network cisco ccna gns3 certification arteq
a network runs through it

Tuesday, January 8, 2013

quote of the day, doccd...

yuck...

your doccd at work for you... it's all right there...

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4t/fhp-hsrp.html#GUID-12096984-19A9-4F90-8CB6-D8E2C66E7349


HSRP MD5 Authentication

Before the introduction of HSRP MD5 authentication, HSRP authenticated protocol packets with a simple plain text string. HSRP MD5 authentication is an enhancement to generate an MD5 digest for the HSRP portion of the multicast HSRP protocol packet. This functionality provides added security and protects against the threat from HSRP-spoofing software.
MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5 authentication allows each HSRP group member to use a secret key to generate a keyed MD5 hash that is part of the outgoing packet. A keyed hash of an incoming packet is generated and if the hash within the incoming packet does not match the generated hash, the packet is ignored.
The key for the MD5 hash can be either given directly in the configuration using a key string or supplied indirectly through a key chain.
HSRP has two authentication schemes:
  • Plain text authentication
  • MD5 authentication
HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Router A has a priority of 120 and is the active router. If a host sends spoofed HSRP hello packets with a priority of 130, then Router A stops being the active router. If Router A has authentication configured such that the spoofed HSRP hello packets are ignored, Router A will remain the active router.
HSRP packets will be rejected in any of the following cases:
  • The authentication schemes differ on the router and in the incoming packets.
  • MD5 digests differ on the router and in the incoming packet.
  • Text authentication strings differ on the router and in the incoming packet.


1.    enable
2.    configure terminal
3.    interface type number
4.    ip address ip-address mask [secondary]
5.    standby [group-number] priority priority
6.    standby [group-number] preempt [delay {minimum | reload | sync} seconds]
7.    standby [group-number] authentication md5 key-string [0 | 7] key [timeout seconds]
8.    standby [group-number] ip [ip-address] [secondary]
9.    Repeat Steps 1 through 8 on each router that will communicate.
10.    end
11.    show standby
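The steps above, carried through on a two-router lab as an added example (this is not configuration from the Cisco page or from this blog). It uses the key-chain form of step 7 rather than the inline key-string, so the secret lives in one place and can be rolled over later by adding a second key. Interface names, addresses, the key-chain name and the secret are assumptions for a GNS3 lab; Router A is the intended active router (priority 120, preempt), Router B is the standby at the default priority of 100.

```cisco
! ---- Router A: intended active router ----
key chain HSRP-KEYS
 key 1
  key-string Str0ngHsrpSecret
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 priority 120
 standby 1 preempt
 standby 1 authentication md5 key-chain HSRP-KEYS
 standby 1 ip 10.1.1.1
!
! ---- Router B: standby router (default priority 100) ----
! The key ID (1) and key-string must match Router A; the chain name itself
! is local and does not have to.
key chain HSRP-KEYS
 key 1
  key-string Str0ngHsrpSecret
!
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-chain HSRP-KEYS
 standby 1 ip 10.1.1.1
!
! Inline alternative to the key chain (step 7 as written on the page), on both routers:
!  standby 1 authentication md5 key-string 0 Str0ngHsrpSecret
! "0" means the key follows in clear text; "7" means it is already in Cisco type 7
! form, which is reversible obfuscation, not encryption.
```

Verify with `show standby` (or `show standby brief`) on both routers: A should be Active and B Standby. If the key IDs or strings do not match, each router ignores the other's hellos (the "MD5 digests differ" rejection case above), both routers go Active for the same virtual IP, and IOS logs `%HSRP-4-BADAUTH` for the peer. Note what MD5 authentication does and does not give you: hellos are still sent unencrypted to the HSRP multicast group, so anyone on the segment can read group number, priority and state; the keyed digest only stops them from injecting hellos that the routers will act on. Anyone who can read the running configuration can recover a type 7 key, so treat the key-string as a secret and keep `service password-encryption` in mind only as obfuscation.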
