
HSRP md5 auth migration

dominic.caron
Level 5

Hi,

My HSRP is configured with no authentication. When I turn on md5 on the first router, how will the network behave? I will have a router with md5 and one with no authentication for a few seconds. Will they both try to be the gateway?

4 Replies

Mark Yeates
Level 7

Dominic,

Yes there could be a state change. I would recommend adjusting the timers while you configure authentication on HSRP to ensure that doesn't happen.

The active router should have its key string changed no later than one holdtime period, specified by the "standby timers" command, after the non-active routers.

HTH,

Mark

You could make your changes on the standby first, and then go to the active router. Should be fine.

HTH,

John


John

This would be worth testing because once you modify the standby then the standby and the active would not be able to exchange hellos and so the standby could go active assuming the primary has gone down. Not saying it would but would be worth testing.

There is a timeout option on the md5 authentication command which specifies how long before you use the new key, so I was wondering if you could give yourself a large enough timeout to configure both. But this may be to do with changing keys once md5 auth is in place rather than initially setting it up.

Jon

Hello Jon,

You mean using a key chain so that you can use lifetime and you can then deploy a new key.

A suggestion can be that of using the key chain from the beginning so that you will be able to change the key in the future with less effort.

But the first time you will face a transition in which the two routers will not accept messages from the other one.

(EIGRP experience ...)

See

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gthsrpau.html#wp1066832

The routers need to be NTP synchronized but again this has to be tested.

Hope to help

Giuseppe
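The ordering discussed in this thread (longer timers, non-active router first, active router within one hold time), written out as an added IOS configuration example that is not from any of the posters. The group number, interface name, timer values and key placeholders are assumptions, and the sequence should be lab-tested before production use, as the replies suggest.

```cisco
! Constructed example: group 1, GigabitEthernet0/0, the timer values and the
! <...> key placeholders are assumptions, not values from the thread.
!
! Step 1, on both routers: lengthen the hold time for the change window
! (hello 3 s, hold 60 s instead of the default 3 s / 10 s).
interface GigabitEthernet0/0
 standby 1 timers 3 60
!
! Step 2, on the standby (non-active) router first:
interface GigabitEthernet0/0
 standby 1 authentication md5 key-string <SHARED-KEY>
!
! Step 3, on the active router, no later than one hold time (60 s here)
! after step 2, so the standby does not time out the active router:
interface GigabitEthernet0/0
 standby 1 authentication md5 key-string <SHARED-KEY>
!
! Step 4, on both routers: check from exec mode that exactly one router is
! Active and the other Standby ("show standby brief"), then restore the
! default timers.
interface GigabitEthernet0/0
 no standby 1 timers
!
! Later key change once MD5 is in place: the timeout keyword is the number
! of seconds during which digests based on the old key are still accepted.
interface GigabitEthernet0/0
 standby 1 authentication md5 key-string <NEW-SHARED-KEY> timeout 60
```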
