IP : 边界网关协议(BGP)

在 BGP 对等体之间进行 MD5 认证的配置示例

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 23 日) | 反馈


目录


简介

本文档描述如何在两个 BGP 对等体之间的 TCP 连接上配置 Message Digest5 (MD5) 身份验证。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档不限于特定的软件和硬件版本。

在本文显示的命令输出从运行IOS 版本12.4(15)T14的3660系列路由器被采取了。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

背景信息

您可以在两个 BGP 对等体之间配置 MD5 身份验证,这意味着在这些对等体之间的 TCP 连接上发送的每个分段都将经过验证。在两个 BGP 对等体上必须使用同一个口令配置 MD5 身份验证;否则,不会在它们之间建立连接。配置 MD5 身份验证将导致 Cisco IOS 软件生成和检查在 TCP 连接上发送的每个分段的 MD5 摘要。

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

本文档使用以下网络设置:

/image/gif/paws/112188/configure-md5-bgp-01.gif

配置

本文档使用以下配置:

路由器 0 配置
R0#!
interface Loopback70
 ip address 70.70.70.70 255.255.255.255
!
interface Serial1/0
 ip address 10.10.10.1 255.255.255.0
 serial restart-delay 0
!
router bgp 400
 no synchronization
 bgp log-neighbor-changes
 neighbor 80.80.80.80 remote-as 400 

!--- iBGP Configuration using Loopback Address

 neighbor 80.80.80.80 password cisco   

!--- Invoke MD5 authentication on a TCP connection to a BGP peer

 neighbor 80.80.80.80 update-source Loopback70
 no auto-summary
!
ip route 80.80.80.80 255.255.255.255 10.10.10.2 

!--- This static route ensures that the remote peer address used for peering
!--- is reachable.

 .
 .
  

路由器 1 配置
R1#
!
interface Loopback80
 ip address 80.80.80.80 255.255.255.255
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.0
 serial restart-delay 0
!
router bgp 400
 no synchronization
 bgp log-neighbor-changes
 neighbor 70.70.70.70 remote-as 400

!--- iBGP Configuration using Loopback Address
  
 neighbor 70.70.70.70 password cisco 

!--- Invoke MD5 authentication on a TCP connection to a BGP peer

 neighbor 70.70.70.70 update-source Loopback80
 no auto-summary
!
ip route 70.70.70.70 255.255.255.255 10.10.10.1 

!--- This static route ensures that the remote peer address used for peering
!--- is reachable.

 .
 .
 .
 

了解调试

R0#
clear ip bgp *

R0#
*Mar  1 01:02:17.523: %BGP-5-ADJCHANGE: neighbor 80.80.80.80 Down User reset
R0#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
*Mar  1 01:03:58.159: BGP: 80.80.80.80 open failed: Connection timed out; 
    remote host not responding, open active delayed 1782ms (2000ms max, 28% 
    jitter)
*Mar  1 01:03:58.415: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 01:03:59.943: BGP: 80.80.80.80 open active, local address 70.70.70.70
*Mar  1 01:04:00.039: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(179) to
    70.70.70.70(64444)
*Mar  1 01:04:00.807: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(33358) 
    to 70.70.70.70(179)
*Mar  1 01:04:01.991: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(179) to
    70.70.70.70(64444)
*Mar  1 01:04:01.995: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(179) to
    70.70.70.70(64444)
*Mar  1 01:04:05.995: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(179) to
    70.70.70.70(64444)
*Mar  1 01:04:06.015: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(179) to
    70.70.70.70(64444)
*Mar  1 01:04:14.023: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(179) to
    70. 70.70.70(64444)
*Mar  1 01:04:14.023: %TCP-6-BADAUTH: No MD5 digest from 80.80.80.80(179) to
    70.70.70.70(64444)
*Mar  1 01:04:29.947: BGP: 80.80.80.80 open failed: Connection timed out; 
    remote host not responding, open active delayed 3932ms (4000ms max, 28% 
    jitter)
*Mar  1 01:04:33.879: BGP: 80.80.80.80 open active, local address 70.70.70.70
*Mar  1 01:04:33.983: BGP: 80.80.80.80 went from Active to OpenSent
*Mar  1 01:04:33.983: BGP: 80.80.80.80 sending OPEN, version 4, my as: 400, 
    hold time 180 seconds
*Mar  1 01:04:33.987: BGP: 80.80.80.80 send message type 1, length (incl.
    header ) 45
*Mar  1 01:04:34.091: BGP: 80.80.80.80 rcv message type 1, length (excl. 
    header) 26
*Mar  1 01:04:34.091: BGP: 80.80.80.80 rcv OPEN, version 4, holdtime 180 seconds
*Mar  1 01:04:34.091: BGP: 80.80.80.80 rcv OPEN w/ OPTION parameter len: 16
*Mar  1 01:04:34.095: BGP: 80.80.80.80 rcvd OPEN w/ optional parameter type 2 
    (Capability) len 6
*Mar  1 01:04:34.095: BGP: 80.80.80.80 OPEN has CAPABILITY code: 1, length 4
*Mar  1 01:04:34.095: BGP: 80.80.80.80 OPEN has MP_EXT CAP for afi/safi: 1/1
*Mar  1 01:04:34.095: BGP: 80.80.80.80 rcvd OPEN w/ optional parameter type 2 
    (Capability) len 2
*Mar  1 01:04:34.095: BGP: 80.80.80.80 OPEN has CAPABILITY code: 128, length 0
*Mar  1 01:04:34.099: BGP: 80.80.80.80 OPEN has ROUTE-REFRESH capability(old) 
    for all address-families
*Mar  1 01:04:34.099: BGP: 80.80.80.80 rcvd OPEN w/ optional parameter type 2 
    (Capability) len 2
*Mar  1 01:04:34.099: BGP: 80.80.80.80 OPEN has CAPABILITY code: 2, length 0
*Mar  1 01:04:34.099: BGP: 80.80.80.80 OPEN has ROUTE-REFRESH capability(new) 
    for all address-families
BGP: 80.80.80.80 rcvd OPEN w/ remote AS 400
*Mar  1 01:04:34.103: BGP: 80.80.80.80 went from OpenSent to OpenConfirm
*Mar  1 01:04:34.103: BGP: 80.80.80.80 went from OpenConfirm to Established
*Mar  1 01:04:34.103: %BGP-5-ADJCHANGE: neighbor 80.80.80.80 Up

如果一台路由器为邻居配置了密码,但是该邻居却没有为其配置密码,这种情况下,当这两台路由器尝试在它们之间建立 BGP 会话时,系统将显示如下消息:

%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local 
    router's IP address]:179

同样地,如果这两个路由器配置了不同的密码,系统将显示如下消息:

%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local 
    router's IP address]:179

验证

使用本部分可确认配置能否正常运行。

  • R0#show ip bgp neighbors|包含 BGP

    BGP neighbor is 80.80.80.80, remote AS 400, internal link
      BGP version 4, remote router ID 80.80.80.80
      BGP state = Established, up for 00:08:26
      BGP table version 1, neighbor version 1/0
    
  • R0#show ip bgp summary

    BGP router identifier 70.70.70.70, local AS number 400
    BGP table version is 1, main routing table version 1
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    80.80.80.80     4   400      75      75        1    0    0 00:08:52        0
    
  • R1#show ip bgp summary

    BGP router identifier 80.80.80.80, local AS number 400
    BGP table version is 1, main routing table version 1
    
    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    70.70.70.70     4   400      76      76        1    0    0 00:09:27        0
    

故障排除

目前没有针对此配置的故障排除信息。

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 112188