Router1(config)#router bgp 1 !–Autonomous system number
!– Specify a network to announce via BGP: this flags the network as local to this autonomous system and enters it into the BGP table
Router1(config)#network 150.1.1.1 mask 255.255.255.255
!– Specify a neighbor router
Router1(config)#neighbor 136.1.13.3 remote-as 3
! — Set a password
Router1(config)#neighbor 136.1.13.3 password PASSWORD
Router3(config)#router bgp 3
Router3(config)#network 150.1.3.3 mask 255.255.255.255
Router3(config)#neighbor 136.1.13.1 remote-as 1
Router3(config)#neighbor 136.1.23.2 remote-as 2
Router3(config)#neighbor 136.1.13.1 password PASSWORD
Router3(config)#neighbor 136.1.23.2 password PASSWORD
Router1(config)#router ?
bgp Border Gateway Protocol (BGP)
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
isis ISO IS-IS
iso-igrp IGRP for OSI networks
mobile Mobile routes
odr On Demand stub Routes
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
*Oct 18 15:24:04.306: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(179) to 136.1.13.1(19226)
*Oct 18 15:24:07.466: %TCP-6-BADAUTH: No MD5 digest from 136.1.13.3(16117) to 136.1.13.1(179)
*Oct 18 15:24:24.302: %BGP-5-ADJCHANGE: neighbor 136.1.13.3 Up
Router1#sh ip bgp summary
BGP router identifier 150.1.1.1, local AS number 1
BGP table version is 4, main routing table version 4
3 network entries using 360 bytes of memory
3 path entries using 156 bytes of memory
3/3 BGP path/bestpath attribute entries using 372 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 936 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 60 secs
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.3      4     3       7       5        4    0    0 00:00:50        2
!– To check BGP table
Router1#sh ip bgp
BGP table version is 4, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale
Origin codes: i – IGP, e – EGP, ? – incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 150.1.1.1/32     0.0.0.0                  0         32768 i
*> 150.1.2.2/32     136.1.13.3                             0 3 2 i
*> 150.1.3.3/32     136.1.13.3               0             0 3 i
Router1#
!– Wrong password entered:
Router1(config)#router bgp 1
Router1(config-router)#neighbor 136.1.13.3 password ee !– wrong pass results
*Oct 18 15:27:45.802: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:46.974: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to 136.1.13.1(41138)
*Oct 18 15:27:49.318: %TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.3(179) to
Router3#sh ip bgp
%BGP-5-ADJCHANGE: neighbor 136.1.13.1 Up
Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
2/2 BGP path/bestpath attribute entries using 248 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 616 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.1      4     1       5       5        2    0    0 00:00:02        1
136.1.23.2      4     2       0       0        1    0    0 never    Active
%BGP-5-ADJCHANGE: neighbor 136.1.23.2 Up
Router3#sh ip bgp summary
BGP router identifier 150.1.3.3, local AS number 3
…..
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
136.1.13.1      4     1       7       9        4    0    0 00:02:29        1
136.1.23.2      4     2       7       8        4    0    0 00:02:17        1
!– Verify authentication on a per-neighbor basis:
Router3#sh ip bgp neighbors 136.1.23.2
BGP neighbor is 136.1.23.2, remote AS 2, external link
BGP version 4, remote router ID 150.1.2.2
BGP state = Established, up for 00:02:26
……
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6
Datagrams (max data segment is 1460 bytes):
Rcvd: 12 (out of order: 0), with data: 6, total data bytes: 212
Sent: 10 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 6, total data bytes: 297
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
Router3#sh ip bgp neighbors 136.1.13.1
BGP neighbor is 136.1.13.1, remote AS 1, external link
BGP version 4, remote router ID 150.1.1.1
BGP state = Established, up for 00:02:50
Last read 00:00:01, last write 00:00:28, hold time is 180, keepalive interval is 60 seconds
Neighbor sessions:
1 active, is multisession capable
…….
Option Flags: nagle, path mtu capable, md5, 0x1000000
IP Precedence value : 6
Datagrams (max data segment is 1460 bytes):
Rcvd: 13 (out of order: 0), with data: 7, total data bytes: 231
Sent: 12 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 7, total data bytes: 316
Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
!– Failure in authentication
%TCP-6-BADAUTH: Invalid MD5 digest from 136.1.13.1(41138) to 136.1.13.3(179)
!– error message if authentication is not enabled on routers
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
%TCP-6-BADAUTH: No MD5 digest from 136.1.13.1(179) to 136.1.13.3(49376)
##### Theory #####
BGP uses TCP for transport; for authentication it relies on TCP option 19, the MD5 signature option.
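The option 19 check behind the two %TCP-6-BADAUTH messages above, as an added example (not part of the original page and not Cisco's code): the receiver recomputes the RFC 2385 digest with its own password and compares it with the one carried in the segment. Function names, the sequence number, window and payload are constructed for illustration, and the TCP checksum is left at zero because the digest is computed with that field zeroed anyway.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5SIG = 19  # TCP option kind of the MD5 signature option

def md5_digest(src, dst, header, payload, key):
    """MD5 over pseudo-header, fixed 20-byte TCP header with the checksum
    zeroed (options excluded), segment data, then the shared key."""
    seg_len = (header[12] >> 4) * 4 + len(payload)  # header + options + data
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + header[:16] + b"\x00\x00" + header[18:20] + payload + key).digest()

def build_segment(src, dst, sport, dport, payload, key=None):
    """Constructed TCP segment; key=None models a peer with no password set."""
    opt_len = 20 if key is not None else 0  # 18-byte option + 2 NOP pad bytes
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                         ((20 + opt_len) // 4) << 4, 0x18, 4096, 0, 0)
    if key is None:
        return header + payload
    digest = md5_digest(src, dst, header, payload, key)
    return header + bytes([TCP_MD5SIG, 18]) + digest + b"\x01\x01" + payload

def check_segment(src, dst, segment, key):
    """Receiver side: returns 'ok' or the reason the router would log."""
    header_len = (segment[12] >> 4) * 4
    header, options, payload = segment[:20], segment[20:header_len], segment[header_len:]
    received, i = None, 0
    while i < len(options) and options[i] != 0:      # kind 0 ends the list
        if options[i] == 1:                          # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                    # malformed option, stop parsing
        if options[i] == TCP_MD5SIG and options[i + 1] == 18:
            received = options[i + 2:i + 18]
        i += options[i + 1]
    if received is None:
        return "No MD5 digest"
    expected = md5_digest(src, dst, header, payload, key)
    return "ok" if hmac.compare_digest(received, expected) else "Invalid MD5 digest"

if __name__ == "__main__":
    peer, local = "136.1.13.3", "136.1.13.1"         # addresses from the page
    signed = build_segment(peer, local, 179, 41138, b"constructed", b"PASSWORD")
    print(check_segment(peer, local, signed, b"PASSWORD"))  # matching passwords
    print(check_segment(peer, local, signed, b"ee"))        # mismatched password
    print(check_segment(peer, local, build_segment(peer, local, 179, 41138, b"x"), b"ee"))
```

Because the digest covers the addresses, ports and sequence number as well as the password, a segment signed for one session does not verify on another.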
##############################################################################################################