RE: HSRP Authentication

From: Jonathan V Hays (jhays@jtan.com)
Date: Sun Nov 16 2003 - 22:40:01 GMT-3


>-----Original Message-----
>From: Scott Morris [mailto:swm@emanon.com]
>Sent: Sunday, November 16, 2003 1:23 PM
>To: 'Jonathan V Hays'; 'k c'; ccielab@groupstudy.com
>Subject: RE: HSRP Authentication
>
>I believe it's actually the default password. And no default commands
>show up in the config... I seem to recall hearing this someplace. Go
>figure. :)
>
>Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
>CISSP, JNCIS, et al.
>IPExpert CCIE Program Manager
>IPExpert Sr. Technical Instructor
>swm@emanon.com/smorris@ipexpert.net
>http://www.ipexpert.net
>
###########
After I extract my foot from my mouth, let me throw some data at the
problem.

R1a is a 3620 running 12.2(17). The authentication is hidden here, both
in the "sh run" and the "sh standby" output.
###########
R1a#sh ver | i IOS
IOS (tm) 3600 Software (C3620-JK9O3S-M), Version 12.2(17), RELEASE
SOFTWARE (fc3)
R1a#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1a(config)#int e1/0
R1a(config-if)#standby 1 ip 172.16.11.254
R1a(config-if)#standby 1 authentication cisco
R1a(config-if)#end
R1a#s
*Mar 3 10:10:29.989: %SYS-5-CONFIG_I: Configured from console by
console
R1a#sh run int e1/0
Building configuration...

Current configuration : 147 bytes
!
interface Ethernet1/0
 description Link to R1b. Use VLAN 11.
 ip address 172.16.11.1 255.255.255.0
 half-duplex
 standby 1 ip 172.16.11.254
end

R1a#sh standby
Ethernet1/0 - Group 1
  Local state is Standby, priority 100
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 0.092
  Virtual IP address is 172.16.11.254 configured
  Active router is 172.16.11.2, priority 100 expires in 9.564
  Standby router is local
  4 state changes, last state change 00:05:59
  IP redundancy name is "hsrp-Et1/0-1" (default)
R1a#
###########
R1b is a 1750 running 12.2(8)T8 and the authentication string shows up
in both "sh run" and "sh standby". See below. At the very least, we can
conclude that the visibility of "cisco" as used for an HSRP password is
platform and/or version dependent. But I'm not done yet. Let's test it.
###########
R1b#sh ver | i IOS
IOS (tm) C1700 Software (C1700-K9O3SV3Y7-M), Version 12.2(8)T8, RELEASE
SOFTWARE (fc1)
R1b#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1b(config)#int fa0
R1b(config-if)#standby 1 ip 172.16.11.254
R1b(config-if)#standby 1 authentication cisco
R1b(config-if)#end
R1b#sh
*Mar 3 10:09:23.977: %SYS-5-CONFIG_I: Configured from console by
console
R1b#sh run int fa0
Building configuration...

Current configuration : 180 bytes
!
interface FastEthernet0
 description Link to R1a. Use VLAN 11.
 ip address 172.16.11.2 255.255.255.0
 speed auto
 standby 1 ip 172.16.11.254
 standby 1 authentication cisco
end

R1b#sh standby
FastEthernet0 - Group 1
  State is Active
    2 state changes, last state change 00:08:12
  Virtual IP address is 172.16.11.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.564 secs
  Authentication text "cisco"
  Preemption disabled
  Active router is local
  Standby router is 172.16.11.1, priority 100 (expires in 7.192 sec)
  Priority 100 (default 100)
R1b#
###########
Since the sneaky little devil is hiding somewhere, the question now
becomes: is it really working or not? I changed the password on the
"invisible side" and turned on "debug standby events." See below.
###########
R1a(config-if)#standby 1 authentication asdf
R1a(config-if)#end
R1a(config-if)#end
*Mar 3 10:21:09.673: %SYS-5-CONFIG_I: Configured from console by
console
R1a#sh stan brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Et1/0       1   100    Active   local           unknown         172.16.11.254
R1a#debug standby events
HSRP Events debugging is on
R1a#
*Mar 3 10:22:30.853: %STANDBY-3-BADAUTH: Bad authentication from
172.16.11.2, group 1, remote state Active
R1a#
*Mar 3 10:23:00.853: %STANDBY-3-BADAUTH: Bad authentication from
172.16.11.2, group 1, remote state Active
R1a#
*Mar 3 10:23:04.857: SB: Et1/0 Remove passive hash 172.16.11.2
(expired)
R1a#
*Mar 3 10:23:30.853: %STANDBY-3-BADAUTH: Bad authentication from
172.16.11.2, group 1, remote state Active
R1a#
*Mar 3 10:24:00.853: %STANDBY-3-BADAUTH: Bad authentication from
172.16.11.2, group 1, remote state Active
###########
Next, I changed it back to "cisco".
###########
R1a#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1a(config)#int e1/0
R1a(config-if)#standby 1 authentication cisco
R1a(config-if)#
*Mar 3 10:24:24.853: SB1: Et1/0 Hello in 172.16.11.2 Active pri 100
ip 172.16.11.254
*Mar 3 10:24:24.853: SB1: Et1/0 Active router is 172.16.11.2, was local
*Mar 3 10:24:24.853: SB: Et1/0 Remove active hash 172.16.11.1 (vIP
172.16.11.254)
*Mar 3 10:24:24.853: SB: Et1/0 Add active hash 172.16.11.2 (vIP
172.16.11.254)
*Mar 3 10:24:24.853: SB1: Et1/0 Active: g/Hello rcvd from higher pri
Active router (100/172.16.11.2)
*Mar 3 10:24:24.853: SB1: Et1/0 Active -> Speak
*Mar 3 10:24:24.853: %STANDBY-6-STATECHANGE: Ethernet1/0 Group 1 state
Active -> Speak
R1a(config-if)#
*Mar 3 10:24:24.857: SB1: Et1/0 Redundancy "hsrp-Et1/0-1" state Active
-> Speak
*Mar 3 10:24:24.857: SB: Et1/0 Redirect adv start
R1a(config-if)#end
R1a#
*Mar 3 10:24:27.661: %SYS-5-CONFIG_I: Configured from console by
console
R1a#
*Mar 3 10:24:34.853: SB1: Et1/0 Speak: d/Standby timer expired
(unknown)
*Mar 3 10:24:34.853: SB1: Et1/0 Standby router is local
*Mar 3 10:24:34.853: SB1: Et1/0 Speak -> Standby
*Mar 3 10:24:34.853: SB1: Et1/0 Redundancy "hsrp-Et1/0-1" state Speak
-> Standby
R1a#u all
All possible debugging has been turned off
R1a#sh stan br
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active addr     Standby addr    Group addr
Et1/0       1   100    Standby  172.16.11.2     local           172.16.11.254
R1a#
###########
You can see the "Bad authentication" messages every 30 seconds and the
"sh standby brief" output, which indicates the two HSRP neighbors are
having a spat. ;) After I put the "invisible" password of "cisco" back,
everything starts working.

I guess I'm convinced.

Jonathan
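Added example, not code from the thread or from Cisco: a small Python model of the HSRP v1 packet (RFC 2281 layout, 20 bytes in UDP/1985) and of the receiving router's authentication check. It shows why "cisco" is the default even when nothing appears in the config (the 8-byte authentication field always carries a key, and RFC 2281 defines the default contents as "cisco" NUL-padded) and reproduces the decision behind R1a's BADAUTH messages above. The packet bytes, the source address and the syslog-style strings are constructed here, modelled on the thread's output.

```python
import struct

# HSRP v1 packet layout (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte authentication data, 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

def pad_auth(text):
    """The key as it travels on the wire: up to 8 ASCII bytes, NUL-padded.
    RFC 2281 gives the default as 63 69 73 63 6F 00 00 00, i.e. "cisco"."""
    key = text.encode("ascii")
    if len(key) > 8:
        raise ValueError("HSRP v1 authentication string is at most 8 characters")
    return key.ljust(8, b"\x00")

def build_hello(group, priority, state, vip, auth="cisco", hellotime=3, holdtime=10):
    """Constructed hello, e.g. what R1b (Active, group 1) sends every 3 seconds."""
    vip_bytes = bytes(int(o) for o in vip.split("."))
    return struct.pack(HSRP_FMT, 1, 0, state, hellotime, holdtime,
                       priority, group, 0, pad_auth(auth), vip_bytes)

def parse_hsrp(pkt):
    """Decode one packet. The auth field is returned raw (8 bytes), because the
    receiver compares the whole field, not a stripped string."""
    if len(pkt) != struct.calcsize(HSRP_FMT):
        raise ValueError("not an HSRP v1 packet: %d bytes" % len(pkt))
    ver, op, state, hello, hold, prio, group, _, auth, vip = struct.unpack(HSRP_FMT, pkt)
    return {"version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
            "auth": auth, "vip": ".".join(str(b) for b in vip)}

def check_auth(pkt, src_ip, configured="cisco"):
    """Mirror the receiving router's decision: (accepted, syslog-style line).
    A router with no 'standby authentication' line still compares against "cisco",
    which is why the mismatch only showed up once R1a was changed to "asdf"."""
    h = parse_hsrp(pkt)
    if h["auth"] != pad_auth(configured):
        return False, ("%%STANDBY-3-BADAUTH: Bad authentication from %s, group %d, "
                       "remote state %s" % (src_ip, h["group"], h["state"]))
    return True, "SB%d: Hello in %s %s pri %d ip %s" % (
        h["group"], src_ip, h["state"], h["priority"], h["vip"])

# Constructed R1b hello carrying the hidden default key, as on the thread's LAN.
R1B_HELLO = build_hello(group=1, priority=100, state=16, vip="172.16.11.254")

if __name__ == "__main__":
    for key in ("asdf", "cisco"):   # R1a's key before and after the change
        print(key, "->", check_auth(R1B_HELLO, "172.16.11.2", configured=key)[1])
```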



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:12 GMT-3