Sunday 14 March 2021

BGP Chapter 20 - BGP Authentication

Simple
Supports Message Digest 5 (MD5) algorithm
Not mandatory
Incase used both the peers should have same password to form BGP neighborship. 

 


 

 

BGP Authentication

 


R1
==============

config t
hostname R1
int eth1/0
ip add 12.1.1.1 255.255.255.0
no shut
exit
exit

config t
int loopback 0
ip add 1.1.1.1 255.255.255.255
exit
exit

config t
ip route 2.2.2.2 255.255.255.255 eth1/0

R2
==============

config t
hostname R2
int eth1/0
ip add 12.1.1.2 255.255.255.0
no shut
exit
exit

config t
int loopback 0
ip add 2.2.2.2 255.255.255.255
exit
exit

config t
ip route 1.1.1.1 255.255.255.255 eth1/0

BGP Configuration
=====================

R1
====
config t
router bgp 100
neighbor 2.2.2.2 remote-as 200
neighbor 2.2.2.2 update-source loopback 0
neighbor 2.2.2.2 ebgp-multihop 255
neighbor 2.2.2.2 soft-reconfiguration in
exit
exit

R2
====
config t
router bgp 200
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source loopback 0
neighbor 1.1.1.1 ebgp-multihop 255
neighbor 1.1.1.1 soft-reconfiguration in
exit
exit

BGP Authentication Configuration
==================================
R1
====

R1(config)#
R1(config)#router bgp 100
R1(config-router)#neighbor 2.2.2.2 password ?
  <0-7>  Encryption type (0 to disable encryption, 7 for proprietary)
  LINE   The password

R1(config-router)#neighbor 2.2.2.2 password cisco123
R1(config-router)#exit
R1(config)#
R1(config)#exit


*Mar 13 14:09:37.667: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(33269) to 1.1.1.1(179) tableid - 0
*Mar 13 14:09:39.663: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(33269) to 1.1.1.1(179) tableid - 0
*Mar 13 14:09:43.671: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(33269) to 1.1.1.1(179) tableid - 0
*Mar 13 14:09:51.671: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(33269) to 1.1.1.1(179) tableid - 0

Lets quickly configure on R2 also

R2
====
config t
router bgp 200
neighbor 1.1.1.1 password cisco123
exit

After configuration the neighborship is now up

Logs on R1
=================
*Mar 13 14:12:31.591: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(27868) to 1.1.1.1(179) tableid - 0
*Mar 13 14:12:39.591: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(27868) to 1.1.1.1(179) tableid - 0
*Mar 13 14:13:01.599: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Up

R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4          200       4       5        1    0    0 00:00:48        0


Now I have configured wrong password on R2

R2(config)#router bgp 200
R2(config-router)#neighbor 1.1.1.1 password cisco
R2(config-router)#exit
R2(config)#exit

Logs on R1
=================
*Mar 13 14:17:13.019: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(27879) to 1.1.1.1(179) tableid - 0
*Mar 13 14:17:35.879: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(20365) to 1.1.1.1(179) tableid - 0
*Mar 13 14:17:37.879: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(20365) to 1.1.1.1(179) tableid - 0
*Mar 13 14:17:40.219: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(179) to 1.1.1.1(13155) tableid - 0
*Mar 13 14:17:41.879: %TCP-6-BADAUTH: Invalid MD5 digest from 2.2.2.2(20365) to 1.1.1.1(179) tableid - 0


R1#sh ip bgp summary
BGP router identifier 1.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4          200       0       0        1    0    0 00:01:07 Active

R2#sh ip bgp sum
BGP router identifier 2.2.2.2, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4          100       0       0        1    0    0 00:02:15 Active


Now lets switchback and make the correction in password

& neigbhorship is up

R2#sh ip bgp sum
BGP router identifier 2.2.2.2, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4          100       4       4        1    0    0 00:00:05        0

R1#sh run | section bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 2.2.2.2 remote-as 200
 neighbor 2.2.2.2 password cisco123
 neighbor 2.2.2.2 ebgp-multihop 255
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 soft-reconfiguration inbound

R2#sh run | sec bgp
router bgp 200
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 password cisco123
 neighbor 1.1.1.1 ebgp-multihop 255
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 1.1.1.1 version 4
 neighbor 1.1.1.1 soft-reconfiguration inbound


Thanks for Reading !!!!

amartechstuff

 

No comments:

Post a Comment