Adding MD5-enabled BGP Neighbors

Issue

Some organizations use MD5 on BGP for security reasons or because existing partners require MD5. This article describes how you can enable it.

Environment

  • Cumulus Linux, 2.1 and above.
  • This article assumes that you are using Quagga for your routing platform. The setup consists of two switches, AS 65000 and 65001, connected by the link 192.0.2.100/30.

Resolution

You enable MD5 for your BGP neighbors in one of two ways:

  • Using Quagga's modal CLI, vtysh.
  • By hand editing the Quagga.conf configuration file in Cumulus Linux.

Before you enable MD5, switch1's configuration looks like this:

quagga# show ip bgp sum
BGP router identifier 192.0.2.2, local AS number 65001
RIB entries 0, using 0 bytes of memory
Peers 1, using 6652 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.102     4 65000       2       3        0    0    0 00:00:04        0

Total number of neighbors 1

And switch2's configuration looks like this:

quagga# sho ip bgp sum
BGP router identifier 192.0.2.5, local AS number 65000
RIB entries 0, using 0 bytes of memory
Peers 1, using 6652 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.101     4 65001       2       3        0    0    0 00:00:49        0

Total number of neighbors 1

Enabling MD5 Using vtysh

  1. SSH into switch1.
  2. Run vtysh. If you are running Cumulus Linux 2.0 or later, sudo vtysh.
  3. Run these Quagga commands:
    quagga# configure terminal
    quagga(config)# router bgp 65000
    quagga(config-router)# neighbor 192.0.2.101 password mypassword
    
  4. SSH into switch2, then run these Quagga commands:
    quagga# configure terminal
    quagga(config)# router bgp 65001
    quagga(config-router)# neighbor 192.0.2.102 password mypassword
    
  5. When both sides are configured properly, BGP should reestablish automatically; confirm using show ip bgp summary on each switch. Here is the output from switch2:
    quagga# show ip bgp summary
    BGP router identifier 192.0.2.5, local AS number 65000
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.101     4 65001     257     284        0    0    0 00:08:11        0
    
    Total number of neighbors 1
    
  6. Run write memory on each switch if you want this configuration to persist after Quagga restarts.

Enabling MD5 by Hand Editing the Configuration

  1. SSH into switch1.
  2. Using a text editor (this article assumes vi), edit Quagga.conf.
  3. Run vi /etc/quagga/Quagga.conf. If you are running Cumulus Linux 2.0 or later, sudo vi /etc/quagga/Quagga.conf.
  4. Find switch1's BGP configuration (in vi, search for it with /bgp):
    router bgp 65000
    bgp router-id 192.0.2.2
    neighbor 192.0.2.101 remote-as 65001
  5. Enter insert mode, then add the following line:
    neighbor 192.0.2.101 password mypassword
  6. Save and exit (:wq!).
  7. Restart Quagga (service quagga restart).
    Warning: This will tear down any other layer 3 sessions and affect network traffic!
  8. Confirm this worked using cl-bgp summary:
    cumulus@switch:~$ sudo cl-bgp summary
    BGP router identifier 192.0.2.2, local AS number 65001
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.102     4 65000     200     227        0    0    0 00:00:03        0
    
    Total number of neighbors 1
    
  9. SSH into switch2, then edit Quagga.conf there:
    vi /etc/quagga/Quagga.conf
    If you are running Cumulus Linux 2.0 or later:
    sudo vi /etc/quagga/Quagga.conf
  10. Find switch2's BGP configuration (in vi, search for it with /bgp):
    router bgp 65001
    bgp router-id 192.0.2.5
    neighbor 192.0.2.102 remote-as 65000
  11. Enter insert mode, then add the following line:
    neighbor 192.0.2.102 password mypassword
  12. Save and exit (:wq!).
  13. Restart Quagga (service quagga restart).
    Warning: This will tear down any other layer 3 sessions and affect network traffic!
  14. Confirm this worked using cl-bgp summary:
    BGP router identifier 192.0.2.5, local AS number 65000
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 6652 bytes of memory
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.0.2.101     4 65001     255     282        0    0    0 00:06:29        0
    
    Total number of neighbors 1
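
What the neighbor password actually turns on is the RFC 2385 TCP MD5 signature option, which is why the session only comes back once both switches share the same string: a receiver with a password configured discards any segment whose signature does not verify. The following added example (not part of the Cumulus article or of Quagga) builds a constructed TCP segment carrying a BGP KEEPALIVE between the article's link addresses and shows the digest computation and check; the ports, sequence numbers and the sample payload are assumed values.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18          # RFC 2385 TCP option: kind 19, 18 bytes
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # constructed BGP KEEPALIVE

def tcp_md5_digest(src_ip, dst_ip, tcp_header, data, password):
    """RFC 2385: MD5(pseudo-header || fixed TCP header with checksum zeroed
    || data || password). Options enter only through the segment length."""
    seg_len = len(tcp_header) + len(data)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + data + password).digest()

def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack,
                         data, password):
    """Constructed PSH|ACK header (20 bytes + MD5 option + 2 NOPs) and data."""
    hdr_len = 20 + MD5_OPT_LEN + 2
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        (hdr_len // 4) << 4, 0x18, 65535, 0, 0)
    # the digest does not cover option bytes, so a zero-filled header of the
    # final length yields the same value as the finished header
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + b"\x00" * (hdr_len - 20),
                            data, password)
    option = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"
    return fixed + option, data

def verify_segment(src_ip, dst_ip, tcp_header, data, password):
    """True only when an MD5 option is present and matches; a receiver with a
    password configured discards any segment for which this is False."""
    opts, i = tcp_header[20:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:       # malformed option
            return False
        if kind == MD5_OPT_KIND and opts[i + 1] == MD5_OPT_LEN:
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, data, password)
            return hmac.compare_digest(opts[i + 2:i + 18], expected)
        i += opts[i + 1]
    return False
```

Note that the password is hashed as raw bytes, so a stray trailing space on one side fails verification just as a different password does.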
    