Configuring MD5 Authentication for BGP Peers

by Jeremy L. Gaddis on July 10, 2009

I recently got an e-mail from a reader asking how to set up MD5 authentication between a pair of BGP peers, so I thought I’d do a quick write-up with an example.

Setting up MD5 authentication is really simple. For our example, we’ll use a pair of routers connected over their serial 0/0 interfaces:

In addition to the addressing information in the diagram:

  • we’ll configure R5’s loopback 0 interface with IP address 5.5.5.5/24,
  • we’ll configure R7’s loopback 0 interface with IP address 7.7.7.7/24,
  • we’ll advertise both of those networks in BGP,
  • R5 is in AS 65005 and R7 is in AS 65007, and
  • we’ll use a password of “8F3NHBrisX”.

This is nearly identical to a previous write-up, “Configuring Basic BGP”, with the authentication added in.

First, let’s configure the loopback 0 interfaces:

R5# configure terminal
R5(config)# interface loopback 0
R5(config-if)# ip address 5.5.5.5 255.255.255.0

R7# configure terminal
R7(config)# interface loopback 0
R7(config-if)# ip address 7.7.7.7 255.255.255.0

Now bring up the connection between R5 and R7:

R5(config)# interface serial 0/0
R5(config-if)# ip address 172.16.57.5 255.255.255.0
R5(config-if)# no shutdown

R7(config-if)# interface serial 0/0
R7(config-if)# ip address 172.16.57.7 255.255.255.0
R7(config-if)# no shutdown

Make sure we have connectivity:

R5(config-if)# do ping 172.16.57.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.57.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Now we can begin configuring BGP. R5 will be in AS 65005, advertise the 5.5.5.0/24 network, and peer with 172.16.57.7 (AS 65007) using our password “8F3NHBrisX”:

R5(config-if)# router bgp 65005
R5(config-router)# network 5.5.5.0 mask 255.255.255.0
R5(config-router)# neighbor 172.16.57.7 remote-as 65007
R5(config-router)# neighbor 172.16.57.7 password 8F3NHBrisX

We’ll configure R7 in a similar manner. It is in AS 65007, will advertise the 7.7.7.0/24 network, and peer with 172.16.57.5 (AS 65005) using the same password:

R7(config-if)# router bgp 65007
R7(config-router)# network 7.7.7.0 mask 255.255.255.0
R7(config-router)# neighbor 172.16.57.5 remote-as 65005
R7(config-router)# neighbor 172.16.57.5 password 8F3NHBrisX

We’ll see the BGP adjacency come up…

R7(config-router)#
*Mar  1 00:05:31.191: %BGP-5-ADJCHANGE: neighbor 172.16.57.5 Up

…and can see that we’re exchanging routes:

R7(config-router)# do show ip route bgp
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 [20/0] via 172.16.57.5, 00:01:07

We should now be able to ping loopback to loopback:

R7(config-router)# do ping 5.5.5.5 source 7.7.7.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 7.7.7.7
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
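
As an added example (not part of the original post), this Python script audits running-config-style text for BGP neighbors that have no "password" line, either directly or inherited through a peer group. The sample config is constructed: only the 172.16.57.7 neighbor comes from this post; the other peers, the EDGE peer group and its password are assumptions.

```python
import ipaddress
import re

# Constructed sample in running-config style. The 172.16.57.7 neighbor matches
# R5's configuration on this page; the other peers and EDGE group are made up.
SAMPLE_CONFIG = """\
router bgp 65005
 network 5.5.5.0 mask 255.255.255.0
 neighbor EDGE peer-group
 neighbor EDGE remote-as 65010
 neighbor EDGE password ExamplePw1
 neighbor 172.16.57.7 remote-as 65007
 neighbor 172.16.57.7 password 8F3NHBrisX
 neighbor 192.0.2.9 remote-as 65009
 neighbor 198.51.100.2 peer-group EDGE
!
"""

NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def peers_without_password(config):
    """Return BGP peer addresses with no password, directly or via peer group."""
    has_password, member_of, peers = set(), {}, set()
    in_bgp = False
    for line in config.splitlines():
        if not line.startswith(" "):           # top-level line starts a new section
            in_bgp = line.startswith("router bgp ")
            continue
        m = NEIGHBOR.match(line) if in_bgp else None
        if not m:
            continue
        name, keyword, arg = m.groups()
        if is_ip(name):                        # peer-group names are not addresses
            peers.add(name)
        if keyword == "password":
            has_password.add(name)
        elif keyword == "peer-group" and arg:  # "neighbor <ip> peer-group <group>"
            member_of[name] = arg
    return sorted(p for p in peers
                  if p not in has_password and member_of.get(p) not in has_password)

if __name__ == "__main__":
    print(peers_without_password(SAMPLE_CONFIG))
```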

Here’s the whole thing, from start to finish:
