BGP Authentication and Troubleshooting

Created by Deepak Sharma in Articles 23 Jun 2024

«What is BGP and How Does it Work?

Cisco BGP Authentication - Tasks

● Configure BGP on R01, R02, and R03 as per above topology.

● Use BGP ASN's 100, 200, and 300, respectively.

● Advertise the Loopback networks of the routers into BGP.

● R03 should peer with both R01 and R02.

● Configure BGP MD5 Authentication in these peering with the password UNINETS.

Please note, before begin to learn about it, you should be very well aware about what is BGP and how it works. Here in this configuration we are more focused on a scenario where both peers require BGP authentication and perform troubleshooting if required.

BGP Authentication and other Configuration Commands

SW1:

!
hostname SW1
!
vlan 13
name R1-R3
vlan 23
name R2-R3
!
interface GigabitEthernet0/1
switchport access vlan 13
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet0/2
switchport access vlan 23
switchport mode access
spanning-tree portfast edge
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast edge trunk
!

R1:

hostname R1
!
interface Loopback0
ip address 150.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.1.13.1 255.255.255.0
no shutdown
!
router bgp 100
network 150.1.1.1 mask 255.255.255.255
neighbor 192.1.13.3 remote-as 300
neighbor 192.1.13.3 password UNINETS
!

R2:

!
hostname R2
!
interface Loopback0
ip address 150.1.2.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.1.23.2 255.255.255.0
no shutdown
!
router bgp 200
network 150.1.2.2 mask 255.255.255.255
neighbor 192.1.23.3 remote-as 300
neighbor 192.1.23.3 password UNINETS
!

R3:

!
hostname R3
!
interface Loopback0
ip address 150.1.3.3 255.255.255.255
!
interface GigabitEthernet0/0
no ip address
no shutdown
!
interface GigabitEthernet0/0.13
encapsulation dot1Q 13
ip address 192.1.13.3 255.255.255.0
!
interface GigabitEthernet0/0.23
encapsulation dot1Q 23
ip address 192.1.23.3 255.255.255.0
!
router bgp 300
network 150.1.3.3 mask 255.255.255.255
neighbor 192.1.13.1 remote-as 100
neighbor 192.1.13.1 password UNINETS
neighbor 192.1.23.2 remote-as 200
neighbor 192.1.23.2 password UNINETS
!

BGP Authentication Methods

BGP uses TCP for transport, and because TCP already has a specification for authentication, BGP uses TCP authentication instead of a separate internal mechanism. Specifically, it uses TCP Option 19, which is the MD5 Signature Option.

Just like in OSPF md5 authentication types, here also if BGP authentication fails, a peering relationship will not be established. Therefore, the most basic way to verify that BGP authentication is working is to look at the show ip bgp summary output and ensure that the peers are up.

banner image

The fact that prefixes are being received implies that the TCP session is up, but this could be further verified by viewing the BGP table, as seen below:

banner image

Outside of simply looking at the BGP configuration, authentication can be verified on a per-neighbor basis, as seen below:

banner image

A failure in BGP authentication will trigger a syslog message: Note- It may take couple of minutes before these log messages appear.

banner image

Note that this is a different error message than if bgp authentication is simply not enabled on the peering, such as seen below: (You may have to reset the BGP neighborship to see these logs) though this is not recommended in production environment.

banner image

This is an important difference that we will see later when BGP authenticated sessions pass through either the ASA firewall or the IPS sensor, because the modifications they do to the IP header and payload will affect the TCP MD5 signature.

BGP States: Troubleshoot Active Neighbor»

Deepak Sharma

He is a senior solution network architect and currently working with one of the largest financial company. He has an impressive academic and training background. He has completed his B.Tech and MBA, which makes him both technically and managerial proficient. He has also completed more than 450 online and offline training courses, both in India and ...

More... | Author`s Bog | Book a Meeting

#Explore latest news and articles

25 Jun 2024

BGP Best Path Selection Criteria

Understand BGP best path selection criteria & algorithm based on prefix attributes using weight configuration scenarios on Cisco routers. Read More!

Deepak Sharma

23 Jun 2024

BGP MED Attribute Configuration Example

Understand the BGP MED attribute using a Practical Scenario Configuration on BGP Lab @ UniNets.

Deepak Sharma

23 Jun 2024

OSPF MD5 Authentication: Securing OSPF

Dive into OSPF MD5 authentication and troubleshooting steps. Discover the importance and setup of OSPF authentication in networks.

Deepak Sharma

Comments (2)

Dcancerian Student

29 Sep 2023 | 10:28 pm

It is a nice article, I prepared the same topology in GNS and BGP authentication between two peers are working. It is also right that error messages are different when password is not configured and wrong password is configured between bgp peers.
Full marks to the author.

sanchit thareja Student

12 Oct 2023 | 11:40 pm

Hi Deepak, I read your blogs and most of them are with practical scenarios which are helping me to understand the concepts. Please keep doing this job. Thank you!!