From: Brian Dennis (brian@5g.net)
Date: Mon Sep 09 2002 - 10:11:14 GMT-3
Also remember that HSRP authentication just prevents other routers from
learning the standby IP address and the standby timers. HSRP
authentication does not prevent other routers without the correct
"authentication string" from becoming the active router. HSRP
authentication is very weak (as you can see ;) and if you need to really
"secure" HSRP, use an access-list to limit who can send you HSRP
packets.
Brian Dennis, CCIE #2210 (R&S/ISP Dial)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Colin Barber
Sent: Monday, September 09, 2002 1:17 AM
To: 'Volkov, Dmitry (Toronto - BCE)'; 'ccielab@groupstudy.com'
Subject: RE: HSRP authentication FUN
Yes, the default password is cisco.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550scg/swhsrp.htm#xtocid203077
from the link:
(Optional) authentication string-Enter a string to be carried in all HSRP
messages. The authentication string can be up to eight characters in length;
the default string is cisco.
Colin
-----Original Message-----
From: Volkov, Dmitry (Toronto - BCE) [mailto:dmitry_volkov@ca.ml.com]
Sent: 08 September 2002 22:54
To: 'ccielab@groupstudy.com'
Subject: HSRP authentication FUN
Hi,
Maybe many of you guys know that, but it took me a while until I got it:
by default HSRP uses authentication word 'cisco'.
I put: standby 1 authentication 'cisco' on one router and no standby auth
on the other one:
HSRP was working! I put another word: ccie instead of cisco and standby
group was broken:
06:53:21: %STANDBY-3-BADAUTH: Bad authentication from 170.240.8.1, group 1, remote state Active
I put sniffer and found that both routers with hsrp auth enabled and without
one exchange hellos with word 'cisco' in auth field of hello packet. So they
are authenticated by default without "standby authentication" command :)
Dmitry
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:47 GMT-3
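
Added example, not part of the original thread or of any poster's code: a small Python audit of captured HSRP version 1 hellos (field layout per RFC 2281) that reports groups still carrying the default string seen in the sniffer trace and hellos from senders outside an expected peer list, the same restriction the access-list advice enforces. The sample payload, the peer list and every address other than 170.240.8.1 are constructed for illustration.

```python
import ipaddress
import struct

# HSRP version 1 payload (RFC 2281), carried over UDP port 1985:
# version, opcode, state, hellotime, holdtime, priority, group, reserved,
# then 8 bytes of authentication data and the 4-byte virtual IP address.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = "cisco"


def parse_hsrp(payload: bytes) -> dict:
    """Decode the UDP payload of one HSRPv1 message."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("short HSRP payload: %d bytes" % len(payload))
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:  # RFC 2281 messages carry 0 in the version field
        raise ValueError("unexpected HSRP version field %d" % ver)
    return {
        "opcode": OPCODES.get(op, "unknown(%d)" % op),
        "state": STATES.get(state, "unknown(%d)" % state),
        "hello": hello, "hold": hold, "priority": prio, "group": group,
        # The string travels in clear text, NUL-padded to 8 bytes.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "vip": str(ipaddress.IPv4Address(vip)),
    }


def audit(src_ip: str, payload: bytes, allowed_peers: set) -> list:
    """Return findings for one captured HSRP message from src_ip."""
    msg = parse_hsrp(payload)
    findings = []
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("group %d uses the default authentication string" % msg["group"])
    if src_ip not in allowed_peers:
        findings.append("%s from unexpected sender %s (state %s, priority %d)"
                        % (msg["opcode"], src_ip, msg["state"], msg["priority"]))
    return findings


# Constructed sample: an Active hello for group 1 with no string configured.
SAMPLE_HELLO = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + b"cisco\x00\x00\x00" + bytes([170, 240, 8, 254])
ALLOWED = {"170.240.8.1", "170.240.8.2"}  # assumed legitimate HSRP peers (constructed)

if __name__ == "__main__":
    print(audit("170.240.8.1", SAMPLE_HELLO, ALLOWED))
    print(audit("170.240.8.77", SAMPLE_HELLO, ALLOWED))
```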