HSRP Default Authentication

HSRP is sort of the “default” First Hop Redundancy Protocol (FHRP) in the Cisco world. One thing that I find a bit strange is that, according to the documentation, authentication is enabled by default. If this is truly the case, I’m guessing that many people simply don’t realize it. From time to time, I run across documentation that makes this claim. Additionally, I actually found the excerpt below in an RFC.

Excerpt from RFC 2281

If no authentication data is configured, the RECOMMENDED default value is 0x63 0x69 0x73 0x63 0x6F 0x00 0x00 0x00.

So what is “0x63 0x69 0x73 0x63 0x6F 0x00 0x00 0x00”?

The easy way to answer this question would be to consult an ASCII table. However, I wanted to confirm the claims as well as confirm my understanding of the default password. To do this, I configured a pair of routers with HSRP.

R1

R1(config)#do show run int fa0/0
Building configuration...

Current configuration : 143 bytes
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 192.168.1.254
 standby 1 preempt
end

R2

R2(config-if)#do show run int fa0/0
Building configuration...

Current configuration : 221 bytes
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 192.168.1.254
 standby 1 priority 115
 standby 1 preempt
end

Next I captured some HSRP traffic in Wireshark. Below is what I found.

Capture

As can be seen in the capture, the default password seems to be “cisco”. To test this, I took it one step further and modified the configuration only on R2 to explicitly use the password “cisco”. If this created a mismatch, each router should start discarding the HSRP packets from its neighbor and both routers should go active. However, based on the RFC, the documentation and what I had now seen in Wireshark, I believed standby should continue to function normally.
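To make the RFC excerpt and the capture concrete, the following is an added example (not code from the original post) that decodes and builds HSRP version 1 packets using the field layout from RFC 2281 (UDP/1985 to 224.0.0.2): eight one-byte fields, eight bytes of Authentication Data, then the four-byte virtual IP. The sample hello below is constructed to match R2's configuration (group 1, priority 115, default timers, no key configured). It also implements the receiver-side check the text describes: a packet whose authentication field differs from the local key is discarded, which is why a router configured with `authentication cisco` keeps accepting a peer that never configured anything. That short keys are NUL-padded to 8 bytes is an assumption about IOS behaviour inferred from the RFC's default value.

```python
"""Decode and check HSRP version 1 packets (RFC 2281, UDP/1985 to 224.0.0.2).

Added example, not part of the original post. Field layout follows RFC 2281;
the NUL padding of keys shorter than 8 bytes is an assumption about IOS.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

HSRP_UDP_PORT = 1985
HSRP_V1_MCAST = "224.0.0.2"
# "If no authentication data is configured, the RECOMMENDED default value is
# 0x63 0x69 0x73 0x63 0x6F 0x00 0x00 0x00" (RFC 2281): ASCII "cisco" plus padding.
RFC2281_DEFAULT_AUTH = bytes([0x63, 0x69, 0x73, 0x63, 0x6F, 0x00, 0x00, 0x00])

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

# Version, Op Code, State, Hellotime, Holdtime, Priority, Group, Reserved,
# 8 bytes Authentication Data, 4 bytes Virtual IP Address: 20 bytes in total.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)

# Constructed sample: the hello R2 sends as active router for group 1 with
# priority 115 (0x73), hello 3 / hold 10, VIP 192.168.1.254 and no key set.
SAMPLE_HELLO = bytes.fromhex(
    "00 00 10 03 0a 73 01 00" "63 69 73 63 6f 00 00 00" "c0 a8 01 fe"
)


@dataclass
class HsrpV1:
    version: int
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    reserved: int
    auth_data: bytes
    virtual_ip: str


def auth_key_to_field(key: str) -> bytes:
    """Plain-text key as carried on the wire: ASCII, NUL-padded to 8 bytes (assumed)."""
    raw = key.encode("ascii")
    if not 1 <= len(raw) <= 8:
        raise ValueError("HSRP v1 plain-text key must be 1 to 8 characters")
    return raw.ljust(8, b"\x00")


def auth_field_to_key(auth_data: bytes) -> str:
    """Inverse of auth_key_to_field: strip the NUL padding for display."""
    return auth_data.rstrip(b"\x00").decode("ascii", errors="replace")


def build_hsrp_v1(opcode: int, state: int, priority: int, group: int,
                  virtual_ip: str, auth_key: Optional[str] = None,
                  hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Serialise an HSRP v1 packet; no key means the RFC default is sent."""
    auth = auth_key_to_field(auth_key) if auth_key else RFC2281_DEFAULT_AUTH
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth,
                       ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode the UDP payload of an HSRP v1 packet."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError(f"HSRP v1 needs {HSRP_V1_LEN} bytes, got {len(payload)}")
    f = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if f[0] != 0:
        raise ValueError(f"not HSRP v1 (version byte {f[0]})")
    return HsrpV1(*f[:8], auth_data=f[8],
                  virtual_ip=str(ipaddress.IPv4Address(f[9])))


def uses_default_auth(pkt: HsrpV1) -> bool:
    """True when the sender never configured 'standby <group> authentication'."""
    return pkt.auth_data == RFC2281_DEFAULT_AUTH


def accept_hello(pkt: HsrpV1, configured_key: Optional[str]) -> bool:
    """Receiver-side check from RFC 2281: Authentication Data that differs from
    the local key means the packet is discarded. A receiver with no key
    configured compares against the default, so it accepts an explicit 'cisco'."""
    expected = auth_key_to_field(configured_key) if configured_key else RFC2281_DEFAULT_AUTH
    return pkt.auth_data == expected


if __name__ == "__main__":
    pkt = parse_hsrp_v1(SAMPLE_HELLO)
    print(f"{OPCODES[pkt.opcode]} for group {pkt.group}, state {STATES[pkt.state]}, "
          f"priority {pkt.priority}, VIP {pkt.virtual_ip}")
    print("auth field:", pkt.auth_data.hex(" "), "->", repr(auth_field_to_key(pkt.auth_data)),
          "(RFC 2281 default)" if uses_default_auth(pkt) else "")
    for key in (None, "cisco", "secret"):
        print(f"receiver configured {key!r}: accepted={accept_hello(pkt, key)}")
```

Run stand-alone, the script decodes the constructed hello, prints the authentication field as `cisco`, and shows that a receiver with no key or with `cisco` accepts the packet while one configured with `secret` rejects it, which is exactly the mismatch behaviour the test on the two routers is about to exercise.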

R2(config)#interface fa0/0
R2(config-if)#standby 1 authentication cisco

Next I checked the standby status.

R1

R1(config)#do show standby
FastEthernet0/0 - Group 1
  State is Standby
    21 state changes, last state change 00:25:45
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec

R2

R2(config-if)#do show standby
FastEthernet0/0 - Group 1
  State is Active
    8 state changes, last state change 04:02:24
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec

As expected, the standby configuration is still functioning properly. I also wanted to go back and look at R2 to see whether the authentication command I entered was visible in the running configuration, since IOS does not display some default settings.

R2(config-if)#do show run int fa0/0
Building configuration...

Current configuration : 221 bytes
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 192.168.1.254
 standby 1 priority 115
 standby 1 preempt
end

As can be seen in the output above, the command that I explicitly entered is not visible in the running configuration. This is consistent with other defaults found in IOS. Even though it seems odd that Cisco would use a static default password of “cisco”, this has clearly proven to be the case. I’d actually love to know the back story behind this. Since default passwords are basically useless, my guess is that it was a placeholder for the authentication component during development or early versions of the protocol. Alternatively, this may have been done because it was “easier” than having the option to truly disable authentication. Note that changing the key to something other than “cisco” does not add much either: the plain-text authentication field is carried in the clear in every hello, so anyone who can capture the traffic can read it. The `standby <group> authentication md5 key-string <key>` form is the option that actually provides message integrity.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Design.

5 Responses to HSRP Default Authentication

  1. Richard John Jordan says:

    As I was reading this article I’ve learned a little information about HSRP. Keep posting more info!

  2. cplduf says:

    Nice... out of curiosity I did “show run all” on a Nexus and it’s there.

    interface Vlan252
    no shutdown
    mtu 1500
    bandwidth 1000000
    delay 1
    medium broadcast
    snmp trap link-status
    no description
    carrier-delay msec 100
    load-interval counter 1 60
    load-interval counter 2 300
    no load-interval counter 3
    mac-address 547f.ee59.7782
    no management
    vrf member bling
    ip address 192.168.10.2/24
    no hsrp bfd
    hsrp version 2
    hsrp delay minimum 0 reload 0
    no hsrp use-bia
    hsrp 252
    authentication cisco
    name hsrp-Vlan252-252
    mac-address 0000.0C9F.F0FC
    preempt delay minimum 0 reload 0 sync 0
    priority 105
    timers 3 10
    ip 192.168.10.1

    • Alexandra Stanovska says:

      Yes, you can use ‘show run all’ to display default configuration.

      BTW OSPF and VTP also have some default form of authentication (null password).

  3. Pingback: Internets of Interest for 8th December 2012 — EtherealMind
