18-Troubleshooting HSRP Authentication

Lab ID: 10.317A237.TSP.

Troubleshooting HSRP Authentication


Objective
In this lab, you will troubleshoot a Hot Standby Router Protocol (HSRP) environment. HSRP is a network
protocol that provides first-hop redundancy for IP networks so that client traffic recovers immediately and
transparently from first-hop failures in network edge devices. Authentication protects the specified HSRP
group against HSRP spoofing attacks, which can result in a Denial of Service (DoS) condition.

Lab Topology
The topology diagram below represents the NetMap in the Simulator.

1 Boson NetSim Lab Manual


Command Summary

configure terminal
    enters global configuration mode from privileged EXEC mode
enable
    enters privileged EXEC mode
end
    ends and exits configuration mode
exit
    exits one level in the menu structure
interface type number
    changes from global configuration mode to interface configuration mode
ipconfig
    is used in NetSim to display the currently configured IP address, subnet mask, and default gateway on a workstation
ipconfig /dg ip-address
    is used in NetSim to assign a default gateway IP address to a workstation interface
no standby group-number authentication
    removes the authentication string for HSRP
ping ip-address
    sends an Internet Control Message Protocol (ICMP) echo request to the specified address
show cdp neighbors
    displays information about directly connected neighbors
show running-config
    displays the active configuration file
show running-config interface type number
    displays the specified interface’s active configuration file
show spanning-tree vlan vlan-id
    shows whether spanning tree is running for a VLAN
show standby
    displays HSRP information
show vlan brief
    displays parameters for all VLANs; contains the VLAN’s name, status, and ports assigned to it
shutdown; no shutdown
    disables an interface; enables an interface
spanning-tree vlan vlan-id priority priority
    sets the spanning tree priority for use in the bridge ID
standby group-number authentication md5 key-string key-string
    enables HSRP Message Digest 5 (MD5) authentication for the specified HSRP group number
standby [group-number] ip [ip-address]
    creates or enables the HSRP group with a group number and virtual IP address
standby group-number preempt
    enables preemption for a specified HSRP group on an HSRP router interface
standby group-number priority priority
    sets the priority value used in choosing the active router; the default value is 100, and the configurable priority value range is from 1 through 255, with 255 being the highest priority
standby group-number track {object-number | interface-type interface-number [priority-decrement]}
    enables HSRP interface tracking and can be used to automatically lower an active router’s priority when the interface to an external network is down
tracert ip-address
    displays the network path to a given destination; is used on Microsoft Windows workstations


The IP addresses and subnet masks used in this lab are shown in the tables below:

IP Addresses

Device   Interface         IP Address     Subnet Mask      Default Gateway
Router1  FastEthernet 0/0  192.168.51.49  255.255.255.252  -
         FastEthernet 0/1  192.168.51.53  255.255.255.252  -
         Loopback 0        172.16.0.1     255.255.255.255  -
         Loopback 1        198.51.100.1   255.255.255.255  -
DSW1     FastEthernet 0/0  192.168.51.50  255.255.255.252  192.168.51.49
         VLAN 100          10.10.100.1    255.255.255.0    -
         VLAN 200          10.10.200.1    255.255.255.0    -
         HSRP Group 100    10.10.100.3    -                -
DSW2     FastEthernet 0/0  192.168.51.54  255.255.255.252  192.168.51.53
         VLAN 100          10.10.100.2    255.255.255.0    -
         VLAN 200          10.10.200.2    255.255.255.0    -
         HSRP Group 100    10.10.100.3    -                -
ASW1     VLAN 100          10.10.100.5    255.255.255.0    -
         VLAN 200          10.10.200.5    255.255.255.0    -
ASW2     VLAN 100          10.10.100.6    255.255.255.0    -
         VLAN 200          10.10.200.6    255.255.255.0    -

Device   IP Address     Subnet Mask      Default Gateway
PC1      10.10.100.10   255.255.255.0    10.10.100.3
PC2      10.10.200.20   255.255.255.0    10.10.200.3
PC3      10.10.100.30   255.255.255.0    10.10.100.3
PC4      10.10.200.40   255.255.255.0    10.10.200.3

The HSRP configurations used in this lab are shown in the tables below:

HSRP Feature Configuration

DSW1
Group  Priority  Preemption  Track Interface   Decrement  MD5 Key String  IP Address
100    120       Enabled     FastEthernet 0/1  20         my80$0nL485!    10.10.100.3
200    110       Enabled     -                 -          my80$0nL485!    10.10.200.3

DSW2
Group  Priority  Preemption  Track Interface   Decrement  MD5 Key String  IP Address
100    110       Enabled     -                 -          my80$0nL485!    10.10.100.3
200    120       Enabled     FastEthernet 0/1  20         my80$0nL485!    10.10.200.3


Lab Tasks
Complex network troubleshooting requires a structured approach. Network documentation that includes
thorough troubleshooting procedures can decrease the amount of time required to resolve network
problems. Troubleshooting procedures should contain a process to diagnose problems and the steps
necessary to verify that a proposed solution resolved the problem. In this lab, this is referred to as a
troubleshooting and verification plan.

Ticket 1: Troubleshoot HSRP for VLAN 100


DSW1 is the active HSRP router for VLAN 100 on your company’s network. Another administrator recently
configured new security measures to comply with your company’s recently revised security policies.
These changes included the addition of the password my80$0nL485! to some configurations. Testing has
revealed that traffic from PC1 and PC3 to Router1 is sometimes forwarded by DSW2. In this task, you will
troubleshoot and repair the HSRP configuration for VLAN 100. After you fix the configuration, you should
additionally verify that DSW2 correctly takes over the active router role from DSW1 if DSW1’s FastEthernet
0/1 interface goes down.

Ticket 2: Configure HSRP to Load Balance VLAN 100 and VLAN 200
Your company has consolidated a small software development staff into its corporate headquarters. The
software developer workstations are confined to VLAN 200 and currently use DSW1 as a default gateway.
In this task, you will configure HSRP for VLAN 200 so that VLAN 200 clients use DSW2 as their default
gateway and use DSW1 only if the connection between DSW2 and Router1 goes down. The HSRP active
router for VLAN 100 clients should not be modified.

You can do so by clicking the Grade Lab icon ( ) in the toolbar or by pressing Ctrl+G.


Lab Solutions
Ticket 1: Troubleshoot HSRP for VLAN 100
DSW1 is the active HSRP router for VLAN 100 on your company’s network. Another administrator recently
configured new security measures to comply with your company’s recently revised security policies.
These changes included the addition of the password my80$0nL485! to some configurations. Testing has
revealed that traffic from PC1 and PC3 to Router1 is sometimes forwarded by DSW2. In this task, you will
troubleshoot the HSRP configuration for VLAN 100.

You should create a troubleshooting and verification plan before attempting to correct the problem. There
are several possible solutions to this task; this lab documents only one of them.

1. On PC1, issue the ipconfig command. Based on the output, you can determine that PC1 has
been configured with an IP address of 10.10.100.10/24. This is the subnet that has been assigned
to VLAN 100. Additionally, PC1 has been assigned a default gateway of 10.10.100.3, which is the
virtual IP address that has been assigned to the HSRP group 100 routers in this scenario. Sample
output is shown below:

C:>ipconfig

<output omitted>

Boson BOSS 5.0 IP Configuration


Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.10.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.100.3

2. Using the topology diagram in this lab document, you can determine that PC1 is connected to the
FastEthernet 0/11 interface of ASW1. You can verify that PC1 is operating in VLAN 100 by issuing
the following command on ASW1; the output should reveal that the FastEthernet 0/11 port to which
PC1 is connected is operating in VLAN 100. Sample output is below:

ASW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
100  VLAN0100                         active    Fa0/11
200  VLAN0200                         active    Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active


3. On both ASW1 and ASW2, you should issue the show spanning-tree vlan 100 command to
display Spanning Tree Protocol (STP) information about VLAN 100. You can determine a great
deal from the output displayed on ASW1. Based on the state of ASW1’s ports shown in the output,
you can determine that DSW1 is most likely the root bridge for VLAN 100. ASW1 is reporting that
the root bridge for VLAN 100 has a priority of 8192, has a Media Access Control (MAC) address of
000C.1289.3959, and is accessible through ASW1’s FastEthernet 0/2 port. Based on the topology
diagram, you can determine that ASW1’s FastEthernet 0/4 port is directly connected to DSW2.

Similarly, ASW2 is reporting that the root bridge has a priority of 8192, has a MAC address of
000C.1289.3959, and is accessible through ASW2’s FastEthernet 0/4 port. Based on either the
topology diagram or the output of the show cdp neighbors command on ASW2, you can determine
that ASW2’s FastEthernet 0/2 port is directly connected to DSW2. Therefore, traffic from PC1 that is
destined for Router1 is most likely being correctly sent from ASW1 to DSW1.

ASW1#show spanning-tree vlan 100

VLAN0100
Spanning tree enabled protocol pvst
Root ID Priority 8192
Address 000C.1289.3959
Cost 19
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32868
Address 000C.3388.4866
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------
Fa0/2               Root FWD 19        128.2    P2p
Fa0/4               Desg BLK 38        128.4    P2p
Fa0/11              Desg FWD 19        128.11   P2p

ASW2#show spanning-tree vlan 100

VLAN0100
Spanning tree enabled protocol pvst
Root ID Priority 8192
Address 000C.1289.3959
Cost 19
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32868
Address 000C.2449.5119
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ------------------------------
Fa0/2               Desg BLK 38        128.2    P2p
Fa0/4               Root FWD 19        128.4    P2p
Fa0/11              Desg FWD 19        128.11   P2p


ASW2#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, i - IGMP, r - Repeater
Device ID   Local Intrfce   Holdtme   Capability   Platform   Port ID
DSW1        Fas0/4          157       T S          3550       Fas 0/4
DSW2        Fas0/2          157       T S          3550       Fas 0/2

4. When you examine the console of DSW1, you should notice that DSW1 is also producing debug
messages related to HSRP authentication. The error messages indicate that HSRP Group 100
on DSW2 (10.10.100.2) is unable to correctly authenticate with HSRP Group 100 on DSW1
(10.10.100.1). Additionally, the debug message indicates that DSW2 is reporting itself as the active
HSRP router for HSRP group 100. Sample output from DSW1 is below:

00:03:03: %HSRP-4-BADAUTH: Bad authentication from 10.10.100.2, group 100,
remote state Active

5. On DSW1, you should issue the show standby command to display HSRP information for HSRP
group 100. Based on the output, you can determine the following:

• DSW1 is reporting itself as the active router for HSRP group 100.
• DSW1 has been unable to locate a standby router for HSRP group 100.
• HSRP group 100 has been configured with a priority of 120 on DSW1.
• HSRP preemption is enabled.
• HSRP group 100 on DSW1 is tracking the FastEthernet 0/0 interface.
• HSRP authentication has been configured for HSRP group 100 by using a key string of
my80$0nL485! from which an MD5 hash is generated.

When the FastEthernet 0/0 interface goes down, the priority of HSRP group 100 on DSW1 will be
decremented by 20. However, the tracked interface is currently in the Up state.

DSW1#show standby
Vlan0100 - Group 100
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 2.299secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is unknown
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec


6. On both DSW1 and DSW2, you should issue the show running-config interface vlan 100
command to display the running configuration. Based on the output, you should be able to determine
that the key string configured for HSRP group 100 authentication on DSW2 does not match the
key string that is configured for HSRP group 100 authentication on DSW1. According to your
documentation, the password my80$0nL485! should have been added to the configurations. This
password matches the key string on DSW1. Therefore, DSW2’s HSRP authentication has been
configured with an incorrect key string. Sample output is shown below:

DSW1#show running-config interface vlan 100

Building configuration...
Current configuration : 255 bytes
!
interface Vlan0100
ip address 10.10.100.1 255.255.255.0
no ip route-cache
standby 100 ip 10.10.100.3
standby 100 priority 120
standby 100 preempt
standby 100 authentication md5 key-string my80$0nL485!
standby 100 track FastEthernet0/1 decrement 20
!
end

DSW2#show running-config interface vlan 100

Building configuration...
Current configuration : 220 bytes
!
interface Vlan0100
ip address 10.10.100.2 255.255.255.0
no ip route-cache
standby 100 ip 10.10.100.3
standby 100 priority 110
standby 100 preempt
standby 100 authentication md5 key-string myB0S0nL485!
!
end

7. On DSW2, you should issue the following commands to correct the configuration.

DSW2(config)#interface vlan 100
DSW2(config-subif)#no standby 100 authentication
DSW2(config-subif)#standby 100 authentication md5 key-string my80$0nL485!

00:08:26: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Active -> Speak
00:08:26: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Speak -> Standby

DSW1 and DSW2 will not be able to exchange HSRP Hello packets until the correct key string has
been configured on DSW2. The no standby 100 authentication command removes authentication
from the DSW2 HSRP group 100 configuration. The standby 100 authentication md5 key-string
my80$0nL485! command configures HSRP group 100 on DSW2 to use MD5 authentication based
on a key string of my80$0nL485!.


8. On both DSW1 and DSW2, you should issue the show standby command to display HSRP
information. Based on the output, you should be able to determine that DSW1 is now the only active
HSRP router for HSRP group 100. DSW2, on the other hand, has transitioned to the standby HSRP
router role. Therefore, HSRP authentication has been correctly configured between DSW1 and
DSW2. Sample output from both routers is shown below:

DSW1#show standby
Vlan0100 - Group 100
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.938secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is 10.10.100.2, priority 110
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec

DSW2#show standby
Vlan0100 - Group 100
State is Standby
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 2.306secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is 10.10.100.1, priority 120 (expires in 5.694)
Standby router is local
Priority 110 (configured 110)
IP redundancy name is HSRP1, advertisement interval is 34 sec

9. On PC1, you should issue the following command to trace the route to Router1’s Loopback 1
interface (198.51.100.1). Based on the output, you should be able to determine that PC1 can now
successfully communicate with Router1 through DSW1 (10.10.100.1) and that the path is via DSW1.

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.100.1 20 msec 16 msec *
2 192.168.51.49 20 msec 16 msec *


10. On DSW1, you should issue the following command to display HSRP tracked interface information:

DSW1#show standby
Vlan0100 - Group 100
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.100.3
Active virtual MAC address is 0000.0c07.ac64
Local virtual MAC address is 0000.0c07.ac64(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.938secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is 10.10.100.2, priority 110 (expires in 2.437 sec)
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec

Based on the output, you should be able to determine that the HSRP group 100 VLAN 100
interface is tracking DSW1’s FastEthernet 0/0 interface. Additionally, you can determine that if the
FastEthernet 0/0 interface enters the Down state, the priority of HSRP group 100 on DSW1 will be
decremented by 20.

11. On DSW1, you should issue the following commands to shut down the FastEthernet 0/1 interface:

DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#shutdown
00:09:01: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.51.49
(FastEthernet0/1) is down: interface down
00:09:01: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to
administratively down
00:09:01: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Up->Down
00:09:01: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Active -> Speak
00:09:01: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Speak -> Standby

12. After the network has time to converge, you should issue the following command on PC1 to trace
the route to Router1’s Loopback 1 interface (198.51.100.1):

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.100.2 20 msec 16 msec *
2 192.168.51.53 20 msec 16 msec *

PC1’s traffic to Router1 is now forwarded through DSW2 (10.10.100.2) instead of DSW1
(10.10.100.1). When the line protocol of DSW1’s FastEthernet 0/1 interface went down, HSRP
group 100’s priority value on DSW1 was decremented by 20. Therefore, DSW2 has taken over the
active HSRP router role from DSW1 because DSW1’s HSRP priority is now lower than DSW2’s and
preemption has been configured on DSW2.
13. On DSW1, you should issue the following command to enable the FastEthernet 0/1 interface:

DSW1(config-if)#no shutdown
00:10:29: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:10:29: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:10:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
00:10:29: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.51.49
(FastEthernet0/1) is up: new adjacency
00:10:30: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Down->Up
00:10:30: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Standby -> Active
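
The BADAUTH message in step 4 is the earliest sign of the key-string mismatch, and its "remote state Active" field shows that both switches claim the active role for the group. The following Python sketch is an added example, not part of the lab manual: it scans a console log constructed from the message formats shown above, rejoins wrapped lines, and flags groups where the local router was Active while a peer that failed authentication also reported Active.

```python
import re

# Constructed console log for DSW1, using the message formats shown in this lab.
# The BADAUTH messages are wrapped across two lines, as in the step 4 output.
SAMPLE_LOG = """\
00:00:41: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Speak -> Standby
00:00:53: %HSRP-6-STATECHANGE: Vlan0100 Grp 100 state Standby -> Active
00:03:03: %HSRP-4-BADAUTH: Bad authentication from 10.10.100.2, group 100,
remote state Active
00:03:07: %HSRP-4-BADAUTH: Bad authentication from 10.10.100.2, group 100,
remote state Active
00:09:01: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to
administratively down
"""

RECORD_START = re.compile(r"^\d+:\d+:\d+: %")
STATE_RE = re.compile(r"^\S+: %HSRP-6-STATECHANGE: \S+ Grp (\d+) state \w+ -> (\w+)")
AUTH_RE = re.compile(
    r"^(\S+): %HSRP-4-BADAUTH: Bad authentication from ([\d.]+), "
    r"group (\d+), remote state (\w+)"
)


def join_wrapped(log_text):
    """Rejoin console messages that were wrapped onto continuation lines."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def find_auth_failures(log_text):
    """Summarise BADAUTH events per (group, peer) and flag dual-active groups."""
    local_state = {}  # group -> last local HSRP state seen in the log
    findings = {}     # (group, peer) -> summary dict
    for record in join_wrapped(log_text):
        state = STATE_RE.match(record)
        if state:
            local_state[int(state.group(1))] = state.group(2)
            continue
        auth = AUTH_RE.match(record)
        if not auth:
            continue
        stamp, peer, remote = auth.group(1), auth.group(2), auth.group(4)
        group = int(auth.group(3))
        entry = findings.setdefault((group, peer), {
            "group": group, "peer": peer, "count": 0,
            "first_seen": stamp, "last_seen": stamp, "dual_active": False,
        })
        entry["count"] += 1
        entry["last_seen"] = stamp
        # Both sides Active means the peers cannot see each other's hellos as valid.
        if remote == "Active" and local_state.get(group) == "Active":
            entry["dual_active"] = True
    return [findings[key] for key in sorted(findings)]


if __name__ == "__main__":
    for item in find_auth_failures(SAMPLE_LOG):
        print(item)
```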

Ticket 2: Configure HSRP to Load Balance VLAN 100 and VLAN 200
Your company has consolidated a small software development staff into its corporate headquarters. The
software developer workstations are confined to VLAN 200 and currently use DSW1 as a default gateway.
In this task, you will configure HSRP for VLAN 200 so that VLAN 200 clients use DSW2 as their default
gateway and use DSW1 if the connection between DSW2 and Router1 goes down. The HSRP active
router for VLAN 100 clients should not be modified.

You should create a troubleshooting and verification plan before attempting to correct the problem. There
are several possible solutions to this task; this lab documents only one of them.

1. On PC1, you should trace the route to Router1’s Loopback 1 interface (198.51.100.1). As shown in
the following sample output, traffic from PC1 is forwarded to Router1 through DSW1 (10.10.100.1):

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.100.1 20 msec 16 msec *
2 192.168.51.49 20 msec 16 msec *

2. On PC4, you should trace the route to Router1’s Loopback 1 interface (198.51.100.1). As shown in
the following sample output, traffic from PC4 is forwarded to Router1 by DSW2 (10.10.200.2):

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.200.2 20 msec 16 msec *
2 192.168.51.53 20 msec 16 msec *


3. On PC2 and PC4, the output of the ipconfig command reveals that each PC has a default gateway
of 10.10.200.2. If you configured PC2 and PC4 to use the HSRP virtual IP address of 10.10.100.3
as a default gateway, traffic from each PC on VLAN 200 would travel the same path to Router1
as traffic from PC1 and PC3, which are on VLAN 100. Although HSRP does not have built-in load
balancing capabilities, you can configure more than one HSRP group on an HSRP router. Each
group can be configured to operate as an active router or a standby router. Therefore, you can
potentially have a different active router for each HSRP group.

By segregating the LAN into VLANs and configuring an HSRP group per VLAN, you can load
balance traffic from the LAN as a whole across multiple HSRP routers.

On PC4:
C:>ipconfig

<output omitted>

Boson BOSS 5.0 IP Configuration


Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.10.200.40
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.200.2

4. On DSW2, you should issue the following command to display STP information for VLAN 200.
Based on the output, you can determine that DSW2 is not the root bridge for VLAN 200 and that the
root bridge for VLAN 200 has a priority value of 8192.

DSW2#show spanning-tree vlan 200

VLAN200
Spanning tree enabled protocol pvst
Root ID Priority 8192
Address 000C.1289.3959
Cost 19
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32968
Address 000C.1380.3538
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
<output omitted>

An STP best practice when using HSRP is to configure the HSRP group active router as the
STP root bridge for the group’s corresponding VLAN on the same device. Therefore, you should
configure DSW2 as the root bridge because it is the STP instance that is configured on what will be
the active HSRP router for the HSRP group that corresponds to VLAN 200.

5. On DSW2, you should issue the following command to configure STP for VLAN 200 to use a priority
value of 4096:

DSW2(config)#spanning-tree vlan 200 priority 4096


6. On DSW2, you should issue the following commands to configure the VLAN 200 interface with a
priority of 120 for HSRP group 200:

DSW2(config)#interface vlan 200
DSW2(config-if)#standby 200 priority 120

7. On DSW2, you should issue the following command to configure the VLAN 200 interface with
preemption for HSRP group 200:

DSW2(config-if)#standby 200 preempt

8. On DSW2, you should issue the following command on the VLAN 200 interface to configure
HSRP interface tracking for group 200 and to decrement HSRP group 200 priority by 20 if DSW2’s
FastEthernet 0/1 interface goes down:

DSW2(config-if)#standby 200 track fastethernet 0/1 20

9. On DSW2, you should issue the following command on the VLAN 200 interface to configure HSRP
group 200 with a virtual IP address of 10.10.200.3:

DSW2(config-if)#standby 200 ip 10.10.200.3

10. On DSW2, you should issue the following command to configure HSRP authentication for group 200
using a key string of my80$0nL485!:

DSW2(config-if)#standby 200 authentication md5 key-string my80$0nL485!

The md5 keyword configures HSRP group 200 to generate an MD5 hash from the string of
characters that is defined by the key-string keyword.

11. On PC2 and PC4, you should issue the following command to configure the default gateway to be
the virtual IP address of HSRP group 200 (10.10.200.3):

C:>ipconfig /dg 10.10.200.3

12. From PC4, you should issue the following command to trace the path to Router1’s Loopback 1
interface (198.51.100.1). Based on the output, you should be able to determine that traffic from PC4
is taking the path through DSW2 (10.10.200.2) to communicate with Router1 (192.168.51.53):

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.200.2 20 msec 16 msec *
2 192.168.51.53 20 msec 16 msec *


13. On DSW2, you should issue the following command to display information about HSRP group 200:

DSW2#show standby
<output omitted>
Vlan0200 - Group 200
State is Active
2 state changes, last state change 00:2:34
Virtual IP address is 10.10.200.3
Active virtual MAC address is 0000.0c07.acC8
Local virtual MAC address is 0000.0c07.acC8(v1 default)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.748secs
Authentication MD5, key-string “my80$0nL485!”
Preemption enabled, min delay 50 sec, sync delay 40 sec
Active router is local
Standby router is unknown
Priority 120 (configured 120)
Track interface FastEthernet0/1 state Up decrement 20
IP redundancy name is HSRP1, advertisement interval is 34 sec

Given the current configuration, traffic from PC2 or PC4 will not be able to reach Router1 if you
shut down DSW2’s FastEthernet 0/0 interface, because no standby router for HSRP group 200 has
been configured. Therefore, DSW2 will remain the active router for HSRP group 200 even when
the FastEthernet 0/0 interface has been shut down and DSW2’s HSRP group 200 priority has been
decremented.

14. Based on the HSRP group 200 configuration on DSW2, you should issue the following commands
on DSW1 to configure DSW1 to be the standby router for HSRP group 200 and to use a priority
value of 110:

DSW1(config)#interface vlan 200
DSW1(config-if)#standby 200 priority 110
DSW1(config-if)#standby 200 preempt
DSW1(config-if)#standby 200 authentication md5 key-string my80$0nL485!
DSW1(config-if)#standby 200 ip 10.10.200.3

15. On PC4, you should issue the following command to determine the path to Router1’s Loopback
1 interface. From the sample output below, you can see that the path to Router1’s Loopback 1
interface from PC4 has not changed because DSW1 is the standby router for HSRP group 200;
DSW2 remains the active router for HSRP group 200:

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.200.2 20 msec 16 *
2 192.168.51.53 20 msec 16 msec *


16. On DSW2, you should issue the following commands to shut down the FastEthernet 0/1 interface:

DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#shutdown
00:15:24: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.51.53
(FastEthernet0/1) is down: interface down
00:15:24: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to
administratively down
00:15:24: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Up->Down
00:15:24: %HSRP-6-STATECHANGE: Vlan0200 Grp 200 state Active -> Speak
00:15:24: %HSRP-6-STATECHANGE: Vlan0200 Grp 200 state Speak -> Standby

17. On PC4, you should issue the following command to determine the path to Router1’s Loopback
1 interface. From the sample output below, you can see that the path to Router1’s Loopback 1
interface from PC4 has changed because DSW1 is now the active router for HSRP group 200:

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.200.1 20 msec 16 msec *
2 192.168.51.49 20 msec 16 msec *

18. On DSW2, you should issue the following command to enable the FastEthernet 0/1 interface:

DSW2(config-if)#no shutdown
00:16:02: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:16:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
00:16:02: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.51.53
(FastEthernet0/1) is up: new adjacency
00:16:02: %TRACKING-5-STATE: 1 interface Fa0/1 line-protocol Down->Up
00:16:02: %HSRP-6-STATECHANGE: Vlan0200 Grp 200 state Standby -> Active

19. On PC4, you should issue the following command to trace the path to Router1’s Loopback 1
interface. From the sample output below, you can see that the path from PC4 to Router1 is now
through DSW2 because DSW2’s HSRP group 200 priority has been restored; therefore, DSW2 has
taken the active router role for HSRP group 200:

C:>tracert 198.51.100.1

“Type escape sequence to abort.”

Tracing the route to 198.51.100.1

1 10.10.200.2 20 msec 16 msec *
2 192.168.51.53 20 msec 16 msec *
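
Step 6 of Ticket 1 finds the fault by comparing the two switches' HSRP lines by eye, and steps 13 and 14 of Ticket 2 depend on both peers carrying the group and on the tracking decrement being large enough for the peer to preempt. The following Python sketch is an added example, not part of the lab manual: it parses the standby lines from two running configurations and reports those three conditions. The sample configurations are constructed from the lab's pre-fix state, and the function names are hypothetical.

```python
# Constructed inputs: the HSRP lines this lab shows for DSW1 and DSW2, with
# DSW2's group 100 key string in its pre-fix state and group 200 only on DSW2.
# Assumes key strings appear in clear text (no service password-encryption).
DSW1_CFG = """\
interface Vlan0100
 standby 100 ip 10.10.100.3
 standby 100 priority 120
 standby 100 preempt
 standby 100 authentication md5 key-string my80$0nL485!
 standby 100 track FastEthernet0/1 decrement 20
"""
DSW2_CFG = """\
interface Vlan0100
 standby 100 ip 10.10.100.3
 standby 100 priority 110
 standby 100 preempt
 standby 100 authentication md5 key-string myB0S0nL485!
interface Vlan0200
 standby 200 ip 10.10.200.3
 standby 200 priority 120
 standby 200 preempt
 standby 200 authentication md5 key-string my80$0nL485!
 standby 200 track fastethernet 0/1 20
"""


def track_decrement(args):
    """Return the decrement from 'track' arguments in either form the lab uses.

    Interface names are assumed to use slot/port numbering, as in the lab.
    """
    if "decrement" in args[:-1]:
        return int(args[args.index("decrement") + 1])
    if len(args) > 1 and args[-1].isdigit() and not args[0].isdigit():
        return int(args[-1])
    return 10  # IOS default decrement when none is configured


def parse_hsrp(config):
    """Return {group: settings} built from the 'standby' lines in config text."""
    groups = {}
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "standby" or not tok[1].isdigit():
            continue
        grp = groups.setdefault(int(tok[1]), {
            "vip": None, "priority": 100, "preempt": False,
            "auth": None, "decrement": 0,
        })
        keyword, args = tok[2], tok[3:]
        if keyword == "ip" and args:
            grp["vip"] = args[0]
        elif keyword == "priority" and args:
            grp["priority"] = int(args[0])
        elif keyword == "preempt":
            grp["preempt"] = True
        elif keyword == "authentication" and args:
            grp["auth"] = tuple(args)
        elif keyword == "track" and args:
            grp["decrement"] = track_decrement(args)
    return groups


def audit_pair(name_a, cfg_a, name_b, cfg_b):
    """Compare two peers' HSRP groups; return (group, code, detail) findings."""
    a, b = parse_hsrp(cfg_a), parse_hsrp(cfg_b)
    findings = []
    for grp in sorted(set(a) | set(b)):
        if grp not in a or grp not in b:
            owner = name_a if grp in a else name_b
            findings.append((grp, "NO_PEER", f"only {owner} is configured for this group"))
            continue
        # Key strings are compared but never echoed into the report.
        if a[grp]["auth"] != b[grp]["auth"]:
            findings.append((grp, "AUTH_MISMATCH", "authentication settings differ"))
        if a[grp]["vip"] != b[grp]["vip"]:
            findings.append((grp, "VIP_MISMATCH", "virtual IP addresses differ"))
        for hi_name, hi, lo in ((name_a, a[grp], b[grp]), (name_b, b[grp], a[grp])):
            if hi["priority"] <= lo["priority"] or not hi["decrement"]:
                continue
            # Failover needs the decremented priority to fall below the peer's
            # priority and the peer to have preemption enabled.
            if hi["priority"] - hi["decrement"] >= lo["priority"] or not lo["preempt"]:
                findings.append((grp, "NO_FAILOVER",
                                 f"peer cannot take over when {hi_name}'s tracked interface fails"))
    return findings


if __name__ == "__main__":
    for finding in audit_pair("DSW1", DSW1_CFG, "DSW2", DSW2_CFG):
        print(finding)
```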


Sample Configuration Scripts
DSW1

DSW1#show running-config
Building configuration...
Current configuration : 2035 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DSW1
!
ip subnet-zero
!
ip cef
no ip domain-lookup
spanning-tree mode pvst
spanning-tree vlan 100,200 priority 8192
ip routing
spanning-tree extend system-id
!
interface Loopback0
no ip address
!
interface FastEthernet0/1
no switchport
ip address 192.168.51.50 255.255.255.252
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan 1
no ip address
no ip route-cache
!
interface Loopback0
no ip address
no ip route-cache
!
interface Vlan0100
ip address 10.10.100.1 255.255.255.0
no ip route-cache
standby 100 ip 10.10.100.3
standby 100 priority 120
standby 100 preempt
standby 100 authentication md5 key-string my80$0nL485!
standby 100 track decrement 20
!
interface Vlan0200
ip address 10.10.200.1 255.255.255.0
no ip route-cache
standby 200 ip 10.10.200.3
standby 200 priority 110
standby 200 preempt
standby 200 authentication md5 key-string my80$0nL485!
!
vlan 100 name VLAN0100
vlan 200 name VLAN0200
!
router eigrp 100
network 10.10.100.0 0.0.0.255
network 10.10.200.0 0.0.0.255
network 192.168.51.48 0.0.0.3
!
ip classless
no ip http server
!
ip route 0.0.0.0 0.0.0.0 192.168.51.49
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end


DSW2

DSW2#show running-config
Building configuration...
Current configuration : 1970 bytes
!
Version 15.b
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DSW2
!
ip subnet-zero
!
ip cef
no ip domain-lookup
spanning-tree mode pvst
spanning-tree vlan 100 priority 28672
spanning-tree vlan 200 priority 4096
ip routing
spanning-tree extend system-id
!
interface FastEthernet0/1
no switchport
ip address 192.168.51.54 255.255.255.252
!
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan 1
no ip address
no ip route-cache
!
interface Vlan0100
ip address 10.10.100.2 255.255.255.0
no ip route-cache
standby 100 ip 10.10.100.3
standby 100 priority 110
standby 100 preempt
standby 100 authentication md5 key-string my80$0nL485!
!
interface Vlan0200
ip address 10.10.200.2 255.255.255.0
no ip route-cache
standby 200 ip 10.10.200.3
standby 200 priority 120
standby 200 preempt
standby 200 authentication md5 key-string my80$0nL485!
standby 200 track decrement 20
!
vlan 100 name VLAN0100
vlan 200 name VLAN0200
!
router eigrp 100
network 10.10.100.0 0.0.0.255
network 10.10.200.0 0.0.0.255
network 192.168.51.52 0.0.0.3
!
ip classless
no ip http server
!
ip route 0.0.0.0 0.0.0.0 192.168.51.53
!
line con 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end

Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.
