Configure BGP MD5 Authentication for Tenant BGP Peer

About this task

Provide the MD5 password with the --ipv4-uc-nbr-md5-password option when you create or update a BGP peer.

Procedure

  1. Run the efa tenant service bgp peer create command to create the peer.
    efa tenant service bgp peer create 
               --name <bgp-peer-name> --tenant <tenant-name> 
               --ipv4-uc-nbr <device-ip,vrf-name:neighbor-ip,remote-asn> 
               --ipv4-uc-nbr-bfd <device-ip,vrf-name:neighbor-ip,true|false> 
               --ipv4-uc-nbr-md5-password <device-ip,vrf-name:neighbor-ip,ipv4-md5-password>
    
  2. Run the efa tenant service bgp peer update command to update the peer.
    efa tenant service bgp peer update 
               --name <bgp-peer-name> --tenant <tenant-name> 
               --operation peer-add
               --ipv4-uc-nbr <device-ip,vrf-name:neighbor-ip,remote-asn> 
               --ipv4-uc-nbr-bfd <device-ip,vrf-name:neighbor-ip,true|false> 
               --ipv4-uc-nbr-md5-password <device-ip,vrf-name:neighbor-ip,ipv4-md5-password>
    

    Example

    efa tenant service bgp peer create 
               --name ten1bgppeer1 --tenant ten1 
               --ipv4-uc-nbr 10.20.246.15,ten1vrf1:10.20.30.40,50000 
               --ipv4-uc-nbr-bfd 10.20.246.15,ten1vrf1:10.20.30.40,true 
               --ipv4-uc-nbr-md5-password 10.20.246.15,ten1vrf1:10.20.30.40,password 
               --ipv4-uc-nbr 10.20.246.16,ten1vrf1:10.20.30.40,50000 
               --ipv4-uc-nbr-bfd 10.20.246.16,ten1vrf1:10.20.30.40,true 
               --ipv4-uc-nbr-md5-password 10.20.246.16,ten1vrf1:10.20.30.40,password
    efa tenant service bgp peer update 
               --name ten1bgppeer1 --tenant ten1 
               --operation peer-add 
               --ipv4-uc-nbr 10.20.246.15,ten1vrf1:10.20.30.50,50000 
               --ipv4-uc-nbr-bfd 10.20.246.15,ten1vrf1:10.20.30.50,true 
               --ipv4-uc-nbr-md5-password 10.20.246.15,ten1vrf1:10.20.30.50,password1 
               --ipv4-uc-nbr 10.20.246.16,ten1vrf1:10.20.30.50,50000 
               --ipv4-uc-nbr-bfd 10.20.246.16,ten1vrf1:10.20.30.50,true 
               --ipv4-uc-nbr-md5-password 10.20.246.16,ten1vrf1:10.20.30.50,password1
    
    efa tenant service bgp peer show --detail
    ============================================================
    Name             : ten1bgppeer1
    Tenant           : ten1
    State            : bs-state-created
    Description      :
    
    Static Peer
    -----------
            Device IP        : 10.20.246.15
            VRF              : ten1vrf1
            AFI              : ipv4
            SAFI             : unicast
            Remote IP        : 10.20.30.40
            Remote ASN       : 50000
            Next Hop Self    : false
            Update Source IP :
            BFD Enabled      : true
            BFD Interval     : 0
            BFD Rx           : 0
            BFD Multiplier   : 0
            MD5 Password : $9$MCgKGaNt6OASX68/7TC6Lw==
            Dev State        : provisioned
            App State        : cfg-in-sync
    
            Device IP        : 10.20.246.15
            VRF              : ten1vrf1
            AFI              : ipv4
            SAFI             : unicast
            Remote IP        : 10.20.30.50
            Remote ASN       : 50000
            Next Hop Self    : false
            Update Source IP :
            BFD Enabled      : true
            BFD Interval     : 0
            BFD Rx           : 0
            BFD Multiplier   : 0
            MD5 Password : $9$ufD04Gw+49ex4H8UtvifqA==
            Dev State        : provisioned
            App State        : cfg-in-sync
            Device IP        : 10.20.246.16
            VRF              : ten1vrf1
            AFI              : ipv4
            SAFI             : unicast
            Remote IP        : 10.20.30.40
            Remote ASN       : 50000
            Next Hop Self    : false
            Update Source IP :
            BFD Enabled      : true
            BFD Interval     : 0
            BFD Rx           : 0
            BFD Multiplier   : 0
            MD5 Password : $9$MCgKGaNt6OASX68/7TC6Lw==
            Dev State        : provisioned
            App State        : cfg-in-sync
    
            Device IP        : 10.20.246.16
            VRF              : ten1vrf1
            AFI              : ipv4
            SAFI             : unicast
            Remote IP        : 10.20.30.50
            Remote ASN       : 50000
            Next Hop Self    : false
            Update Source IP :
            BFD Enabled      : true
            BFD Interval     : 0
            BFD Rx           : 0
            BFD Multiplier   : 0
            MD5 Password : $9$ufD04Gw+49ex4H8UtvifqA==
            Dev State        : provisioned
            App State        : cfg-in-sync
    Dynamic Peer
    -----------
            0 Records
            0 Records
    ===========================================================
    
  3. Complete the configuration on SLX as provided in the following example.
    L1# show running-config router bgp
    router bgp
     local-as 4200000000
     capability as4-enable
     fast-external-fallover
     neighbor 10.20.20.4 remote-as 4200000000
     neighbor 10.20.20.4 next-hop-self
     address-family ipv4 unicast
      network 172.31.254.46/32
      network 172.31.254.123/32
      maximum-paths 8
      graceful-restart
     !
     address-family ipv4 unicast vrf ten1vrf1
      redistribute connected
      neighbor 10.20.30.40 remote-as 50000
      neighbor 10.20.30.40 password $9$MCgKGaNt6OASX68/7TC6Lw==
      neighbor 10.20.30.40 bfd
      neighbor 10.20.30.50 remote-as 50000
      neighbor 10.20.30.50 password $9$ufD04Gw+49ex4H8UtvifqA==
      neighbor 10.20.30.50 bfd
      maximum-paths 8
     !
     address-family ipv6 unicast
     !
     address-family ipv6 unicast vrf ten1vrf1
      redistribute connected
      maximum-paths 8
     !
     address-family l2vpn evpn
      graceful-restart
     !
    !
    L2# show running-config router bgp
    router bgp
     local-as 4200000000
     capability as4-enable
     fast-external-fallover
     neighbor 10.20.20.5 remote-as 4200000000
     neighbor 10.20.20.5 next-hop-self
     address-family ipv4 unicast
      network 172.31.254.46/32
      network 172.31.254.176/32
      maximum-paths 8
      graceful-restart
     !
     address-family ipv4 unicast vrf ten1vrf1
      redistribute connected
      neighbor 10.20.30.40 remote-as 50000
      neighbor 10.20.30.40 password $9$MCgKGaNt6OASX68/7TC6Lw==
      neighbor 10.20.30.40 bfd
      neighbor 10.20.30.50 remote-as 50000
      neighbor 10.20.30.50 password $9$ufD04Gw+49ex4H8UtvifqA==
      neighbor 10.20.30.50 bfd
      maximum-paths 8
     !
     address-family ipv6 unicast
     !
     address-family ipv6 unicast vrf ten1vrf1
    Note

    The MD5 password cannot be set or unset on an existing BGP peer present within a peer instance. You need to remove the BGP peer from the BGP peer instance and then add back the BGP peer to the peer instance with the desired MD5 password configuration.
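
The running-config check in step 3 can be automated. The following is an added example, not part of the EFA or SLX documentation: it parses text in the layout of `show running-config router bgp` and reports neighbors that have a `remote-as` line but no `password` line, plus neighbors whose stored password strings are identical. The function name, the sample text, the placeholder secrets and neighbor 10.20.30.60 are assumptions made for illustration; the reuse check assumes that equal passwords produce equal stored strings, as the L1 and L2 output above shows for the same neighbor.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `show running-config router bgp` above.
# The secrets are placeholders; neighbor 10.20.30.60 is invented for the demo.
SAMPLE = """\
router bgp
 local-as 4200000000
 neighbor 10.20.20.4 remote-as 4200000000
 neighbor 10.20.20.4 next-hop-self
 address-family ipv4 unicast
  maximum-paths 8
 !
 address-family ipv4 unicast vrf ten1vrf1
  neighbor 10.20.30.40 remote-as 50000
  neighbor 10.20.30.40 password $9$PLACEHOLDER-A
  neighbor 10.20.30.50 remote-as 50000
  neighbor 10.20.30.50 password $9$PLACEHOLDER-A
  neighbor 10.20.30.60 remote-as 50000
  neighbor 10.20.30.60 bfd
 !
!
"""

AF_RE = re.compile(r"address-family \S+ \S+(?: vrf (\S+))?$")
NBR_RE = re.compile(r"neighbor (\S+) (remote-as|password) (\S+)")

def audit_bgp(config):
    """Return (peers without a password, groups of peers sharing one secret)."""
    vrf, peers = "default-vrf", {}      # peers: (vrf, neighbor) -> secret or None
    for line in map(str.strip, config.splitlines()):
        af, nbr = AF_RE.match(line), NBR_RE.match(line)
        if line == "!":                 # end of an address-family block
            vrf = "default-vrf"
        elif af:
            vrf = af.group(1) or "default-vrf"
        elif nbr:
            key = (vrf, nbr.group(1))
            peers.setdefault(key, None)
            if nbr.group(2) == "password":
                peers[key] = nbr.group(3)
    missing = sorted(k for k, v in peers.items() if v is None)
    by_secret = defaultdict(list)
    for key, secret in peers.items():
        if secret is not None:
            by_secret[secret].append(key)
    reused = sorted(sorted(keys) for keys in by_secret.values() if len(keys) > 1)
    return missing, reused

if __name__ == "__main__":
    missing, reused = audit_bgp(SAMPLE)
    print("no MD5 password:", missing)
    print("shared secret:", reused)
```

Run against the configuration shown in step 3, the same check would list the default-VRF neighbor (10.20.20.4 on L1, 10.20.20.5 on L2) as having no password, because only the tenant VRF peers carry one.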