Configure BGP MD5 Authentication for Tenant BGP Peer-group

You can provide an MD5 password during BGP peer-group create or update operations.

Procedure

  1. Use the efa tenant service bgp peer-group create command to create the peer group. 
    efa tenant service bgp peer-group create 
           --name <bgp-pg-name> --tenant <tenant-name>
           --pg-name <device-ip:pg-name> --pg-asn <device-ip,pg-name:remote-asn>
           --pg-bfd-enable <device-ip,pg-name:true|false> 
           --pg-md5-password <device-ip,pg-name:md5-password>
  2. Use the efa tenant service bgp peer-group update command to update the peer group. 
    efa tenant service bgp peer-group update 
           --name <bgp-pg-name> --tenant <tenant-name> 
           --operation peer-group-add 
           --pg-name <device-ip:pg-name> --pg-asn <device-ip,pg-name:remote-asn>
           --pg-bfd-enable <device-ip,pg-name:true|false> 
           --pg-md5-password <device-ip,pg-name:md5-password>

    Example

    efa tenant service bgp peer-group create 
           --name ten1bgppg1 --tenant ten1 
           --pg-name 10.20.246.15:pg1 --pg-asn 10.20.246.15,pg1:55001 
           --pg-bfd-enable 10.20.246.15,pg1:true 
           --pg-md5-password 10.20.246.15,pg1:password 
           --pg-name 10.20.246.16:pg1 --pg-asn 10.20.246.16,pg1:55001 
           --pg-bfd-enable 10.20.246.16,pg1:true 
           --pg-md5-password 10.20.246.16,pg1:password

efa tenant service bgp peer-group update 
           --name ten1bgppg1 --tenant ten1 
           --operation peer-group-add 
           --pg-name 10.20.246.15:pg2 --pg-asn 10.20.246.15,pg2:55002 
           --pg-bfd-enable 10.20.246.15,pg2:true 
           --pg-md5-password 10.20.246.15,pg2:password1 
           --pg-name 10.20.246.16:pg2 --pg-asn 10.20.246.16,pg2:55002 
           --pg-bfd-enable 10.20.246.16,pg2:true 
           --pg-md5-password 10.20.246.16,pg2:password1

    efa tenant service bgp peer-group show --detail
============================================================================================
Name             : ten1bgppg1
Tenant           : ten1
State            : bgp-pg-state-created

Peer Group
----------
        Device IP        : 10.20.246.15
        Peer Group       : pg1
        Remote ASN       : 55001
        Next Hop Self    : false
        BFD Enabled      : true
        BFD Interval     :
        BFD Rx           :
        BFD Multiplier   :
	MD5 Password : $9$MCgKGaNt6OASX68/7TC6Lw==
        Dev State        : provisioned
        App State        : cfg-in-sync

        Device IP        : 10.20.246.15
        Peer Group       : pg2
        Remote ASN       : 55002
        Next Hop Self    : false
        BFD Enabled      : true
        BFD Interval     :
        BFD Rx           :
        BFD Multiplier   :
        MD5 Password : $9$ufD04Gw+49ex4H8UtvifqA==
        Dev State        : provisioned
        App State        : cfg-in-sync

        Device IP        : 10.20.246.16
        Peer Group       : pg1
        Remote ASN       : 55001
        Next Hop Self    : false
        BFD Enabled      : true
        BFD Interval     :
        BFD Rx           :
        BFD Multiplier   :
	MD5 Password : $9$MCgKGaNt6OASX68/7TC6Lw==
        Dev State        : provisioned
        App State        : cfg-in-sync

        Device IP        : 10.20.246.16
        Peer Group       : pg2
        Remote ASN       : 55002
        Next Hop Self    : false
        BFD Enabled      : true
        BFD Interval     :
        BFD Rx           :
        BFD Multiplier   :
	MD5 Password : $9$ufD04Gw+49ex4H8UtvifqA==
        Dev State        : provisioned
        App State        : cfg-in-sync
============================================================================================
  3. Complete the following configuration on SLX. 
    L1# show running-config router bgp
router bgp
 local-as 4200000000
 capability as4-enable
 fast-external-fallover
 neighbor pg1 peer-group
 neighbor pg1 remote-as 55001
 neighbor pg1 password $9$MCgKGaNt6OASX68/7TC6Lw==
 neighbor pg1 bfd
 neighbor pg2 peer-group
 neighbor pg2 remote-as 55002
 neighbor pg2 password $9$ufD04Gw+49ex4H8UtvifqA==
 neighbor pg2 bfd
 neighbor 10.20.20.4 remote-as 4200000000
 neighbor 10.20.20.4 next-hop-self
 address-family ipv4 unicast
  network 172.31.254.46/32
  network 172.31.254.123/32
  maximum-paths 8
  graceful-restart
 !
 address-family ipv4 unicast vrf ten1vrf1
  redistribute connected
  maximum-paths 8
 !
 address-family ipv6 unicast
 !
 address-family ipv6 unicast vrf ten1vrf1
  redistribute connected
  maximum-paths 8
 !
 address-family l2vpn evpn
  graceful-restart
 !
!

    L2# show running-config router bgp
router bgp
 local-as 4200000000
 capability as4-enable
 fast-external-fallover
 neighbor pg1 peer-group
 neighbor pg1 remote-as 55001
 neighbor pg1 password $9$MCgKGaNt6OASX68/7TC6Lw==
 neighbor pg1 bfd
 neighbor pg2 peer-group
 neighbor pg2 remote-as 55002
 neighbor pg2 password $9$ufD04Gw+49ex4H8UtvifqA==
 neighbor pg2 bfd
 neighbor 10.20.20.5 remote-as 4200000000
 neighbor 10.20.20.5 next-hop-self
 address-family ipv4 unicast
  network 172.31.254.46/32
  network 172.31.254.176/32
  maximum-paths 8
  graceful-restart
 !
 address-family ipv4 unicast vrf ten1vrf1
  redistribute connected
  maximum-paths 8
 !
 address-family ipv6 unicast
 !
 address-family ipv6 unicast vrf ten1vrf1
  redistribute connected
  maximum-paths 8
 !
 address-family l2vpn evpn
  graceful-restart
 !
!
    Note

    Note

    The MD5 password cannot be set or unset on an existing BGP peer-group present within a peer-group instance. You need to remove the BGP peer-group from the BGP peer-group instance and then add back the BGP peer-group to the peer-group instance with the desired MD5 password configuration.
9037430-00 Rev AA