
BGP Authentication and Troubleshooting

Created by Deepak Sharma in Articles 12 May 2024

Cisco BGP Authentication - Tasks

● Configure BGP on R01, R02, and R03 as per the topology above.

● Use BGP ASNs 100, 200, and 300, respectively.

● Advertise the Loopback networks of the routers into BGP.

● R03 should peer with both R01 and R02.

● Configure BGP MD5 authentication on these peerings with the password UNINETS.

Before starting, you should already be familiar with what BGP is and how it works. This configuration focuses on a scenario where both peers require BGP authentication, and on troubleshooting it when needed.


BGP Authentication and other Configuration Commands

SW1:

!
hostname SW1
!
vlan 13
 name R1-R3
vlan 23
 name R2-R3
!
interface GigabitEthernet0/1
 switchport access vlan 13
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet0/2
 switchport access vlan 23
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast edge trunk
!

R1:

!
hostname R1
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.1.13.1 255.255.255.0
 no shutdown
!
router bgp 100
 network 150.1.1.1 mask 255.255.255.255
 neighbor 192.1.13.3 remote-as 300
 neighbor 192.1.13.3 password UNINETS
!

R2:

!
hostname R2
!
interface Loopback0
 ip address 150.1.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.1.23.2 255.255.255.0
 no shutdown
!
router bgp 200
 network 150.1.2.2 mask 255.255.255.255
 neighbor 192.1.23.3 remote-as 300
 neighbor 192.1.23.3 password UNINETS
!

R3:

!
hostname R3
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.255
!
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.13
 encapsulation dot1Q 13
 ip address 192.1.13.3 255.255.255.0
!
interface GigabitEthernet0/0.23
 encapsulation dot1Q 23
 ip address 192.1.23.3 255.255.255.0
!
router bgp 300
 network 150.1.3.3 mask 255.255.255.255
 neighbor 192.1.13.1 remote-as 100
 neighbor 192.1.13.1 password UNINETS
 neighbor 192.1.23.2 remote-as 200
 neighbor 192.1.23.2 password UNINETS
!


BGP Authentication Methods

BGP uses TCP for transport, and because TCP already specifies an authentication mechanism, BGP relies on it instead of defining a separate internal one. Specifically, it uses TCP Option 19, the MD5 Signature Option.

Just as with OSPF MD5 authentication, if BGP authentication fails the peering relationship will not be established. The most basic way to verify that BGP authentication is working is therefore to look at the show ip bgp summary output and confirm that the peers are up.


The fact that prefixes are being received implies that the TCP session is up, but this can be verified further by viewing the BGP table, as seen below:


Beyond simply looking at the BGP configuration, authentication can be verified on a per-neighbor basis, as seen below:

A failure in BGP authentication will trigger a syslog message. Note: it may take a couple of minutes before these log messages appear.

Note that this is a different error message from the one seen when BGP authentication is simply not enabled on the peering, as shown below. (You may have to reset the BGP neighborship to see these logs, though this is not recommended in a production environment.)

This is an important difference that we will see later when BGP-authenticated sessions pass through either the ASA firewall or the IPS sensor, because the modifications they make to the IP header and payload will affect the TCP MD5 signature.
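As an added example (not part of the original article or Cisco's code), the following Python computes and verifies the TCP Option 19 MD5 signature as defined in RFC 2385 for a constructed SYN from R1 to R3 using the password UNINETS, and shows why a device that rewrites the IP source address in transit invalidates the digest. The ephemeral port, sequence number and window values are assumptions made up for the sample.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_OPTION_KIND = 19   # TCP Option 19: MD5 Signature Option (RFC 2385)
TCP_MD5_OPTION_LEN = 18    # kind (1) + length (1) + 16-byte digest

def tcp_md5_digest(seg, key):
    """RFC 2385 digest over the TCP pseudo-header, the fixed 20-byte TCP header
    with checksum zeroed (options excluded), the payload, and the shared key."""
    tcp_len = 20 + seg["options_len"] + len(seg["payload"])
    pseudo = (ipaddress.IPv4Address(seg["src_ip"]).packed
              + ipaddress.IPv4Address(seg["dst_ip"]).packed
              + struct.pack("!BBH", 0, 6, tcp_len))      # zero, IPPROTO_TCP, length
    data_offset = (20 + seg["options_len"]) // 4         # header length in 32-bit words
    header = struct.pack("!HHIIHHHH", seg["src_port"], seg["dst_port"], seg["seq"],
                         seg["ack"], (data_offset << 12) | seg["flags"],
                         seg["window"], 0, seg["urgent"])
    m = hashlib.md5()
    for part in (pseudo, header, seg["payload"], key):
        m.update(part)
    return m.digest()

def md5_option(digest):
    """Wire encoding of TCP Option 19 carrying the 16-byte digest."""
    return struct.pack("!BB", TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN) + digest

def verify_segment(seg, key, option_bytes):
    """Receiver-side check: option must be kind 19 / length 18 and the digest must match."""
    if option_bytes[0] != TCP_MD5_OPTION_KIND or option_bytes[1] != TCP_MD5_OPTION_LEN:
        return False
    return hmac.compare_digest(option_bytes[2:18], tcp_md5_digest(seg, key))

def rewrite_source(seg, new_src_ip):
    """Model a NAT device changing the IP source address in transit."""
    return {**seg, "src_ip": new_src_ip}

# Constructed sample SYN from R1 (192.1.13.1) to R3's BGP port 179; port, seq and window are made up.
SEGMENT = {"src_ip": "192.1.13.1", "dst_ip": "192.1.13.3",
           "src_port": 45678, "dst_port": 179, "seq": 0x1A2B3C4D, "ack": 0,
           "flags": 0x02, "window": 16384, "urgent": 0,
           "options_len": 20, "payload": b""}   # 18-byte option + 2 bytes of padding
KEY = b"UNINETS"

if __name__ == "__main__":
    opt = md5_option(tcp_md5_digest(SEGMENT, KEY))
    print("same password        :", verify_segment(SEGMENT, KEY, opt))                 # True
    print("wrong password       :", verify_segment(SEGMENT, b"WRONG", opt))            # False
    print("source IP rewritten  :", verify_segment(rewrite_source(SEGMENT, "10.0.0.1"), KEY, opt))  # False
```

Because the pseudo-header covers both IP addresses, any NAT or address rewrite between the peers produces the same "bad digest" outcome as a mismatched password, which is why such sessions must bypass translation or terminate on the translating device.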




Comments (2)

Dcancerian Student
29 Sep 2023 | 10:28 pm

It is a nice article. I prepared the same topology in GNS, and BGP authentication between the two peers is working. It is also right that the error messages are different when no password is configured and when a wrong password is configured between BGP peers.
Full marks to the author.

sanchit thareja Student
12 Oct 2023 | 11:40 pm

Hi Deepak, I read your blogs and most of them are with practical scenarios which are helping me to understand the concepts. Please keep doing this job. Thank you!!
