Increasing HSRP Security

Problem

You want to increase the Security of HSRP between two (or more) routers.

Solution

You can configure HSRP to use password authentication with the following commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface FastEthernet 0/1
Router1(config-if)#standby 1 ip 172.22.1.1 
Router1(config-if)#standby 1 priority 120
Router1(config-if)#standby 1 authentication OREILLY
Router1(config-if)#exit
Router1(config)#end
Router1#

You must configure the same authentication password on all routers within the same HSRP group or the conflicts will prevent HSRP from working:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface FastEthernet 1/0
Router2(config-if)#standby 1 ip 172.22.1.1 
Router2(config-if)#standby 1 priority 110
Router2(config-if)#standby 1 authentication OREILLY
Router2(config-if)#exit
Router2(config)#end
Router2#

Beginning with IOS Version 12.3(2)T, Cisco introduced support for MD5-encrypted passwords. To configure strong MD5-encrypted passwords, use the following commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#interface FastEthernet0/1                         
Router1(config-if)#standby 1 ip 10.1.1.1                          
Router1(config-if)#standby 1 priority 200                         
Router1(config-if)#standby 1 authentication md5 key-string OREILLY
Router1(config-if)#end
Router1#

You must also configure the same password and encryption ...

Get Cisco IOS Cookbook, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.