BGP IPv4 - MD5 Authentication

MD5 Authentication

BGP IPv4 MD5 Authentication is a security feature employed in Border Gateway Protocol (BGP) to enhance the integrity and authenticity of routing information exchanged between routers. It involves the use of Message Digest 5 (MD5) cryptographic hashing to create a secure hash value, which is transmitted along with BGP updates. This hash value acts as a digital signature, allowing routers to verify the legitimacy of received BGP messages. By implementing MD5 Authentication, network administrators can mitigate the risk of unauthorized route manipulations and ensure the trustworthiness of BGP peering relationships in their networks.
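How the hash value described above is built and checked, as an added example that is not part of the original guide: BGP MD5 authentication uses the TCP MD5 Signature Option (RFC 2385), so the digest covers each TCP segment of the session together with a password shared by both peers. The header fields, port numbers and password below are constructed sample values; the addresses are the R1 and R2 loopbacks from this lab.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6

def tcp_md5_digest(src_ip, dst_ip, tcp_fixed_header, payload, key):
    """Digest per RFC 2385: pseudo-header, option-less TCP header with a
    zeroed checksum, segment data, then the shared key."""
    header_len = (tcp_fixed_header[12] >> 4) * 4      # data offset counts options too
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, TCP_PROTO,
                         header_len + len(payload))
    header = bytearray(tcp_fixed_header[:20])         # options are excluded
    header[16:18] = b"\x00\x00"                       # checksum treated as zero
    return hashlib.md5(pseudo + bytes(header) + payload + key).digest()

def segment_is_authentic(src_ip, dst_ip, tcp_fixed_header, payload, key, received):
    """Receiver side: recompute with the local key, compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_fixed_header, payload, key)
    return hmac.compare_digest(expected, received)

# Constructed sample: R1 (11.0.1.1) sends a BGP KEEPALIVE to R2 (22.0.1.2), port 179.
# Data offset 10 = 20-byte fixed header + 20 bytes of options (18-byte MD5 option + padding).
HEADER = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 2000, 10 << 4, 0x18, 16384, 0xBEEF, 0)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"constructed-lab-password"   # placeholder, not from the page

def demo():
    """Return how the receiver (R2) treats four variants of the same segment."""
    sent = tcp_md5_digest("11.0.1.1", "22.0.1.2", HEADER, KEEPALIVE, KEY)
    check = lambda src, data, key: segment_is_authentic(src, "22.0.1.2", HEADER, data, key, sent)
    return {
        "matching key": check("11.0.1.1", KEEPALIVE, KEY),
        "wrong key": check("11.0.1.1", KEEPALIVE, b"other-password"),
        "modified payload": check("11.0.1.1", KEEPALIVE[:-1] + b"\x02", KEY),
        "different source address": check("12.0.0.1", KEEPALIVE, KEY),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'dropped'}")
```

On Cisco IOS the shared password is set per neighbor with `neighbor <address> password <string>` under `router bgp`, and it must be identical on both peers. RFC 2385 has been obsoleted by the TCP Authentication Option (RFC 5925), which is the preferred mechanism where both peers support it.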

Lab:

BGP Topology

Disclaimer

This Configuration Guide is designed to assist members in enhancing their skills in a particular technology area. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an “as is” basis. Neither the authors nor Forum assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this guide. This configuration guide was developed by Forum. Any similarities between material presented in this configuration guide and any other material are completely coincidental.

Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.2(4)M1, DEVELOPMENT TEST SOFTWARE

Task 1: Configure IPv4 BGP Process for Autonomous

Step 1: In configuration mode on each router, configure the IPv4 BGP and OSPF processes where needed with the following commands:

R1:
interface Loopback1
ip address 11.0.1.1 255.255.255.0
interface Loopback2
ip address 11.0.2.1 255.255.255.0
interface Loopback3
ip address 11.0.3.1 255.255.255.0
interface Serial2/0
ip address 12.0.0.1 255.255.255.0
no shutdown

router bgp 65100
neighbor 22.0.1.2 remote-as 65000
neighbor 22.0.1.2 ebgp-multihop 5
neighbor 22.0.1.2 update-source loopback 1
exit

ip route 22.0.1.2 255.255.255.255 12.0.0.2

R2:
interface Loopback1
ip address 22.0.1.2 255.255.255.0
interface Loopback2
ip address 22.0.2.2 255.255.255.0
interface Loopback3
ip address 22.0.3.2 255.255.255.0
interface Ethernet0/0
ip address 23.0.0.2 255.255.255.0
no shutdown
interface Serial2/0
ip address 12.0.0.2 255.255.255.0
no shutdown
exit

router ospf 1
interface Ethernet 0/0
ip ospf 1 area 0
exit
 
router bgp 65000
neighbor 11.0.1.1 remote-as 65100
neighbor 11.0.1.1 ebgp-multihop 5
neighbor 11.0.1.1 update-source Loopback 1
neighbor 23.0.0.3 remote-as 65000
neighbor 23.0.0.3 next-hop-self
exit

ip route 11.0.1.1 255.255.255.255 12.0.0.1

R3:
interface Loopback1
ip address 33.0.1.3 255.255.255.0
interface Loopback2
ip address 33.0.2.3 255.255.255.0
interface Loopback3
ip address 33.0.3.3 255.255.255.0
interface Ethernet0/0
ip address 23.0.0.3 255.255.255.0
no shutdown
interface Serial2/0
ip address 34.0.0.3 255.255.255.0
no shutdown
exit

router ospf 1
interface ethernet 0/0
ip ospf 1 area 0
exit

router bgp 65000
neighbor 23.0.0.2 remote-as 65000
neighbor 44.0.1.4 remote-as 65200
neighbor 44.0.1.4 ebgp-multihop 5
neighbor 44.0.1.4 update-source Loopback 1
exit

ip route 44.0.1.4 255.255.255.255 34.0.0.4

R4:
interface Loopback1
ip address 44.0.1.4 255.255.255.0
interface Loopback2
ip address 44.0.2.4 255.255.255.0
interface Loopback3
ip address 44.0.3.4 255.255.255.0
interface Serial2/0
ip address 34.0.0.4 255.255.255.0
no shutdown
exit

router bgp 65200
neighbor 33.0.1.3 remote-as 65000
neighbor 33.0.1.3 ebgp-multihop 5
neighbor 33.0.1.3 update-source Loopback1
exit

ip route 33.0.1.3 255.255.255.255 34.0.0.3

Step 2: Configure AS 65000 such that R3 will forward the 11.x.x.x/24 routes only if they are synchronized via OSPF.

R1:
router bgp 65100
network 11.0.1.0 mask 255.255.255.0
network 11.0.2.0 mask 255.255.255.0
network 11.0.3.0 mask 255.255.255.0
exit

Step 3: Verify that the routes appear in R2’s and R3’s BGP tables

NOTE: Because synchronization is turned off by default, the routes appear in R3’s BGP table.

R3#show bgp ipv4 unicast 
BGP table version is 4, local router ID is 33.0.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter, a additional-path
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop         Metric     LocPrf     Weight     Path
*>i11.0.1.0/24      23.0.0.2           0         100         0        65100 i
*>i11.0.2.0/24      23.0.0.2           0         100         0        65100 i
*>i11.0.3.0/24      23.0.0.2           0         100         0        65100 i

Step 4: Enable Synchronization on R3

R3:
router bgp 65000
synchronization
exit

Step 5: Verify whether Synchronization has taken place

R3#show bgp ipv4 unicast 
BGP table version is 4, local router ID is 33.0.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter, a additional-path
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop       Metric     LocPrf     Weight     Path
* i11.0.1.0/24      23.0.0.2         0         100        0         65100 i
* i11.0.2.0/24      23.0.0.2         0         100        0         65100 i
* i11.0.3.0/24      23.0.0.2         0         100        0         65100 i

Step 6: Redistribute BGP into OSPF on R2

R2:
router ospf 1
redistribute bgp 65000 subnets route-map cisco
route-map cisco permit 10
match ip address prefix-list disco
ip prefix-list disco seq 10 permit 11.0.2.0/24
ip prefix-list disco seq 15 permit 11.0.3.0/24
ip prefix-list disco seq 20 permit 11.0.1.0/24

Verify the Redistribution on R3

R3#show ip route | inc O E2
O E2     11.0.1.0 [110/1] via 23.0.0.2, 00:02:38, FastEthernet0/0
O E2     11.0.2.0 [110/1] via 23.0.0.2, 00:03:25, FastEthernet0/0
O E2     11.0.3.0 [110/1] via 23.0.0.2, 00:03:21, FastEthernet0/0

Hence redistribution has been done successfully.

NOTE: As soon as R3 receives the 11.0.x.0/24 routes via both OSPF and BGP, the routes synchronize with each other.

Step 7: Verification of Synchronization

R3#show bgp ipv4 unicast 
BGP table version is 13, local router ID is 33.0.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter, a additional-path
Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop       Metric      LocPrf      Weight     Path
r>i 11.0.1.0/24      23.0.0.2         0          100          0        65100 i
r>i 11.0.2.0/24      23.0.0.2         0          100          0        65100 i
r>i 11.0.3.0/24      23.0.0.2         0          100          0        65100 i

R3#sh ip bgp 11.0.1.0/24
BGP routing table entry for 11.0.1.0/24, version 2
Paths: (1 available, best #1, table default, RIB-failure(17))
Advertised to update-groups:
11        
Refresh Epoch 1
65100
23.0.0.2 from 23.0.0.2 (22.0.3.2)
Origin IGP, metric 0, localpref 100, valid, internal, synchronized, best

R3#sh ip bgp 11.0.2.0/24
BGP routing table entry for 11.0.2.0/24, version 3
Paths: (1 available, best #1, table default, RIB-failure(17))
Advertised to update-groups:
11        
Refresh Epoch 1
65100
23.0.0.2 from 23.0.0.2 (22.0.3.2)
Origin IGP, metric 0, localpref 100, valid, internal, synchronized, best

R3#sh ip bgp 11.0.3.0/24
BGP routing table entry for 11.0.3.0/24, version 4
Paths: (1 available, best #1, table default, RIB-failure(17))
Advertised to update-groups:
11        
Refresh Epoch 1
65100
23.0.0.2 from 23.0.0.2 (22.0.3.2)
Origin IGP, metric 0, localpref 100, valid, internal, synchronized, best


R3#sh ip protocols 
*** IP Routing is NSF aware ***
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 33.0.3.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Routing Information Sources:
Gateway         Distance      Last Update
2.2.2.2           110         00:09:14
22.0.3.2          110         00:07:17	
44.0.3.4          110         00:07:57
Distance: (default is 110)

R3#show bgp ipv4 unicast 
BGP table version is 4, local router ID is 33.0.3.3

NOTE: The router-ids for OSPF and BGP need to match for these routing protocols to synchronize with each other. If they do not match, the routes will not synchronize. In the above example, both OSPF and BGP have the same router-id by default and hence need no further configuration to synchronize.
The router-id for OSPF can be set using the “router-id x.x.x.x” command.
The router-id for BGP can be set using the “bgp router-id x.x.x.x” command.

R2:
router ospf 1
router-id 2.2.2.2
exit
clear ip ospf process

Verification on R3
R3#sh ip bgp 11.0.1.0/24                
BGP routing table entry for 11.0.1.0/24, version 5
Paths: (1 available, no best path)
Not advertised to any peer
Refresh Epoch 1
65100
23.0.0.2 from 23.0.0.2 (22.0.3.2)
Origin IGP, metric 0, localpref 100, valid, internal, not synchronized

Because the router-ids now do not match, the routes are not synchronized.