This section describes how to configure BGP Session Authentication and Integrity using the TCP Authentication Option (TCP AO) feature:
- Configure Keychain

  Note: Configure the send-lifetime and accept-lifetime keywords with identical values in the keychain configuration; otherwise the values become invalid.

- Configure TCP

  Note: The Send ID and Receive ID that you configure on the device must match the Receive ID and Send ID, respectively, configured on the peer.

- Configure BGP
Configuration Example

Configure a keychain.

Router# configure
Router(config)# key chain tcpao1
Router(config-tcpao1)# key 1
Router(config-tcpao1-1)# cryptographic-algorithm HMAC-SHA-1-96
Router(config-tcpao1-1)# key-string keys1
Router(config-tcpao1-1)# send-lifetime 16:00:00 march 3 2018 infinite
Router(config-tcpao1-1)# accept-lifetime 16:00:00 march 3 2018 infinite

Configure TCP.

Router(config)# tcp ao
Router(config-tcp-ao)# keychain tcpao1
Router(config-tcp-ao-tcpao1)# key 1 sendID 5 receiveID 5

Configure BGP.

Router(config)# router bgp 1
Router(config-bgp)# bgp router-id 10.101.101.1
Router(config-bgp)# address-family ipv4 unicast
Router(config-bgp-af)# exit
Router(config-bgp)# neighbor 10.51.51.1
Router(config-bgp-nbr)# remote-as 1
Router(config-bgp-nbr)# ao tcpao1 include-tcp-options disable accept-ao-mismatch-connection
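The two Notes above are the usual reasons a TCP-AO session fails to come up, so a pre-change check that compares both peers' configurations is worth having. The following is an added Python example, not part of the Cisco guide: it parses the key chain and tcp ao stanzas in the syntax shown above and flags send-lifetime/accept-lifetime that differ, sendID/receiveID pairs that are not mirrored by the peer, and (going beyond the Notes) a cryptographic-algorithm that differs between the two ends. The configurations are constructed sample data; the peer's copy is deliberately inconsistent.

```python
import re

# Constructed configs in the page's IOS XR syntax (sample data, not captured from a device).
LOCAL_CFG = """\
key chain tcpao1
 key 1
  cryptographic-algorithm HMAC-SHA-1-96
  send-lifetime 16:00:00 march 3 2018 infinite
  accept-lifetime 16:00:00 march 3 2018 infinite
tcp ao
 keychain tcpao1
  key 1 sendID 5 receiveID 5
"""
# The peer breaks both Notes: its lifetimes differ and its IDs do not mirror ours.
PEER_CFG = (LOCAL_CFG.replace("accept-lifetime 16:00:00", "accept-lifetime 17:00:00")
            .replace("receiveID 5", "receiveID 7"))

def parse(cfg):
    """Return {chain: {key_id: {alg, send, accept, sendID, receiveID}}} from both stanzas."""
    chains, chain, key = {}, None, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"key ?chain (\S+)$", line):   # 'key chain X' or tcp ao 'keychain X'
            chain = m.group(1)
        elif m := re.match(r"key (\d+) sendID (\d+) receiveID (\d+)$", line):
            chains.setdefault(chain, {}).setdefault(int(m.group(1)), {}).update(
                sendID=int(m.group(2)), receiveID=int(m.group(3)))
        elif m := re.match(r"key (\d+)$", line):
            key = chains.setdefault(chain, {}).setdefault(int(m.group(1)), {})
        elif m := re.match(r"cryptographic-algorithm (\S+)$", line):
            key["alg"] = m.group(1)
        elif m := re.match(r"(send|accept)-lifetime (.+)$", line):
            key[m.group(1)] = m.group(2)
    return chains

def check_pair(local_cfg, peer_cfg, chain):
    """Apply both Notes to one keychain across the two peers; return a list of findings."""
    local, peer = parse(local_cfg)[chain], parse(peer_cfg)[chain]
    findings = [f"{side} key {kid}: send-lifetime and accept-lifetime differ"
                for side, keys in (("local", local), ("peer", peer))
                for kid, k in keys.items() if k.get("send") != k.get("accept")]
    for kid in sorted(set(local) & set(peer)):
        l, p = local[kid], peer[kid]
        if l.get("alg") != p.get("alg"):   # both ends must compute the same MAC
            findings.append(f"key {kid}: cryptographic-algorithm differs between peers")
        if (l.get("sendID"), l.get("receiveID")) != (p.get("receiveID"), p.get("sendID")):
            findings.append(f"key {kid}: local sendID/receiveID {l.get('sendID')}/{l.get('receiveID')} "
                            f"is not mirrored by the peer's {p.get('sendID')}/{p.get('receiveID')}")
    return findings
```

Run `check_pair(LOCAL_CFG, PEER_CFG, "tcpao1")` against the two sample configs to see one finding per broken Note; an empty list means the pair is consistent.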
Verification
Verify the keychain configured for BGP Session Authentication and Integrity using the TCP Authentication Option feature.

Router# show key chain tcpao1
Mon Sep 2 08:32:14.383 UTC
Key-chain: tcpao1 -
timezone -- local
Key 1 -- text "025756085F535976141759485744465E5A"
Cryptographic-Algorithm -- AES_128_CMAC_96
Send lifetime -- 16:00:00, 03 Mar 2018 - Always valid [Valid now]
Accept lifetime -- 16:00:00, 03 Mar 2018 - Always valid [Valid now]
The following output displays the state of the BGP neighbors.
Router# show bgp ipv4 unicast summary
Mon Sep 2 08:33:27.759 UTC
BGP router identifier 10.101.101.1, local AS number 1
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0xe0000000 RD version: 4
BGP table nexthop route policy:
BGP main routing table version 4
BGP NSR Initial initsync version 3 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs
BGP is operating in STANDALONE mode.
Process       RcvTblVer   bRIB/RIB   LabelVer  ImportVer  SendTblVer  StandbyVer
Speaker               4          4          4          4           4           0

Neighbor        Spk    AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down  St/PfxRcd
10.51.51.1        0     1      13      13        4    0    0 00:09:11          1
The following output displays the state of a particular BGP neighbor.
Router# show bgp neighbor 10.51.51.1 detail
BGP neighbor is 10.51.51.1
Remote AS 1, local AS 1, internal link
Remote router ID 10.51.51.1
BGP state = Established, up for 00:11:19
Previous State: Active
Last Received Message: KeepAlive
NSR State: None
Last read 00:00:14, Last read before reset 00:00:00
Hold time is 180, keepalive interval is 60 seconds
Configured hold time: 180, keepalive: 60, min acceptable hold time: 3
Last write 00:00:14, attempted 19, written 19
Second last write 00:01:14, attempted 19, written 19
Last write before reset 00:00:00, attempted 0, written 0
Second last write before reset 00:00:00, attempted 0, written 0
Last write pulse rcvd Sep 2 08:35:21.713 last full not set pulse count 28
Last write pulse rcvd before reset 00:00:00
Socket not armed for io, armed for read, armed for write
Last write thread event before reset 00:00:00, second last 00:00:00
Last KA expiry before reset 00:00:00, second last 00:00:00
Last KA error before reset 00:00:00, KA not sent 00:00:00
Last KA start before reset 00:00:00, second last 00:00:00
Precedence: internet
Non-stop routing is enabled
Multi-protocol capability received
Neighbor capabilities:
Route refresh: advertised (old + new) and received (old + new)
4-byte AS: advertised and received
Address family IPv4 Unicast: advertised and received
Received 15 messages, 0 notifications, 0 in queue
Sent 15 messages, 0 notifications, 0 in queue
Minimum time between advertisement runs is 0 secs
Inbound message logging enabled, 3 messages buffered
Outbound message logging enabled, 3 messages buffered
The following output displays brief information about the protocol control block (PCB) for the neighbor.
Router# show tcp brief | i 10.51.51.1
Mon Sep 2 08:29:19.442 UTC
0x00007f9dc0009bb0 0x60000000 0 0 10.101.101.1:179 10.51.51.1:42377 ESTAB
The following output displays authentication details of the PCB:
Router# show tcp detail pcb 0x143df858 location 0/rsp0/CPU0 | begin Authen
Wed Mar 21 12:56:46.129 UTC
Authentication peer details:
Peer: 10.51.51.1/32, OBJ_ID: 0x40002fd8
Port: BGP, vrf_id: 0x60000000, type: AO, debug_on:0
Keychain_name: tcpao1, options: 0x00000000, linked peer: 0x143e00 Keychain name
Send_SNE: 0, Receive_SNE: 0, Send_SNE_flag: 0
Recv_SNE_flag: 0, Prev_send_seq: 4120835405, Prev_receive_seq: 2461932863
ISS: 4120797604, IRS: 2461857361
Current key: 2
Traffic keys: send_non_SYN: 006a2975, recv_non_SYN: 00000000
RNext key: 2
Traffic keys: send_non_SYN: 00000000, recv_non_SYN: 00000000
Last 1 keys used:
key: 2, time: Mar 20 03:52:35.969.151, reason: No current key set