BGP Neighbor Authentication Overview

BGP neighbor authentication ensures that a neighbor relationship is established only with a legitimate BGP router. By design, BGP requires both routers to explicitly configure each other as neighbors, so, unlike OSPF or EIGRP, routers do not become neighbors on their own. Even so, authenticating BGP neighbors is important for establishing secure neighbor relationships.

Configuring BGP Neighbor Authentication

Authentication for BGP neighbors is very simple. The command is as follows.

Router(config)#router bgp <AS>
Router(config-router)#neighbor <ip-address> password <password>

<AS>: AS number
<ip-address>: Neighbor IP address
<password>: Case-sensitive password

Example of BGP neighbor authentication configuration

Configure neighbor authentication for the network shown in the following diagram.

Fig. Configuring BGP neighbor authentication

Configure neighbor authentication on R1 and ISP1.

R1 BGP neighbor authentication

router bgp 100
 neighbor 172.16.1.11 password n-study

ISP1 neighbor authentication

router bgp 1
 neighbor 172.16.1.1 password n-study

If the state of the neighbor is Established, the authentication is working correctly. There are two ways in which authentication can go wrong:

  1. Only one of the routers has the neighbor password command configured.
    The following message is displayed:
    *Mar 1 00:19:16.960: %TCP-6-BADAUTH: No MD5 digest from 172.16.1.11(179) to 172.16.1.1(11000) (RST)
  2. The configured passwords do not match.
    The following message is displayed:
    *Mar 1 00:27:54.015: %TCP-6-BADAUTH: Invalid MD5 digest from 172.16.1.11(179) to 172.16.1.1(11002)

As with any password configuration, not only BGP neighbor authentication, be careful not to include a trailing space at the end of the password string.
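
When triaging a router syslog, the two %TCP-6-BADAUTH messages above can be separated mechanically and mapped to their cause per neighbor. The following Python script is an added example, not part of the original article or of any Cisco tooling; the sample log is constructed from the two messages shown above, and the names diagnose and CAUSES are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the two messages shown in the article.
SAMPLE_LOG = """\
*Mar 1 00:19:16.960: %TCP-6-BADAUTH: No MD5 digest from 172.16.1.11(179) to 172.16.1.1(11000) (RST)
*Mar 1 00:19:18.964: %TCP-6-BADAUTH: No MD5 digest from 172.16.1.11(179) to 172.16.1.1(11000) (RST)
*Mar 1 00:27:54.015: %TCP-6-BADAUTH: Invalid MD5 digest from 172.16.1.11(179) to 172.16.1.1(11002)
*Mar 1 00:30:01.120: %BGP-5-ADJCHANGE: neighbor 172.16.1.11 Up
"""

# Message keyword -> cause, following the two cases listed in the article.
CAUSES = {
    "No": "only one side has 'neighbor <ip-address> password' configured",
    "Invalid": "configured passwords do not match (check case and trailing spaces)",
}

BADAUTH = re.compile(
    r"%TCP-6-BADAUTH: (?P<kind>No|Invalid) MD5 digest "
    r"from (?P<src>[\d.]+)\((?P<sport>\d+)\) to (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

BGP_PORT = "179"  # BGP runs over TCP port 179


def diagnose(log_text):
    """Return {(sender, receiver): {cause: count}} for BGP-related BADAUTH lines."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = BADAUTH.search(line)
        if m is None:
            continue  # not a BADAUTH message
        # Ignore BADAUTH for TCP sessions that are not BGP.
        if BGP_PORT not in (m["sport"], m["dport"]):
            continue
        findings[(m["src"], m["dst"])][CAUSES[m["kind"]]] += 1
    return {pair: dict(causes) for pair, causes in findings.items()}


if __name__ == "__main__":
    for (src, dst), causes in diagnose(SAMPLE_LOG).items():
        for cause, count in causes.items():
            print(f"{src} -> {dst}: {count}x {cause}")
```
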