Cisco Systems 78-11741-02 Wireless Office Headset User Manual


 
Configuring BGP
Configuring Advanced BGP Features
IPC-323
Cisco IOS IP Configuration Guide
Configuring MD5 Authentication for BGP Peering Sessions
You can configure MD5 authentication between two BGP peers, meaning that each segment sent on the
TCP connection between the peers is verified. MD5 authentication must be configured with the same
password on both BGP peers; otherwise, the connection between them will not be made. Configuring
MD5 authentication causes the Cisco IOS software to generate and check the MD5 digest of every
segment sent on the TCP connection. If authentication is invoked and a segment fails authentication,
an error message is displayed on the console.
When configuring MD5 authentication, you can enter a case-sensitive password of up to 25 characters.
The string can contain any alphanumeric characters, including spaces. A password cannot be configured
in the number-space-anything format, because the space after the number can cause authentication to fail.
You can also use any combination of the following symbolic characters along with alphanumeric characters:
` ~ ! @ # $ % ^ & * ( ) - _ = + | \ } ] { [ " ' : ; / > < . , ?
Caution If the authentication string is configured incorrectly, the BGP peering session will not be established.
We recommend that you enter the authentication string carefully and verify that the peering session
is established after authentication is configured.
Old Behavior
In previous versions of Cisco IOS software, configuring MD5 authentication for a BGP peering session
was generally considered to be difficult because the initial configuration and any subsequent MD5
configuration changes required the BGP neighbor to be reset.
New Behavior
This behavior has been changed in current versions of Cisco IOS software. CSCdx23494 introduced a
change to MD5 authentication for BGP peering sessions. The BGP peering session does not need to be
reset to maintain or establish the peering session for initial configuration or after the MD5 configuration
has been changed. However, the configuration must be completed on both the local and remote BGP peer
before the BGP hold timer expires. If the holddown timer expires before the MD5 configuration has been
completed on both BGP peers, the BGP session will time out.
When the password has been configured, the MD5 key is applied to the TCP session immediately. If one
peer is configured before the other, the TCP segments will be discarded on both the local and remote
peers due to an authentication failure. The peer that is configured with the password will print an error
message in the console similar to the following:
00:03:07: %TCP-6-BADAUTH: No MD5 digest from 10.0.0.2(179) to 10.0.0.1(11000)
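The per-segment check described above, as an added example that is not Cisco's code: a Python model of the RFC 2385 TCP MD5 signature option (kind 19) that BGP MD5 authentication relies on. The sender digests the pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the payload and the shared key, and carries the 16-byte result in the option; the receiver recomputes it with its own key. Addresses, ports, the password and the BGP KEEPALIVE payload are constructed; the receiver policy for a peer that has no password configured yet (signed segments are dropped) follows the text above, not a particular vendor implementation.

```python
"""Model of the RFC 2385 TCP MD5 signature option as used by BGP MD5 authentication.
Constructed example; not Cisco IOS code."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19      # TCP option kind for the RFC 2385 MD5 signature
MD5_OPT_LEN = 18       # kind (1) + length (1) + 16-byte digest
BGP_PORT = 179


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest over: pseudo-header (src, dst, zero, proto, TCP length
    including options), the fixed 20-byte TCP header with checksum zeroed and
    options excluded, the segment data, and finally the shared key (password)."""
    tcp_len = len(tcp_header) + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                       # checksum assumed zero
    return hashlib.md5(pseudo + bytes(fixed) + bytes(payload) + key).digest()


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key=None):
    """Sender side. With a key, append the 18-byte option plus two NOPs so the
    options field stays 32-bit aligned (header = 40 bytes, data offset 10)."""
    opt_len = 20 if key is not None else 0
    data_offset = (20 + opt_len) // 4
    flags = 0x18                                     # PSH|ACK
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      data_offset << 4, flags, 65535, 0, 0)
    if key is None:
        return hdr + payload
    # The digest covers the option field's length but not its bytes, so a
    # zero-filled placeholder of the right size is enough to compute it.
    placeholder = bytes(opt_len)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + placeholder, payload, key)
    option = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"
    return hdr + option + payload


def find_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest or None if absent."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                                # End of option list
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                               # malformed option, stop
            break
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return bytes(segment[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side. key=None models a peer whose password is not configured yet."""
    end = (segment[12] >> 4) * 4
    header, payload = segment[:end], segment[end:]
    received = find_md5_option(segment)
    if key is None:
        return received is None                      # unconfigured peer drops signed segments
    if received is None:
        return False                                 # "No MD5 digest": segment dropped
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received, expected)   # mismatch: segment dropped


def demo():
    """Constructed exchange: 10.0.0.1:11000 -> 10.0.0.2:179 carrying one BGP KEEPALIVE."""
    a, b = "10.0.0.1", "10.0.0.2"
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # marker, length 19, type 4
    signed = build_segment(a, b, 11000, BGP_PORT, 1000, 2000, keepalive, b"s3cret")
    unsigned = build_segment(a, b, 11000, BGP_PORT, 1000, 2000, keepalive)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])     # flip a payload bit in flight
    return {
        "same_key": verify_segment(a, b, signed, b"s3cret"),
        "wrong_key": verify_segment(a, b, signed, b"s3cret2"),
        "peer_not_yet_configured": verify_segment(a, b, signed, None),
        "unsigned_to_configured_peer": verify_segment(a, b, unsigned, b"s3cret"),
        "payload_tampered": verify_segment(a, b, tampered, b"s3cret"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} {'accepted' if accepted else 'dropped'}")
```

Only the `same_key` case is accepted. The two middle cases are the window the text warns about: until both peers hold the same password, the configured peer drops unsigned segments and the unconfigured peer drops signed ones, so no keepalives get through and the session times out when the hold timer expires.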
The time period in which the password must be changed is typically the lifetime of a stale BGP session.
When the password or MD5 key is configured, incoming TCP segments will only be accepted if the key
is known. If the key is unknown on either the remote or the local peer, the TCP segments will be dropped,
and the BGP session will time out when the holddown timer expires.
If the BGP session has been preconfigured with a hold time of 0 seconds, no keepalive messages will be
sent. The BGP session will stay up until one of the peers, on either side, tries to transmit a message (for
example, a prefix update).
Note Configuring a new timer value for the holddown timer will only take effect after the session has been
reset. So, it is not possible to change the configuration of the holddown timer to avoid resetting the BGP
session.