BGP Authentication
BGP supports MD5 authentication between neighbors, using a shared password.
It is configured under BGP router configuration mode with the
command neighbor {ip-address | peer-group-name} password password.
When authentication is configured, BGP authenticates every TCP segment
from its peer and checks the source of each routing update. Most ISPs
require authentication for their EBGP peers.
Peering will succeed only if both routers are configured for authentication
and have the same password. If your router has authentication configured
and the neighbor does not, your router will display the error message
“%TCP-6-BADAUTH: No MD5 digest from peer’s-IP-address:11003 to
local-router’s-IP-address:179.”
If the neighbor router is configured with a nonmatching password, your
router will display the error message “%TCP-6-BADAUTH: Invalid MD5
digest from peer’s-IP-address:11004 to local-router’s-IP-address:179.”
If a router has a password configured for a neighbor, but the neighbor router
does not, a message such as the following will display on the console while
the routers attempt to establish a BGP session between them:
%TCP-6-BADAUTH: No MD5 digest from [peer’s IP address]:11003 to
[local router’s IP address]:179
Similarly, if the two routers have different passwords configured, a message
such as the following will display on the screen:
%TCP-6-BADAUTH: Invalid MD5 digest from [peer’s IP address]:11004
to [local router’s IP address]:179
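The receiver-side check behind those two messages, as an added example that is not part of the original notes or of any router's code. It computes the TCP MD5 signature as RFC 2385 defines it (option kind 19). The function names, the password and the constructed segments are assumptions; ports 11003 and 179 are taken from the sample message above.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT = 19  # TCP MD5 Signature option kind (RFC 2385); option length is 18

def md5_digest(src, dst, header, payload, password):
    """MD5 over pseudo-header, 20-byte header (checksum zeroed, options
    excluded), segment data, then the shared password, per RFC 2385."""
    seg_len = (header[12] >> 4) * 4 + len(payload)   # header incl. options + data
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)
    base = header[:16] + b"\x00\x00" + header[18:20]
    return hashlib.md5(pseudo + base + payload + password).digest()

def find_md5_option(options):
    """Walk the TCP options; return the 16-byte digest or None if absent."""
    i = 0
    while i < len(options) and options[i] != 0:      # kind 0 ends the list
        if options[i] == 1:                          # kind 1 is one-byte padding
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return None                              # malformed option list
        if options[i] == MD5_OPT and length == 18:
            return options[i + 2:i + 18]
        i += length
    return None

def build_segment(src, dst, payload, password=None):
    """Constructed sender (ports and flags are sample values): signs the
    segment when a password is set, sends it unsigned otherwise."""
    off = 10 if password else 5                      # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 11003, 179, 1, 0, off << 4, 0x02, 4096, 0, 0)
    if not password:
        return hdr + payload
    digest = md5_digest(src, dst, hdr, payload, password)
    return hdr + bytes([MD5_OPT, 18]) + digest + b"\x01\x01" + payload

def check_segment(src, dst, segment, password):
    """Receiver with a password configured: the three possible outcomes."""
    hlen = (segment[12] >> 4) * 4
    header, payload = segment[:hlen], segment[hlen:]
    received = find_md5_option(header[20:])
    if received is None:
        return "No MD5 digest"
    expected = md5_digest(src, dst, header, payload, password)
    return "OK" if hmac.compare_digest(received, expected) else "Invalid MD5 digest"
```

Because the source and destination addresses are part of the hashed pseudo-header, a segment replayed from a different source address also fails with "Invalid MD5 digest".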