IBGP Authentication

JUNOS software supports authentication of BGP messages based on either IPsec or the TCP MD5 signature option (RFC 2385), which signs every TCP segment of the session with a shared key. IPsec-related configuration is beyond the scope of this book, leaving MD5 as your only option at present. MD5-based authentication can be applied globally, at the group level, or for individual neighbors, with the more specific setting overriding the less specific one. To complete this configuration example, you must add IBGP authentication according to the following requirements:

  • r3, r4, and r5 authenticate to each other using key jni.

  • All other routers authenticate using key jnx.
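The "MD5" authentication named above is the TCP MD5 signature option of RFC 2385, which is what the JUNOS authentication-key statement turns on for a peer. The following Python is an added example, not code from the book or from Juniper: it builds and verifies a signed TCP segment carrying a BGP KEEPALIVE, and shows what a receiver holding a key does with a segment that is unsigned, signed with the wrong key, tampered with, or sent from a different address. The addresses and ports are those of the r1-r3 session shown later in this section; the segment bytes and keys are constructed for illustration, and the TCP checksum is left at zero because it is excluded from the signature anyway.

```python
"""RFC 2385 TCP MD5 signature option, the mechanism behind the Junos BGP
`authentication-key` statement.  Added example, not code from the book or
from Juniper; the segment, keys and addresses are constructed."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19       # option kind assigned by RFC 2385
TCPOPT_MD5SIG_LEN = 18   # kind + length + 16-byte digest

# Loopback addresses of r1 and r3 from the book's topology.
R1, R3 = "10.0.6.1", "10.0.3.3"


def pseudo_header(src_ip, dst_ip, seg_len):
    """Pseudo-header in RFC 2385 order: src, dst, zero, protocol, segment length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)


def rfc2385_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """MD5 over pseudo-header, the 20-byte TCP header with checksum zeroed
    (options excluded), the data, and finally the shared key.  The segment
    length in the pseudo-header still counts the options."""
    assert len(fixed_header) == 20
    seg_len = len(fixed_header) + options_len + len(payload)
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    m = hashlib.md5()
    m.update(pseudo_header(src_ip, dst_ip, seg_len))
    m.update(zeroed)
    m.update(payload)
    m.update(key)
    return m.digest()


def tcp_fixed_header(sport, dport, seq, ack, flags, data_offset_words, window=16384):
    """20-byte TCP header; checksum and urgent pointer left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset_words << 4, flags, window, 0, 0)


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Header + MD5 option + two NOPs (pads the options to 20 bytes) + payload."""
    hdr = tcp_fixed_header(sport, dport, seq, ack, flags, data_offset_words=10)  # 40-byte header
    digest = rfc2385_digest(src_ip, dst_ip, hdr, 20, payload, key)
    options = struct.pack("!BB", TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return hdr + options + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver with a key configured: accept only a correctly signed segment.
    Failures are dropped silently, so TCP never completes its handshake and
    BGP sits in Connect/Active instead of sending a NOTIFICATION."""
    data_off = (segment[12] >> 4) * 4
    fixed, options, payload = segment[:20], segment[20:data_off], segment[data_off:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return False              # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False              # malformed option length
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return False                  # key configured locally but segment unsigned: drop
    expected = rfc2385_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Sign one BGP KEEPALIVE (16-byte marker, length 19, type 4) from r1 (port 179)
    to r3 (port 1130) with key jnx, then check it under several receiver states."""
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    seg = sign_segment(R1, R3, 179, 1130, seq=1000, ack=2000, flags=0x18, payload=keepalive, key=b"jnx")
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])   # flip one bit of the BGP payload
    unsigned = tcp_fixed_header(179, 1130, 1000, 2000, 0x18, data_offset_words=5) + keepalive
    return {
        "correct_key": verify_segment(R1, R3, seg, b"jnx"),
        "wrong_key": verify_segment(R1, R3, seg, b"jni"),        # r3 holds jni for this peer
        "tampered": verify_segment(R1, R3, tampered, b"jnx"),
        "unsigned": verify_segment(R1, R3, unsigned, b"jnx"),    # peer has no key configured
        "spoofed_source": verify_segment("10.0.6.2", R3, seg, b"jnx"),  # addresses are signed too
        "segment_len": len(seg),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the first case is accepted; every other case is dropped without any reply to the sender, which is exactly why a key mismatch in JUNOS shows up as a session that never leaves Connect rather than as a logged BGP error.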

Configure Authentication

The following commands correctly configure IBGP authentication on r3. Note that a combination of group and neighbor commands has been used to minimize typing:

[edit protocols bgp group internal]
lab@r3# set authentication-key jnx

[edit protocols bgp group internal]
lab@r3# set neighbor 10.0.3.4 authentication-key jni

[edit protocols bgp group internal]
lab@r3# set neighbor 10.0.3.5 authentication-key jni

The resulting BGP stanza on r3 is shown, and committed:

[edit protocols bgp group internal]
lab@r3# show
type internal;
traceoptions {
    file r3-bgp;
    flag state detail;
}
local-address 10.0.3.3;
authentication-key "$9$-zbYof5F39p"; # SECRET-DATA
export ibgp;
neighbor 10.0.6.1;
neighbor 10.0.6.2;
neighbor 10.0.3.4 {
    authentication-key "$9$-5bYof5Fn/t"; # SECRET-DATA
}
neighbor 10.0.3.5 {
    authentication-key "$9$yLxeMXaJDikP"; # SECRET-DATA
}
neighbor 10.0.9.6;
neighbor 10.0.9.7;

[edit protocols bgp group internal]
lab@r3# commit
commit complete

The result of this configuration is that every neighbor lacking an explicit authentication-key statement inherits the group value, so r3 uses key jnx toward all of its peers except r4 and r5, toward which it uses key jni. Because r3 is the only router currently configured to authenticate IBGP messages, it discards the unsigned TCP segments its peers send and none of its sessions can complete the TCP handshake, so we expect to see that it has lost all of its BGP sessions:

[edit protocols bgp group internal]
lab@r3# run show bgp summary
Groups: 1 Peers: 6 Down peers: 6
Table          Tot Paths  Act Paths Suppressed    History Damp State     Pending
inet.0                 0          0          0          0          0           0
Peer               AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn  State|#Active/Received/Damped...
10.0.3.4        65412          0          0       0       0         3:08 Connect
10.0.3.5        65412          0          0       0       0         3:08 Connect
10.0.6.1        65412          0          0       0       0         3:08 Connect
10.0.6.2        65412          0          0       0       0         3:08 Connect
10.0.9.6        65412          0          0       0       0         3:08 Connect
10.0.9.7        65412          0          0       0       0         3:08 Connect

You must now add compatible authentication values in the remaining routers so that all BGP sessions can once again be established. As a guide, the authentication-related BGP configuration of r1 is shown next:

[edit protocols bgp group internal] lab@r1# set authentication-key jnx 

The resulting BGP stanza for r1 is displayed:

[edit protocols bgp group internal]
lab@r1# show
type internal;
traceoptions {
    file r1-bgp;
    flag state detail;
}
local-address 10.0.6.1;
authentication-key "$9$oGZDk9Cu0Ic"; # SECRET-DATA
export ibgp;
neighbor 10.0.6.2;
neighbor 10.0.3.3;
neighbor 10.0.3.4;
neighbor 10.0.3.5;
neighbor 10.0.9.6;
neighbor 10.0.9.7;

With r1 set to correctly authenticate, we expect to see it successfully establish an IBGP session to r3:

[edit protocols bgp group internal]
lab@r1# run show bgp neighbor 10.0.3.3
Peer: 10.0.3.3+1130 AS 65412 Local: 10.0.6.1+179 AS 65412
  Type: Internal    State: Established    Flags: <>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Export: [ ibgp ]
  Options: <Preference LocalAddress HoldTime AuthKey LogUpDown Refresh>
  Authentication key is configured
  Local Address: 10.0.6.1 Holdtime: 90 Preference: 170
  Number of flaps: 0
  Peer ID: 10.0.3.3   Local ID: 10.0.6.1   Active Holdtime: 90
  Keepalive Interval: 30
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Table inet.0 Bit: 10000
    Send state: in sync
    Active prefixes: 1
    Received prefixes: 1
    Suppressed due to damping: 0
  Last traffic (seconds): Received 17   Sent 17   Checked 17
  Input messages:  Total 6     Updates 1      Refreshes 0    Octets 176
  Output messages: Total 7     Updates 1      Refreshes 0    Octets 195
  Output Queue[0]: 0

This display confirms that the r1-r3 IBGP session has been established and that authentication is in effect: AuthKey appears in the session's Options list, and the display states that the authentication key is configured.

Verify IBGP Authentication

To verify that authentication is working, you need only confirm that your sessions are in the Established state. Authentication problems manifest themselves as connections stuck in the Connect or Active state, because a router configured with a key silently discards TCP segments whose MD5 signature is missing or incorrect; the TCP connection never completes, so BGP never gets far enough to send a NOTIFICATION that would point at the cause. It is easy to tell when authentication is in use, and you should always try reassigning the MD5 key if you suspect an authentication mismatch. Problems often occur when authentication is applied globally or at the group level, as you may wind up inadvertently configuring authentication for peers that are not using it. Displaying the BGP neighbor status, even for sessions that are "broken," confirms whether or not authentication is configured for that peer, based on whether the keyword AuthKey is present in the list of options for that session. Finally, note that the $9$ strings shown in the configuration are obfuscated, not encrypted: anyone who can read the configuration file or its backups can recover the MD5 keys, so treat those files as secret material.
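The check just described, a peer that never leaves Connect or Active while the local side has AuthKey in its options, is easy to automate over captured CLI output. The following Python is an added example and not part of the book: it parses the two show bgp summary captures from this section (re-typed as constructed input) and a pair of constructed show bgp neighbor fragments, and returns the peers whose symptoms match a key mismatch or a group-level key accidentally applied to an unauthenticated neighbor.

```python
"""Flag peers stuck in Connect/Active for which an MD5 key is configured, from
Junos `show bgp summary` and `show bgp neighbor` text.  Added example, not from
the book; the summaries are the book's r3 output re-typed, the neighbor
fragments are constructed."""
import re

# r3 before the other routers were given keys (from the text above).
SUMMARY_ALL_DOWN = """\
Groups: 1 Peers: 6 Down peers: 6
Table          Tot Paths  Act Paths Suppressed    History Damp State     Pending
inet.0                 0          0          0          0          0           0
Peer               AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn  State|#Active/Received/Damped...
10.0.3.4        65412          0          0       0       0         3:08 Connect
10.0.3.5        65412          0          0       0       0         3:08 Connect
10.0.6.1        65412          0          0       0       0         3:08 Connect
10.0.6.2        65412          0          0       0       0         3:08 Connect
10.0.9.6        65412          0          0       0       0         3:08 Connect
10.0.9.7        65412          0          0       0       0         3:08 Connect
"""

# r3 after all seven routers were configured (from the text).
SUMMARY_ALL_UP = """\
Groups: 1 Peers: 6 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State     Pending
inet.0                 6          6          0          0          0           0
Peer               AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn  State|#Active/Received/Damped...
10.0.3.4        65412          5          6       0       0        1:40 1/1/0 0/0/0
10.0.3.5        65412          3          5       0       0        1:20 1/1/0 0/0/0
10.0.6.1        65412         44         46       0       0       21:18 1/1/0 0/0/0
10.0.6.2        65412          7          8       0       0        2:37 1/1/0 0/0/0
10.0.9.6        65412          6          7       0       0        2:19 1/1/0 0/0/0
10.0.9.7        65412          2          3       0       0          23 1/1/0 0/0/0
"""

# Constructed `show bgp neighbor` fragments: one session with a local key
# (AuthKey present) and one without.
NEIGHBOR_OUTPUT = {
    "10.0.3.4": """\
Peer: 10.0.3.4 AS 65412 Local: 10.0.3.3 AS 65412
  Type: Internal    State: Connect    Flags: <>
  Options: <Preference LocalAddress HoldTime AuthKey LogUpDown Refresh>
""",
    "10.0.9.7": """\
Peer: 10.0.9.7 AS 65412 Local: 10.0.3.3 AS 65412
  Type: Internal    State: Connect    Flags: <>
  Options: <Preference LocalAddress HoldTime LogUpDown Refresh>
""",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_bgp_summary(text):
    """One dict per peer row.  An Established row ends in active/received/damped
    counters such as '1/1/0 0/0/0' where a down row carries the state word."""
    peers = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not IPV4.match(f[0]):
            continue
        state = "Established" if "/" in f[7] else f[7]
        peers.append({"peer": f[0], "as": int(f[1]), "flaps": int(f[5]),
                      "last_up_down": f[6], "state": state})
    return peers


def auth_configured(neighbor_text):
    """True when the session's Options list carries AuthKey."""
    m = re.search(r"Options:\s*<([^>]*)>", neighbor_text)
    return bool(m) and "AuthKey" in m.group(1).split()


def suspect_auth_mismatch(summary_text, neighbor_outputs):
    """Peers that never get past TCP (Connect/Active) while the local router has
    an MD5 key for them: a key mismatch, or a group-level key applied to a
    neighbor that is not authenticating."""
    return [p["peer"] for p in parse_bgp_summary(summary_text)
            if p["state"] in ("Connect", "Active")
            and auth_configured(neighbor_outputs.get(p["peer"], ""))]


if __name__ == "__main__":
    print("suspects before fix:", suspect_auth_mismatch(SUMMARY_ALL_DOWN, NEIGHBOR_OUTPUT))
    print("suspects after fix: ", suspect_auth_mismatch(SUMMARY_ALL_UP, NEIGHBOR_OUTPUT))
```

In the "all down" capture only 10.0.3.4 is reported, because it is the only down peer for which the neighbor output shows AuthKey; 10.0.9.7 is down too, but with no local key its problem lies elsewhere, and the remaining four have no neighbor output to judge from. Feed the script the output of show bgp neighbor for every peer to get a complete answer.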

With your IBGP authentication correctly configured on all seven routers, you expect to see that all BGP sessions have once again been correctly established:

[edit protocols bgp group internal]
lab@r3# run show bgp summary
Groups: 1 Peers: 6 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State     Pending
inet.0                 6          6          0          0          0           0
Peer               AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn  State|#Active/Received/Damped...
10.0.3.4        65412          5          6       0       0        1:40 1/1/0 0/0/0
10.0.3.5        65412          3          5       0       0        1:20 1/1/0 0/0/0
10.0.6.1        65412         44         46       0       0       21:18 1/1/0 0/0/0
10.0.6.2        65412          7          8       0       0        2:37 1/1/0 0/0/0
10.0.9.6        65412          6          7       0       0        2:19 1/1/0 0/0/0
10.0.9.7        65412          2          3       0       0          23 1/1/0 0/0/0




JNCIP. Juniper Networks Certified Internet Professional Study Guide Exam CERT-JNCIP-M
ISBN: 0782140734
Year: 2003