Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

HSRP md5 auth migration


My HSRP is configure with no authentification. When I turn on md5 on the first router, how will the network behave. I will have a router with md5 and one with no authentication ofr a few second. Will they both try to be the gateway?


Re: HSRP md5 auth migration


Yes there could be a state change. I would recommend adjusting the timers while you configure authentication on HSRP to ensure that doesn't happen.

The active router should have its key string changed no later than one holdtime period, specified by the "standby timers" command, after the non-active routers.



Re: HSRP md5 auth migration

You could make your changes on the standby first, and then go to the active router. Should be fine.



HTH, John *** Please rate all useful posts ***
Hall of Fame Super Blue

Re: HSRP md5 auth migration


This would be worth testing because once you modify the standby then the standby and the active would not be able to exchange hellos and so the standby could go active assuming the primary has gone down. Not saying it would but would be worth testing.

There is a timeout option on the md5 authentication command which specifies how long before you use the new key so i was wondering if you could give yourself a large enough timeout to configure both. But this may be to do with changing keys once md5 auth is in place rather than initially setting it up.


Hall of Fame Super Silver

Re: HSRP md5 auth migration

Hello Jon,

you mean using a key chain so that you can use lifetime and you can then deploy a new key.

A suggestion can be that of using the key chain from the beginning so that you will be able to change the key in the future with less effort.

But first time you will face a transition in which the two routers will not accept messages from the other one.

(EIGRP experience ...)


the routers need to be NTP synchronized but again this has to be tested.

Hope to help