在BGP對等體之間配置MD5身份驗證
簡介
本檔案介紹如何在兩個BGP對等點之間的TCP連線上設定訊息摘要5(MD5)驗證。
必要條件
需求
本文件沒有特定需求。
採用元件
本文件所述內容不限於特定軟體和硬體版本。
本檔案中的資訊是根據執行Cisco IOS®版本12.4(15)T14的3600系列路由器的命令輸出而來。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
慣例
如需文件慣例的詳細資訊,請參閱思科技術提示慣例。
背景資訊
您可以在兩個BGP對等點之間配置MD5身份驗證,這意味著對等點之間的TCP連線上傳送的每個分段都經過驗證。MD5身份驗證必須在兩個BGP對等體上使用相同的密碼進行配置;否則,無法建立它們之間的連線。配置MD5身份驗證時,會使Cisco IOS軟體生成並檢查TCP連線上傳送的每個資料段的MD5摘要。
設定
本節提供用於設定本檔案中所述功能的資訊。
網路圖表
此文件使用以下網路設定:
組態
本檔案會使用以下設定:
| 路由器0配置 |
|---|
R0# |
| 路由器1配置 |
|---|
R1# ! interface Loopback80 ip address 10.80.80.80 255.255.255.255 ! interface Serial1/0 ip address 10.10.10.2 255.255.255.0 serial restart-delay 0 ! router bgp 400 no synchronization bgp log-neighbor-changes neighbor 10.70.70.70 remote-as 400 !--- iBGP Configuration using Loopback Address neighbor 10.70.70.70 password cisco !--- Invoke MD5 authentication on a TCP connection to a BGP peer neighbor 10.70.70.70 update-source Loopback80 no auto-summary ! ip route 10.70.70.70 255.255.255.255 10.10.10.1 !--- This static route ensures that the remote peer address used for peering is reachable. |
了解調試
R0#clear ip bgp **Mar 1 01:02:17.523: %BGP-5-ADJCHANGE: neighbor 10.80.80.80 Down User reset
R0#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
*Mar 1 01:03:58.159: BGP: 10.80.80.80 open failed: Connection timed out;
remote host not responding, open active delayed 1782ms (2000ms max, 28%
jitter)
*Mar 1 01:03:58.415: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:03:59.943: BGP: 10.80.80.80 open active, local address 10.70.70.70
*Mar 1 01:04:00.039: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:00.807: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(33358)
to 10.70.70.70(179)
*Mar 1 01:04:01.991: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:01.995: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:05.995: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:06.015: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:14.023: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
70. 70.70.70(64444)
*Mar 1 01:04:14.023: %TCP-6-BADAUTH: No MD5 digest from 10.80.80.80(179) to
10.70.70.70(64444)
*Mar 1 01:04:29.947: BGP: 10.80.80.80 open failed: Connection timed out;
remote host not responding, open active delayed 3932ms (4000ms max, 28%
jitter)
*Mar 1 01:04:33.879: BGP: 10.80.80.80 open active, local address 10.70.70.70
*Mar 1 01:04:33.983: BGP: 10.80.80.80 went from Active to OpenSent
*Mar 1 01:04:33.983: BGP: 10.80.80.80 sending OPEN, version 4, my as: 400,
hold time 180 seconds
*Mar 1 01:04:33.987: BGP: 10.80.80.80 send message type 1, length (incl.
header ) 45
*Mar 1 01:04:34.091: BGP: 10.80.80.80 rcv message type 1, length (excl.
header) 26
*Mar 1 01:04:34.091: BGP: 10.80.80.80 rcv OPEN, version 4, holdtime 180 seconds
*Mar 1 01:04:34.091: BGP: 10.80.80.80 rcv OPEN w/ OPTION parameter len: 16
*Mar 1 01:04:34.095: BGP: 10.80.80.80 rcvd OPEN w/ optional parameter type 2
(Capability) len 6
*Mar 1 01:04:34.095: BGP: 10.80.80.80 OPEN has CAPABILITY code: 1, length 4
*Mar 1 01:04:34.095: BGP: 10.80.80.80 OPEN has MP_EXT CAP for afi/safi: 1/1
*Mar 1 01:04:34.095: BGP: 10.80.80.80 rcvd OPEN w/ optional parameter type 2
(Capability) len 2
*Mar 1 01:04:34.095: BGP: 10.80.80.80 OPEN has CAPABILITY code: 128, length 0
*Mar 1 01:04:34.099: BGP: 10.80.80.80 OPEN has ROUTE-REFRESH capability(old)
for all address-families
*Mar 1 01:04:34.099: BGP: 10.80.80.80 rcvd OPEN w/ optional parameter type 2
(Capability) len 2
*Mar 1 01:04:34.099: BGP: 10.80.80.80 OPEN has CAPABILITY code: 2, length 0
*Mar 1 01:04:34.099: BGP: 10.80.80.80 OPEN has ROUTE-REFRESH capability(new)
for all address-families
BGP: 10.80.80.80 rcvd OPEN w/ remote AS 400
*Mar 1 01:04:34.103: BGP: 10.80.80.80 went from OpenSent to OpenConfirm
*Mar 1 01:04:34.103: BGP: 10.80.80.80 went from OpenConfirm to Established
*Mar 1 01:04:34.103: %BGP-5-ADJCHANGE: neighbor 10.80.80.80 Up
如果路由器為鄰居配置了口令,但鄰居路由器沒有配置口令,則當路由器嘗試在它們之間建立BGP會話時,會顯示類似以下消息:
%TCP-6-BADAUTH: No MD5 digest from [peer's IP address]:11003 to [local
router's IP address]:179
同樣,如果兩台路由器配置了不同的密碼,則會顯示類似以下的消息:
%TCP-6-BADAUTH: Invalid MD5 digest from [peer's IP address]:11004 to [local
router's IP address]:179
驗證
使用本節內容,確認您的組態是否正常運作。
-
show ip bgp neighbors | 包括BGP
R0#show ip bgp neighbors| include BGP BGP neighbor is 10.80.80.80, remote AS 400, internal link BGP version 4, remote router ID 10.80.80.80 BGP state = Established, up for 00:08:26 BGP table version 1, neighbor version 1/0 -
show ip bgp summary
R0#show ip bgp summary BGP router identifier 10.70.70.70, local AS number 400 BGP table version is 1, main routing table version 1 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.80.80.80 4 400 75 75 1 0 0 00:08:52 0 -
show ip bgp summary
R1#show ip bgp summary BGP router identifier 10.80.80.80, local AS number 400 BGP table version is 1, main routing table version 1 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.70.70.70 4 400 76 76 1 0 0 00:09:27 0
疑難排解
目前沒有適用於此組態的疑難排解資訊。
相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
2.0 |
12-Jan-2024 |
重新認證。 |
1.0 |
19-Oct-2010 |
初始版本 |
意見