BGP Authentication

OcNOS-SP : Layer 3 Guide : Layer 3 Unicast Configuration Guide : BGP : BGP Authentication

BGP Authentication

BGP authentication allows users to receive selected routing information, enhancing security of their network traffic. When BGP authentication is enabled on a router, the router verifies routing packets it receives by exchanging a password that is configured on both the sending and receiving routers.

In this example, both R1 and R2 have ABC as the password. Configure the same password on all routers that are to communicate using BGP in a network.

Topology

Figure 1-38: BGP Authentication

Configuration

#configure terminal	Enter configure mode
(config)#interface xe0	Enter interface mode
(config-if)#ip address 10.10.10.10/24	Assign ip address
(config-if)#exit	Exit interface mode
(config)#router bgp 200	Enter BGP router mode
(config-router)#neighbor 10.10.10.11 remote-as 300	Configure neighborship
(config-router)#neighbor 10.10.10.11 authentication-key 0 ABC	Configure authentication for BGP neighbors
(config-router)#address-family ipv4 unicast	Enter ipv4 address family
(config-router-af)#neighbor 10.10.10.11 activate	Activate neighborship
(config-router-af)#exit-address-family	Exit address family
(config-router)#exit	End config mode
(config)#commit	Commit the candidate configuration to the running configuration.

#configure terminal	Enter configure mode
(config)#interface ce2/1	Enter interface mode
(config-if)#ip address 10.10.10.11/24	Assign ip address
(config-if)#exit	Exit interface mode
(config)#router bgp 200	Enter BGP router mode
(config-router)#neighbor 10.10.10.10 remote-as 200	Configure neighborship
(config-router)#neighbor 10.10.10.10 authentication-key 0 ABC	Configure authentication for BGP neighbors
(config-router)#address-family ipv4 unicast	Enter ipv4 address family
(config-router-af)#neighbor 10.10.10.10 activate	Activate neighborship
(config-router-af)#exit-address-family	Exit address family
(config-router)#exit	End config mode
(config)#commit	Commit the candidate configuration to the running configuration.

Validation

#show running-config bgp

router bgp 200

neighbor 10.10.10.11 remote-as 300

neighbor 10.10.10.11 authentication-key 0x624ac41428f81e33

address-family ipv4 unicast

neighbor 10.10.10.11 activate

exit-address-family

#show ip bgp neighbors

BGP neighbor is 10.10.10.11, remote AS 300, local AS 200, external link

BGP version 4, local router ID 22.22.22.22, remote router ID 2.2.2.2

BGP state = Established, up for 00:09:14

Last read 00:00:19, hold time is 90, keepalive interval is 30 seconds

Neighbor capabilities:

Route refresh: advertised and received (old and new)

Address family IPv4 Unicast: advertised and received

Received 23 messages, 0 notifications, 0 in queue

Sent 24 messages, 0 notifications, 0 in queue

Route refresh request: received 0, sent 0

Minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast

BGP table version 1, neighbor version 1

Index 1, Offset 0, Mask 0x2

Community attribute sent to this neighbor (both)

0 accepted prefixes

0 announced prefixes

Connections established 1; dropped 0

Local host: 10.10.10.10, Local port: 179

Foreign host: 10.10.10.11, Foreign port: 37590

Nexthop: 10.10.10.10

Nexthop global: ::

Nexthop local: ::

BGP connection: non shared network

#show running-config bgp

router bgp 300

neighbor 10.10.10.10 remote-as 200

neighbor 10.10.10.10 authentication-key 0x624ac41428f81e33

address-family ipv4 unicast

neighbor 10.10.10.10 activate

exit-address-family

#show ip bgp neighbors

BGP neighbor is 10.10.10.10, remote AS 200, local AS 300, external link

BGP version 4, local router ID 2.2.2.2, remote router ID 22.22.22.22

BGP state = Established, up for 00:13:57

Last read 00:00:22, hold time is 90, keepalive interval is 30 seconds