Adding MD5-enabled BGP Neighbors

Issue

Some organizations use MD5 on BGP for security reasons or because existing partners require MD5. This article describes how you can enable it.

Environment

  • Cumulus Linux, 2.1 and above.
  • This article assumes that you are using Quagga for your routing platform. The setup consists of two switches, AS 65000 and 65001, connected by the link 192.0.2.100/30.

Resolution

You can enable MD5 for your BGP neighbors in one of two ways:

  • Using Quagga's modal CLI, vtysh.
  • By hand editing the Quagga.conf configuration file in Cumulus Linux.

Before you enable MD5, the BGP summary on switch1 looks like this:

    quagga# show ip bgp sum
    BGP router identifier 192.0.2.2, local AS number 65001
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.102     4 65000       2       3        0    0    0 00:00:04        0

    Total number of neighbors 1

And the BGP summary on switch2 looks like this:

    quagga# sho ip bgp sum
    BGP router identifier 192.0.2.5, local AS number 65000
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.101     4 65001       2       3        0    0    0 00:00:49        0

    Total number of neighbors 1

Enabling MD5 Using vtysh

  1. SSH into switch1.
  2. Run vtysh. If you are running Cumulus Linux 2.0 or later, run sudo vtysh instead.
  3. Run these Quagga commands:
    quagga# configure terminal
    quagga(config)# router bgp 65000
    quagga(config-router)# neighbor 192.0.2.101 password mypassword
    
  4. SSH into switch2, then run these Quagga commands:
    quagga# configure terminal
    quagga(config)# router bgp 65001
    quagga(config-router)# neighbor 192.0.2.102 password mypassword
    
  5. When both sides are configured properly, BGP should reestablish automatically; confirm using show ip bgp summary on each switch. Here is the output from switch2:
    quagga# show ip bgp summary  
    BGP router identifier 192.0.2.5, local AS number 65000
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.101     4 65001     257     284        0    0    0 00:08:11        0
    
    Total number of neighbors 1
    
  6. Run write memory on each switch if you want this configuration to persist after Quagga restarts.

Enabling MD5 by Hand Editing the Configuration

  1. SSH into switch1.
  2. Using a text editor (the article assumes you are using vi), edit Quagga.conf.
  3. Run vi /etc/quagga/Quagga.conf. If you are running Cumulus Linux 2.0, run sudo vi /etc/quagga/Quagga.conf instead.
  4. Find switch1's BGP configuration under /bgp:
    router bgp 65000
    bgp router-id 192.0.2.2
    neighbor 192.0.2.101 remote-as 65001
  5. Enter insert mode, then add the following line:
    neighbor 192.0.2.101 password mypassword
  6. Save and exit (:wq!).
  7. Restart Quagga (service quagga restart).
    Warning: This will tear down any other layer 3 sessions and affect network traffic!
  8. Confirm this worked using cl-bgp summary:
    cumulus@switch:~$ sudo cl-bgp summary 
    BGP router identifier 192.0.2.2, local AS number 65001
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.102     4 65000     200     227        0    0    0 00:00:03        0
    
    Total number of neighbors 1
    
  9. SSH into switch2, then edit Quagga.conf there:
    vi /etc/quagga/Quagga.conf
    If you are running Cumulus Linux 2.0 or later:
    sudo vi /etc/quagga/Quagga.conf
  10. Find switch2's BGP configuration under /bgp:
    router bgp 65001
    bgp router-id 192.0.2.5
    neighbor 192.0.2.102 remote-as 65000
  11. Enter insert mode, then add the following line:
    neighbor 192.0.2.102 password mypassword
  12. Save and exit (:wq!).
  13. Restart Quagga (service quagga restart).
    Warning: This will tear down any other layer 3 sessions and affect network traffic!
  14. Confirm this worked using cl-bgp summary:
    BGP router identifier 192.0.2.5, local AS number 65000
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.101     4 65001     255     282        0    0    0 00:06:29        0
    
    Total number of neighbors 1
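
An added example (not from the original article or from Cumulus Networks): a Python check that reads a Quagga.conf in the format shown above and lists BGP neighbors that still have no password line, which is useful after either procedure. It goes beyond the article by also honouring a password set on a peer-group; the function name, the sample config, neighbors 192.0.2.106 and 192.0.2.110, and the LEAF group are constructed for illustration.

```python
import re

# Constructed sample in the article's Quagga.conf format. Neighbors 192.0.2.106
# and 192.0.2.110 and the peer-group LEAF are hypothetical additions.
SAMPLE_CONF = """\
router bgp 65000
 bgp router-id 192.0.2.2
 neighbor 192.0.2.101 remote-as 65001
 neighbor 192.0.2.101 password mypassword
 neighbor 192.0.2.106 remote-as 65002
 neighbor LEAF peer-group
 neighbor LEAF password mypassword
 neighbor 192.0.2.110 remote-as 65003
 neighbor 192.0.2.110 peer-group LEAF
!
"""

NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+(remote-as|password|peer-group)\b\s*(.*)$")

def neighbors_without_md5(conf_text):
    """Return sorted (local_as, neighbor) pairs that have no MD5 password,
    neither on their own 'neighbor ... password' line nor via a peer-group."""
    local_as = None
    peers, groups, protected, member_of = set(), set(), set(), {}
    for line in conf_text.splitlines():
        section = re.match(r"^router\s+(\S+)\s*(\d*)", line)
        if section:  # only 'router bgp <asn>' opens a BGP section
            local_as = section.group(2) if section.group(1) == "bgp" else None
            continue
        m = NEIGHBOR.match(line)
        if not m or not local_as:
            continue
        key, keyword, value = (local_as, m.group(1)), m.group(2), m.group(3).strip()
        if keyword == "remote-as":
            peers.add(key)
        elif keyword == "password" and value:
            protected.add(key)
        elif keyword == "peer-group":
            if value:
                member_of[key] = (local_as, value)  # neighbor X peer-group NAME
            else:
                groups.add(key)                     # neighbor NAME peer-group
    candidates = (peers | set(member_of)) - groups
    return sorted(k for k in candidates
                  if k not in protected and member_of.get(k) not in protected)

if __name__ == "__main__":
    for asn, peer in neighbors_without_md5(SAMPLE_CONF):
        print(f"AS {asn}: neighbor {peer} has no password configured")
```

To audit a switch, pass the text of /etc/quagga/Quagga.conf to neighbors_without_md5. The file contains each password exactly as it was typed, so handle any copy of it accordingly.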
    
