12-21-2005 01:43 PM - edited 03-03-2019 01:12 AM
Hi,
When putting a sniffer in our LAN "user division subnet", I saw the HSRP password authentication.
Is there anything to do in our router to prevent this "not seeing the password authentication"?
We use Catalyst 6500 with SUP2 running IOS 12.1.20.
Thanks
# sh run interface vlan xxxx
description JT2nd Remote Silo servers
ip address 10.206.14.252 255.255.254.0
standby 206 ip 10.206.14.1
standby 206 priority 254
standby 206 preempt
standby 206 authentication xxxxxxx
12-21-2005 09:41 PM
Hello
You have applied a clear text authentication, which allows users to sniff the passwords. Use MD5 authentication for maximum security. You need to have your IOS support this feature.
standby 206 authentication md5 key-string xxxxxx timeout 10
You can have more info about this in the following URL:
Hope this helps. All the best. Rate replies if found useful.
Raj
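An added example, not part of the thread and not Cisco code: a small Python audit that reads an IOS running-config and reports which HSRP groups still send their authentication string in clear text, the condition the reply above describes. The sample config, its addresses and its strings are constructed; a group with no authentication line is reported as "default" on the assumption that HSRP then sends its well-known default string (RFC 2281), also in clear text.

```python
import re

# Constructed sample config (documentation addresses, made-up strings).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.252 255.255.255.0
 standby 10 ip 192.0.2.1
 standby 10 priority 254
 standby 10 authentication examplepw
!
interface Vlan20
 ip address 198.51.100.252 255.255.255.0
 standby 20 authentication md5 key-string examplekey timeout 10
 standby 20 ip 198.51.100.1
!
interface Vlan30
 ip address 203.0.113.252 255.255.255.0
 standby version 2
 standby ip 203.0.113.1
"""

# "standby [group] <keyword> [arguments]"; the group number is optional.
STANDBY = re.compile(r"^\s*standby\s+(?:(\d+)\s+)?(\S+)(?:\s+(.*))?$")

def audit_hsrp(config):
    """Return {(interface, group): 'md5' | 'plaintext' | 'default'}."""
    modes, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = STANDBY.match(line)
        if not (iface and m):
            continue
        key = (iface, int(m.group(1) or 0))   # omitted group number means group 0
        keyword, args = m.group(2), (m.group(3) or "").split()
        if keyword == "ip":
            # Group is active; keep any auth mode already seen for it.
            modes.setdefault(key, "default")
        elif keyword == "authentication":
            # Anything other than the md5 form is a text string sent as-is.
            modes[key] = "md5" if args[:1] == ["md5"] else "plaintext"
    return modes

def findings(config):
    """Groups whose authentication string is readable on the wire."""
    return sorted(k for k, mode in audit_hsrp(config).items() if mode != "md5")

if __name__ == "__main__":
    for iface, group in findings(SAMPLE_CONFIG):
        print(f"{iface} group {group}: HSRP authentication is not MD5")
```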
12-22-2005 07:52 AM
Thanks. This feature is available in 12.2(25). We are running 12.1.20.
What I am looking for is the same thing that we implement in OSPF, "passive interface", so that the user subnet cannot see this traffic.
Thanks
12-22-2005 08:29 AM
Tayeb
What the passive-interface does for OSPF is to suppress sending OSPF packets out that interface but allows advertising the subnet of that interface out the other OSPF interfaces. It is appropriate to apply passive-interface on interfaces for which there is no OSPF device with which you need to communicate.
There is not an exactly equivalent command for HSRP. If there were a command that suppressed sending the HSRP packets then HSRP could not work. If you are really concerned about this, then it becomes a motivator to upgrade the code to something that supports more secure authentication.
HTH
Rick