Configure BGP MD5 Password Create, Update, and Clear

Use the efa fabric setting update command to set or clear the MD5 password on a new fabric.

About this task

Here is the efa fabric setting update command:

efa fabric setting update --name <fabric-name> --md5-password-enable <yes/no> --md5-password <password> 

If the command is entered with md5-password-enable set to "yes" but without the md5-password option, you are prompted for the password string, and the string entered at the prompt is not displayed on the screen.

Note

When providing a password string on the command line, that is, using efa fabric setting update --name <fabric-name> --md5-password <password>, you must enclose the string in single quotes if it contains special characters. For example: efa fabric setting update --name fabric1 --md5-password 'pass%!'. Enclosing the password string in single quotes is not required when the string is entered using the prompt.

After setting the md5-password, you must configure the fabric, using the command efa fabric configure --name <fabric-name>, to apply this MD5 password on fabric devices so that the BGP neighbor sessions are authenticated.

When you configure the md5-password on a fabric that has just been created, or a fabric that has not yet been configured, there is no change in the device app-state. However, if the md5-password is set after the fabric is configured, there is a new app-state, the fabric setting is refreshed (and devices will be set to), indicating that the fabric properties have been modified and the fabric has to be reconfigured to apply the new settings. As part of fabric configuration, once the MD5 password is successfully configured on all the fabric links on a device, the app state on that device goes back to the cfg-in-sync state.

Procedure

  1. Run the efa fabric setting update --name <fabric-name> --md5-password-enable <yes/no> --md5-password <password> command to set the MD5 password.
    efa fabric setting update --name fabric1 --md5-password-enable yes
    Please supply a password for BGP MD5 authentication on fabric links:
  2. Run the efa fabric configure --name <fabric-name> command to apply this MD5 password on fabric devices so that the BGP neighbor sessions are authenticated.
    To create or update MD5 authentication:
    efa fabric configure --name fabric1
    To clear MD5 authentication:
    efa fabric setting update --name fabric1 --md5-password-enable no
    efa fabric configure --name fabric1

    When you configure the md5-password on a fabric that has just been created, or a fabric that has not yet been configured, there is no change in the device app-state. However, if the md5-password is set after the fabric is configured, the fabric status is set to settings-updated along with the field BGP-MD5, indicating that settings have been updated. This means that the fabric properties have been modified and the fabric has to be reconfigured to apply the new settings. As part of fabric configuration, when the devices are successfully configured, the fabric status goes back to configure-success.

    Example

    Fabric Name: fabric1, Fabric Description: , Fabric Stage: 3, Fabric Type: clos, Fabric Status: settings-updated
    Updated Fabric Settings: BGP-MD5
    +---------------+-----+-----------+-------+-------+--------------+-------------+-------------------+-----------------+---------+-------+
    | IP ADDRESS    | POD | HOST NAME | ASN   | ROLE  | DEVICE STATE | APP STATE   | CONFIG GEN REASON | PENDING CONFIGS | VTLB ID | LB ID |
    +---------------+-----+-----------+-------+-------+--------------+-------------+-------------------+-----------------+---------+-------+
    | 10.17.112.223 |     | spine1    | 64512 | spine | provisioned  | cfg in-sync | MD5               | MD5-U           | NA      | 1     |
    | 10.17.112.224 |     | spine2    | 64512 | spine | provisioned  | cfg in-sync | MD5               | MD5-U           | NA      | 1     |
    | 10.17.112.221 |     | leaf1     | 65002 | leaf  | provisioned  | cfg in-sync | MD5               | MD5-U           | 2       | 1     |
    | 10.17.112.222 |     | leaf2     | 65002 | leaf  | provisioned  | cfg in-sync | MD5               | MD5-U           | 2       | 1     |
    | 10.17.112.225 |     | leaf3     | 65000 | leaf  | provisioned  | cfg in-sync | MD5               | MD5-U           | 2       | 1     |
    | 10.17.112.226 |     | leaf4     | 65000 | leaf  | provisioned  | cfg in-sync | MD5               | MD5-U           | 2       | 1     |
    +---------------+-----+-----------+-------+-------+--------------+-------------+-------------------+-----------------+---------+-------+
    FABRIC SETTING:
    BGPLL - BGP Dynamic Peer Listen Limit, BGP-MD5 - BGP MD5 Password
    CONFIG GEN REASON:
    LD - Link Delete, LA - Link Add, IU - Interface Update, PLC - IPPrefixList Create, PLD - IPPrefixList Delete, PLU - IPPrefixList Update
    MD/MU - MCT Delete/Update, OD - Overlay Gateway Delete, OU - Overlay Gateway Update, ED - Evpn Delete, PC - RouterPim Create, PD - RouterPim Delete, BGP - BGP Config
    DD - Dependent Device Update, DA - Device Add, DR - Device ReAdd, ASN - Asn Update, PU - RouterPim Update, SYS - System Properties Update, NA - Not Applicable
    PENDING CONFIGS:
    MCT - MCT Cluster, O - Overlay Gateway, SYSP - System Properties, INTIP - Interface IP, BGP - BGP Config
    C/D/U - Create/Delete/Update, PA/PD - Port Add/Port Delete
    For App or Device Error/Failure reason, run "efa fabric error show" for details
    For config refresh reason, run "efa fabric debug config-gen-reason" for details
    
    Note

    When the MD5 password is updated, the neighbor sessions have to be cleared for the new configuration to take effect, resulting in a network outage until the new sessions are established. Because configuring the MD5 password disrupts the network in this way, a warning message with a confirmation prompt is displayed before the setting is applied, indicating the impact of the md5-password setting on an active fabric. This warning message is displayed only when there is a need to reconfigure the fabric, that is, when the password is set after the fabric is configured.
    efa fabric setting update --name fabric1 --md5-password-enable yes
    
    Please supply a password for BGP MD5 authentication on fabric links:
    
    WARNING: configuring/clearing md5-password on an active fabric will result in BGP neighbor sessions
    going down for a brief period when the fabric is reconfigured.
    
    Please confirm if you want to continue with the fabric setting update [y/n]?
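
The following is an added example, not part of the original procedure or of EFA itself: a shell check that reads fabric status text in the format of the Example above and reports whether the BGP MD5 setting is still waiting for efa fabric configure. The function names are hypothetical, the sample is constructed from the Example output, and treating any PENDING CONFIGS value containing MD5 as pending is an assumption based on that output.

```shell
# Constructed sample, trimmed from the Example output on this page.
sample_output() {
cat <<'EOF'
Fabric Name: fabric1, Fabric Description: , Fabric Stage: 3, Fabric Type: clos, Fabric Status: settings-updated
Updated Fabric Settings: BGP-MD5
| IP ADDRESS    | POD | HOST NAME | ASN   | ROLE  | DEVICE STATE | APP STATE   | CONFIG GEN REASON | PENDING CONFIGS | VTLB ID | LB ID |
| 10.17.112.223 |     | spine1    | 64512 | spine | provisioned  | cfg in-sync | MD5               | MD5-U           | NA      | 1     |
| 10.17.112.221 |     | leaf1     | 65002 | leaf  | provisioned  | cfg in-sync | MD5               | MD5-U           | 2       | 1     |
EOF
}

# md5_report (hypothetical helper): read fabric status text on stdin and
# print three key=value lines: status, bgp_md5_updated, pending.
md5_report() {
    awk '
        /Fabric Status:/ {
            s = $0; sub(/.*Fabric Status: */, "", s); sub(/[ ,].*/, "", s)
            status = s
        }
        /^ *Updated Fabric Settings:/ { if ($0 ~ /BGP-MD5/) upd = "yes" }
        /^ *\|/ {
            n = split($0, c, "|")
            for (i = 1; i <= n; i++) gsub(/^ +| +$/, "", c[i])
            if (c[2] == "IP ADDRESS") {            # header row: locate the column
                for (i = 1; i <= n; i++) if (c[i] == "PENDING CONFIGS") pcol = i
            } else if (pcol && c[pcol] ~ /MD5/) {  # device row still waiting on MD5
                pend = pend (pend ? "," : "") c[2]
            }
        }
        END {
            print "status=" status
            print "bgp_md5_updated=" (upd ? "yes" : "no")
            print "pending=" pend
        }'
}

# md5_needs_configure (hypothetical helper): exit 0 if the fabric still has to
# be reconfigured for the MD5 setting to reach the devices, 1 otherwise.
md5_needs_configure() {
    r=$(md5_report)
    case "$r" in
        *"status=settings-updated"*"bgp_md5_updated=yes"*) return 0 ;;
    esac
    case "$r" in
        *"pending="?*) return 0 ;;   # at least one device listed as pending
    esac
    return 1
}

sample_output | md5_report
```

Pipe the real status output into md5_needs_configure before and after running efa fabric configure to confirm that no device is left without the MD5 password applied.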