Authentication
This scenario verifies BGP peer-group password and encrypted-password inheritance. TCP MD5 authentication (RFC 2385) protects a BGP session against spoofed TCP segments: every segment carries an MD5 signature computed over the segment and a secret shared by both peers, and the receiving TCP stack silently discards any segment whose signature does not verify. Two configuration methods exist:
password <plain-text>: Accepts a plain-text password. The system stores and displays it in encrypted form, so the configurations in this scenario show the encrypted rendering even where the plain-text form was entered. Each side encrypts its own copy, so the rendered strings on two peers can differ while the underlying password is the same (Example 2).
encrypted-password <string>: Accepts a password already in the encrypted form, useful for bulk provisioning or configuration templates. Because the device must recover the plain-text secret to sign segments, this is reversible encryption rather than a one-way hash; copying the identical string to both peers (Example 4) guarantees that the secrets match.
When the passwords do not match between peers, the TCP MD5 signature check fails, the segments are dropped before BGP ever sees them, and the session never leaves the Connect or Active state (Up/Down shows never). When configured on a peer-group, all members of the group inherit the authentication credentials, which is why DUT0 below sets the password only on MYGROUP and not on the neighbor.
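The signature check described above, worked through as an added example (this is illustration code, not code from the original page or from the router software). It builds a BGP SYN from 10.10.0.200 to 10.10.0.100 signed with a constructed key, then verifies it on the receiving side with the right key, a wrong key, a tampered sequence number and no option at all, following RFC 2385 section 2 (MD5 over the pseudo-header, the fixed TCP header with checksum zeroed, the data, then the key). The key s3cret, the source port and the sequence number are assumptions.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not the router's code): RFC 2385 TCP MD5 signature option.
TCPOPT_MD5SIG = 19        # option kind assigned by RFC 2385
TCPOPT_NOP = 1
MD5SIG_OPT_LEN = 18       # kind (1) + length (1) + digest (16)
TCP_FIXED_HDR = 20        # TCP header without options


def _pseudo_header(src_ip, dst_ip, segment_len):
    # Source IP, destination IP, zero, protocol, TCP segment length (header+options+data).
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, options_len, key):
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte fixed TCP
    header with its checksum zeroed (the options themselves are not covered),
    the segment data, and finally the shared key."""
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]   # checksum field zeroed
    seg_len = TCP_FIXED_HDR + options_len + len(payload)
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, seg_len))
    m.update(hdr)
    m.update(payload)
    m.update(key)
    return m.digest()


def build_signed_syn(src_ip, dst_ip, sport, dport, seq, key):
    """SYN carrying the MD5 option (18 bytes + 2 NOPs to pad to 4-byte alignment)."""
    options_len = MD5SIG_OPT_LEN + 2
    data_offset = (TCP_FIXED_HDR + options_len) // 4          # 10 words = 40 bytes
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)   # 0x02 = SYN flag
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, b"", options_len, key)
    option = struct.pack("!BB", TCPOPT_MD5SIG, MD5SIG_OPT_LEN) + digest
    return fixed + option + bytes([TCPOPT_NOP, TCPOPT_NOP])


def build_unsigned_syn(sport, dport, seq):
    """Plain SYN with no options, as a peer with no password configured sends."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: locate the MD5 option, recompute the digest with the local
    key and compare in constant time. An unsigned segment on a signed connection
    is rejected too, so a peer without a password cannot talk to one that has one."""
    fixed = segment[:TCP_FIXED_HDR]
    data_offset = (fixed[12] >> 4) * 4
    options, payload = segment[TCP_FIXED_HDR:data_offset], segment[data_offset:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if length < 2:
            return False                   # malformed option, drop the segment
        if kind == TCPOPT_MD5SIG and length == MD5SIG_OPT_LEN:
            received = options[i + 2:i + MD5SIG_OPT_LEN]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, payload,
                              data_offset - TCP_FIXED_HDR, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed traffic: DUT1 (10.10.0.200) opening a session to DUT0 (10.10.0.100).
    syn = build_signed_syn("10.10.0.200", "10.10.0.100", 40000, 179, 0x1234, b"s3cret")
    for label, key in (("same key", b"s3cret"), ("mismatched key", b"wrong")):
        print(label, verify_segment("10.10.0.200", "10.10.0.100", syn, key))
```

Because the digest covers the pseudo-header and the sequence numbers, an attacker who does not hold the key cannot inject a RST or a forged UPDATE into the session even if they can observe it; and because a mismatched key fails at this layer, BGP itself never logs an OPEN, which is why the summary output in the mismatch examples shows zero messages received and sent.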
Test iBGP - Peer-group password authentication
Description
Test password and encrypted-password on a peer-group with match and mismatch scenarios.
Scenario
Example 1
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer peer-group MYGROUP
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 peer-group MYGROUP encrypted-password U2FsdGVkX1/4Qv3i875HevPX2lFxZEFt/x6y6gdGvfc=
set protocols bgp 20 peer-group MYGROUP remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1/+i+8p1TlYToQ2Ho9TerfmqzNnGk0eHZw=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session does NOT establish with mismatched password.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:
10.10.0.200.*never.*(Connect|Active)
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor     LocalAddr    V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State    PfxRcd  PfxSnt  Desc
10.10.0.200  10.10.0.100  4  20        0        0       0    0     0  never    Connect       0       0  N/A

Total number of neighbors 1
Attention
Verify DUT0 does NOT receive route 1.1.1.0/24.
Step 4: Run command protocols bgp show ip at DUT0 and check if output does not match the following regular expressions:
1.1.1.0/24
No BGP prefixes displayed, 0 exist
Example 2
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer peer-group MYGROUP
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 peer-group MYGROUP encrypted-password U2FsdGVkX1/e+TlpCqcrPqiIVw2zzh5lCzaFlcGTni4=
set protocols bgp 20 peer-group MYGROUP remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX18Dx7MMWa1oAy070WK8FwauQXDnRLTh67I=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session establishes with password authentication.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:
10.10.0.200.*Established
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 1, using 24 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor     LocalAddr    V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State        PfxRcd  PfxSnt  Desc
10.10.0.200  10.10.0.100  4  20        5        4       2    0     0  00:00:01  Established       2       0  FRRouting/10.4.1

Total number of neighbors 1
Attention
Verify DUT0 receives route 1.1.1.0/24 from DUT1.
Step 4: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:
1.1.1.0/24
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 20
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
*ui  1.1.1.0/24       10.10.0.200              0    100      0 ?
*ui  10.10.0.0/24     10.10.0.200              0    100      0 ?

Displayed 2 routes and 2 total paths
Example 3
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer peer-group MYGROUP
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 peer-group MYGROUP encrypted-password U2FsdGVkX1/JfGGaUkb0q6xZDfjT0zGOUcIEhx/qtR8=
set protocols bgp 20 peer-group MYGROUP remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX18uRcsq3kyWkTNh+EoR6KfyOblld5OvZ4I=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session does NOT establish with mismatched encrypted-password.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:
10.10.0.200.*never.*(Connect|Active)
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 24 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor     LocalAddr    V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State    PfxRcd  PfxSnt  Desc
10.10.0.200  10.10.0.100  4  20        0        0       0    0     0  never    Connect       0       0  N/A

Total number of neighbors 1
Attention
Verify DUT0 does NOT receive route 1.1.1.0/24.
Step 4: Run command protocols bgp show ip at DUT0 and check if output does not match the following regular expressions:
1.1.1.0/24
No BGP prefixes displayed, 0 exist
Example 4
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.10.0.100/24
set protocols bgp 20 neighbor peer peer-group MYGROUP
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 peer-group MYGROUP encrypted-password U2FsdGVkX1/JfGGaUkb0q6xZDfjT0zGOUcIEhx/qtR8=
set protocols bgp 20 peer-group MYGROUP remote-as 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces dummy dum0 address 1.1.1.1/24
set interfaces ethernet eth0 address 10.10.0.200/24
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1/JfGGaUkb0q6xZDfjT0zGOUcIEhx/qtR8=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Attention
Verify iBGP session establishes with encrypted-password authentication.
Step 3: Run command protocols bgp show ip summary at DUT0 and check if output matches the following regular expressions:
10.10.0.200.*Established
IPv4 Unicast Summary:
BGP router identifier 10.10.0.100, local AS number 20 VRF default vrf-id 0
BGP table version 2
RIB entries 3, using 384 bytes of memory
Peers 1, using 24 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor     LocalAddr    V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State        PfxRcd  PfxSnt  Desc
10.10.0.200  10.10.0.100  4  20        5        4       2    0     0  00:00:01  Established       2       0  FRRouting/10.4.1

Total number of neighbors 1
Attention
Verify DUT0 receives route 1.1.1.0/24 from DUT1.
Step 4: Run command protocols bgp show ip at DUT0 and check if output matches the following regular expressions:
1.1.1.0/24
BGP table version is 2, local router ID is 10.10.0.100, vrf id 0
Default local pref 100, local AS 20
local address -
Status codes:  s suppressed, d damped, h history, u unsorted, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
*ui  1.1.1.0/24       10.10.0.200              0    100      0 ?
*ui  10.10.0.0/24     10.10.0.200              0    100      0 ?

Displayed 2 routes and 2 total paths
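The peer-group inheritance exercised by the four examples above, as an added pre-commit check (illustration code, not code from the original page or from the router software). It parses the set protocols bgp lines of two DUTs, resolves which password each neighbor will actually sign with (neighbor-level setting first, otherwise the peer-group's; the precedence of a neighbor-level setting over the group is an assumption, since the examples only set one level per device), and predicts the outcome. The embedded configurations are copied from Example 4 (both DUTs) and Example 3 (DUT1). Note the deliberate limit: only byte-identical encrypted-password strings are reported as a match, because Example 2 shows that differing strings can still decrypt to the same secret, so a differing string is reported as unverifiable rather than as a mismatch.

```python
import re

# Added example (not the router's code): resolve the TCP MD5 password each
# neighbor inherits through its peer-group and compare two configurations.
SET_RE = re.compile(r"^set protocols bgp \d+ (neighbor|peer-group) (\S+) (\S+)(?: (.+))?$")

# Copied from the Example 4 and Example 3 'set' lines above (BGP lines only).
EXAMPLE4_DUT0 = """
set protocols bgp 20 neighbor peer peer-group MYGROUP
set protocols bgp 20 neighbor peer remote-address 10.10.0.200
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 peer-group MYGROUP encrypted-password U2FsdGVkX1/JfGGaUkb0q6xZDfjT0zGOUcIEhx/qtR8=
set protocols bgp 20 peer-group MYGROUP remote-as 20
"""
EXAMPLE4_DUT1 = """
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX1/JfGGaUkb0q6xZDfjT0zGOUcIEhx/qtR8=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
set protocols bgp 20 redistribute connected
"""
EXAMPLE3_DUT1 = """
set protocols bgp 20 neighbor peer encrypted-password U2FsdGVkX18uRcsq3kyWkTNh+EoR6KfyOblld5OvZ4I=
set protocols bgp 20 neighbor peer remote-address 10.10.0.100
set protocols bgp 20 neighbor peer remote-as 20
"""


def parse_bgp_config(text):
    """Return {'neighbor': {name: {attr: value}}, 'peer-group': {...}}."""
    cfg = {"neighbor": {}, "peer-group": {}}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue          # interface, redistribute and system lines are not needed here
        kind, name, attr, value = m.groups()
        cfg[kind].setdefault(name, {})[attr] = value.strip("'") if value else True
    return cfg


def effective_password(cfg, neighbor):
    """Return (attribute, value) the neighbor will sign with, or (None, None)
    if unsigned. Assumption: a neighbor-level password takes precedence,
    otherwise the neighbor inherits the peer-group's."""
    levels = [cfg["neighbor"].get(neighbor, {})]
    group = levels[0].get("peer-group")
    if group:
        levels.append(cfg["peer-group"].get(group, {}))
    for level in levels:
        for attr in ("encrypted-password", "password"):
            if attr in level:
                return attr, level[attr]
    return None, None


def compare_sides(cfg_a, neigh_a, cfg_b, neigh_b):
    """Predict the authentication outcome from the two configurations alone."""
    kind_a, val_a = effective_password(cfg_a, neigh_a)
    kind_b, val_b = effective_password(cfg_b, neigh_b)
    if kind_a is None and kind_b is None:
        return "unauthenticated"
    if kind_a is None or kind_b is None:
        return "mismatch"          # signed vs unsigned: the segments are discarded
    if kind_a == kind_b == "password":
        return "match" if val_a == val_b else "mismatch"
    if val_a == val_b:
        return "match"             # identical ciphertext decrypts to the same key
    # Different ciphertext is inconclusive: Example 2 establishes with differing
    # strings (same password encrypted separately per side), Example 3 does not.
    return "unverifiable"


if __name__ == "__main__":
    dut0 = parse_bgp_config(EXAMPLE4_DUT0)
    print("Example 4:", compare_sides(dut0, "peer", parse_bgp_config(EXAMPLE4_DUT1), "peer"))
    print("Example 3:", compare_sides(dut0, "peer", parse_bgp_config(EXAMPLE3_DUT1), "peer"))
```

For templated rollouts the practical rule that follows is the one Example 4 uses: generate the encrypted-password string once and push the identical string to every peer, so the check can confirm the match before commit instead of discovering it from a neighbor stuck in Connect.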