure both. But this may be to do with changing keys once md5 auth is in place rather than initially setting it up.

Jon

Giuseppe Larosa Thu, 01/15/2009 - 13:39

Hello Jon,

You mean using a key chain so that you can use lifetimes and can then deploy a new key.

A suggestion can be that of using the key chain from the beginning so that you will be able to change the key in the future with less effort.

But the first time you will face a transition in which the two routers will not accept messages from the other one.

(EIGRP experience ...)

See

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gthsrpau.html#wp1066832

The routers need to be NTP synchronized, but again this has to be tested.

Hope to help

Giuseppe
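Added example, not posted by anyone in this thread: an IOS configuration of the key-chain approach Giuseppe describes, for one router of HSRP group 1. The NTP server, interface, addresses, key strings and dates are assumed placeholders; the second router carries the same key chain with its own interface address and priority.

```ios
! Added example: HSRP MD5 authentication via a key chain whose
! accept-lifetime overlaps the send-lifetime of the neighbouring key,
! so a later key change needs no flag-day cutover. Both routers get
! the same key chain; lifetimes depend on synchronized clocks.
ntp server 192.0.2.10               ! placeholder NTP source
!
key chain HSRP-KEYS
 key 1
  key-string EXAMPLE-KEY-1           ! placeholder key string
  accept-lifetime 00:00:00 Jan 1 2009 01:00:00 Feb 1 2009
  send-lifetime   00:00:00 Jan 1 2009 00:00:00 Feb 1 2009
 key 2
  key-string EXAMPLE-KEY-2           ! placeholder; sent from Feb 1 2009
  ! accepted one hour before it is sent, to absorb clock skew
  accept-lifetime 23:00:00 Jan 31 2009 infinite
  send-lifetime   00:00:00 Feb 1 2009 infinite
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0  ! placeholder router address
 standby 1 ip 192.0.2.1              ! placeholder virtual gateway
 standby 1 priority 110
 standby 1 preempt
 standby 1 timers 1 3                ! hello 1 s, hold 3 s (adjust as the thread suggests)
 standby 1 authentication md5 key-chain HSRP-KEYS
```

The initial step from no authentication to the key chain still produces the one-time transition Giuseppe mentions, since hellos without a digest are rejected once the line is applied; the overlapping lifetimes only remove that gap for subsequent key changes.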
