● Configure BGP on R01, R02, and R03 as per above topology.
● Use BGP ASN's 100, 200, and 300, respectively.
● Advertise the Loopback networks of the routers into BGP.
● R03 should peer with both R01 and R02.
● Configure BGP MD5 Authentication in these peering with the password UNINETS.
Please note, before begin to learn about it, you should be very well aware about what is BGP and how it works. Here in this configuration we are more focused on a scenario where both peers require BGP authentication and perform troubleshooting if required.
SW1:
! |
R1:
! hostname R1 |
R2:
! |
R3:
! |
BGP uses TCP for transport, and because TCP already has a specification for authentication, BGP uses TCP authentication instead of a separate internal mechanism. Specifically, it uses TCP Option 19, which is the MD5 Signature Option.
Just like in OSPF md5 authentication types, here also if BGP authentication fails, a peering relationship will not be established. Therefore, the most basic way to verify that BGP authentication is working is to look at the show ip bgp summary output and ensure that the peers are up.
The fact that prefixes are being received implies that the TCP session is up, but this could be further verified by viewing the BGP table, as seen below:
Outside of simply looking at the BGP configuration, authentication can be verified on a per-neighbor basis, as seen below:
A failure in BGP authentication will trigger a syslog message: Note- It may take couple of minutes before these log messages appear.
Note that this is a different error message than if bgp authentication is simply not enabled on the peering, such as seen below: (You may have to reset the BGP neighborship to see these logs) though this is not recommended in production environment.
This is an important difference that we will see later when BGP authenticated sessions pass through either the ASA firewall or the IPS sensor, because the modifications they do to the IP header and payload will affect the TCP MD5 signature.
He is a senior solution network architect and currently working with one of the largest financial company. He has an impressive academic and training background. He has completed his B.Tech and MBA, which makes him both technically and managerial proficient. He has also completed more than 450 online and offline training courses, both in India and ...
More... | Author`s Bog | Book a MeetingHi Deepak, I read your blogs and most of them are with practical scenarios which are helping me to understand the concepts. Please keep doing this job. Thank you!!
It is a nice article, I prepared the same topology in GNS and BGP authentication between two peers are working. It is also right that error messages are different when password is not configured and wrong password is configured between bgp peers.
Full marks to the author.