I got an e-mail recently from a reader who asked me about how to set up MD5 authentication between a pair of BGP peers, so I thought I’d do a quick write-up and example.
Setting up MD5 authentication is really simple. For our example, we’ll use a pair of routers connected over their serial 0/0 interfaces:
In addition to the addressing information in the diagram:
- we’ll configure R5′s loopback 0 interface with IP address 5.5.5.5/24,
- we’ll configure R7′s loopback 0 interface with IP address 7.7.7.7/24,
- we’ll advertise both of those networks in BGP,
- R5 is in AS 65005 and R7 is in AS 65007, and
- we’ll use a password of “8F3NHBrisX”.
This is nearly identical to a previous write-up, “Configuring Basic BGP“, with the authentication added in.
First, let’s configure the loopback 0 interfaces:
R5# configure terminal R5(config)# interface loopback 0 R5(config-if)# ip address 5.5.5.5 255.255.255.0
R7# configure terminal R7(config)# interface loopback 0 R7(config-if)# ip address 7.7.7.7 255.255.255.0
Now bring up the connection between R5 and R7:
R5(config)# interface serial 0/0 R5(config-if)# ip address 172.16.57.5 255.255.255.0 R5(config-if)# no shutdown
R7(config-if)# interface serial 0/0 R7(config-if)# ip address 172.16.57.7 255.255.255.0 R7(config-if)# no shutdown
Make sure we have connectivity:
R5(config-if)# do ping 172.16.57.7 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.57.7, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
Now we can begin configuring BGP. R5 will be in AS 65005, advertise the 5.5.5.0/24 network, and peer with 172.16.57.7 (AS 65007) using our password “8F3NHBrisX”:
R5(config-if)# router bgp 65005 R5(config-router)# network 5.5.5.0 mask 255.255.255.0 R5(config-router)# neighbor 172.16.57.7 remote-as 65007 R5(config-router)# neighbor 172.16.57.7 password 8F3NHBrisX
We’ll configure R7 in a similar manner. It is in AS 65007, will advertise the 7.7.7.0/24 network, and peer with 172.16.57.5 (AS 65005) using the same password:
R7(config-if)# router bgp 65007 R7(config-router)# network 7.7.7.0 mask 255.255.255.0 R7(config-router)# neighbor 172.16.57.5 remote-as 65005 R7(config-router)# neighbor 172.16.57.5 password 8F3NHBrisX
We’ll see the BGP adjacency come up…
R7(config-router)# *Mar 1 00:05:31.191: %BGP-5-ADJCHANGE: neighbor 172.16.57.5 Up
…and can see that we’re exchanging routes:
R7(config-router)# do show ip route bgp
5.0.0.0/24 is subnetted, 1 subnets
B 5.5.5.0 [20/0] via 172.16.57.5, 00:01:07
We should now be able to ping loopback to loopback:
R7(config-router)# do ping 5.5.5.5 source 7.7.7.7 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds: Packet sent with a source address of 7.7.7.7 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
