簡介
本檔案介紹如何在兩個BGP對等點之間的TCP連線上設定訊息摘要5(MD5)驗證。
必要條件
需求
本文件沒有特定需求。
採用元件
本文件所述內容不限於特定軟體和硬體版本。
本檔案中的資訊是根據執行Cisco IOS®版本12.4(15)T14的3600系列路由器的命令輸出而來。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
慣例
如需文件慣例的詳細資訊,請參閱思科技術提示慣例。
背景資訊
您可以在兩個BGP對等點之間配置MD5身份驗證,這意味著對等點之間的TCP連線上傳送的每個分段都經過驗證。MD5身份驗證必須在兩個BGP對等體上使用相同的密碼進行配置;否則,無法建立它們之間的連線。配置MD5身份驗證時,會使Cisco IOS軟體生成並檢查TCP連線上傳送的每個資料段的MD5摘要。
設定
本節提供用於設定本檔案中所述功能的資訊。
注意:使用Cisco CLI Analyzer獲取本節所用命令的詳細資訊。只有註冊思科使用者才能訪問思科內部工具和資訊。
網路圖表
此文件使用以下網路設定:
組態
本檔案會使用以下設定:
路由器0配置 |
R0# !
interface Loopback70
ip address 10.70.70.70 255.255.255.255
!
interface Serial1/0
ip address 10.10.10.1 255.255.255.0
serial restart-delay 0
!
router bgp 400
no synchronization
bgp log-neighbor-changes
neighbor 10.80.80.80 remote-as 400
!--- iBGP Configuration using Loopback Address
neighbor 10.80.80.80 password cisco
!--- Invoke MD5 authentication on a TCP connection to a BGP peer
neighbor 10.80.80.80 update-source Loopback70
no auto-summary
!
ip route 10.80.80.80 255.255.255.255 10.10.10.2
!--- This static route ensures that the remote peer address used for peering is reachable.
|
路由器1配置 |
R1#
!
interface Loopback80
ip address 10.80.80.80 255.255.255.255
!
interface Serial1/0
ip address 10.10.10.2 255.255.255.0
serial restart-delay 0
!
router bgp 400
no synchronization
bgp log-neighbor-changes
neighbor 10.70.70.70 remote-as 400
!--- iBGP Configuration using Loopback Address
neighbor 10.70.70.70 password cisco
!--- Invoke MD5 authentication on a TCP connection to a BGP peer
neighbor 10.70.70.70 update-source Loopback80
no auto-summary
!
ip route 10.70.70.70 255.255.255.255 10.10.10.1
!--- This static route ensures that the remote peer address used for peering is reachable.
|
了解調試
R0#clear ip bgp *
*Mar 1 01:02:17.523: %BGP-5-ADJCHANGE: neighbor 10.80.80.80 Down User reset
R0#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
*Mar 1 01:03:58.159: BGP: 10.80.80.80 open failed: Connection timed out;
remote host not responding, open active delayed 1782ms (2000ms max, 28%
jitter)
*Mar 1 01:03:58.415: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:03:59.943: BGP: 10.80.80.80 open active, local address 10.70.70.70
*Mar 1 01:04:00.039: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:00.807: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(33358)
to 10.70.70.70(179)
*Mar 1 01:04:01.991: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:01.995: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:05.995: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:06.015: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:14.023: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
70. 70.70.70(64444)
*Mar 1 01:04:14.023: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:29.947: BGP: 10.80.80.80 open failed: Connection timed out;
remote host not responding, open active delayed 3932ms (4000ms max, 28%
jitter)
*Mar 1 01:04:33.879: BGP: 10.80.80.80 open active, local address 10.70.70.70
*Mar 1 01:04:33.983: BGP: 10.80.80.80 went from Active to OpenSent
*Mar 1 01:04:33.983: BGP: 10.80.80.80 sending OPEN, version 4, my as: 400,
hold time 180 seconds
*Mar 1 01:04:33.987: BGP: 10.80.80.80 send message type 1, length (incl.
header ) 45
*Mar 1 01:04:34.091: BGP: 10.80.80.80 rcv message type 1, length (excl.
header) 26
*Mar 1 01:04:34.091: BGP: 10.80.80.80 rcv OPEN, version 4, holdtime 180 seconds
*Mar 1 01:04:34.091: BGP: 10.80.80.80 rcv OPEN w/ OPTION parameter len: 16
*Mar 1 01:04:34.095: BGP: 10.80.80.80 rcvd OPEN w/ optional parameter type 2
(Capability) len 6
*Mar 1 01:04:34.095: BGP: 10.80.80.80 OPEN has CAPABILITY code: 1, length 4
*Mar 1 01:04:34.095: BGP: 10.80.80.80 OPEN has MP_EXT CAP for afi/safi: 1/1
*Mar 1 01:04:34.095: BGP: 10.80.80.80 rcvd OPEN w/ optional parameter type 2
(Capability) len 2
*Mar 1 01:04:34.095: BGP: 10.80.80.80 OPEN has CAPABILITY code: 128, length 0
*Mar 1 01:04:34.099: BGP: 10.80.80.80 OPEN has ROUTE-REFRESH capability(old)
for all address-families
*Mar 1 01:04:34.099: BGP: 10.80.80.80 rcvd OPEN w/ optional parameter type 2
(Capability) len 2
*Mar 1 01:04:34.099: BGP: 10.80.80.80 OPEN has CAPABILITY code: 2, length 0
*Mar 1 01:04:34.099: BGP: 10.80.80.80 OPEN has ROUTE-REFRESH capability(new)
for all address-families
BGP: 10.80.80.80 rcvd OPEN w/ remote AS 400
*Mar 1 01:04:34.103: BGP: 10.80.80.80 went from OpenSent to OpenConfirm
*Mar 1 01:04:34.103: BGP: 10.80.80.80 went from OpenConfirm to Established
*Mar 1 01:04:34.103: %BGP-5-ADJCHANGE: neighbor 10.80.80.80 Up
如果路由器為鄰居配置了口令,但鄰居路由器沒有配置口令,則當路由器嘗試在它們之間建立BGP會話時,會顯示類似以下消息:
%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local
router's IP address]:179
同樣,如果兩台路由器配置了不同的密碼,則會顯示類似以下的消息:
%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local
router's IP address]:179
驗證
使用本節內容,確認您的組態是否正常運作。
疑難排解
目前沒有適用於此組態的疑難排解資訊。
相關資訊