Configure BGP MD5 Authentication for Tenant BGP Peer
About this task
Provide md5-password during BGP peer create or update operations.
Procedure
- Run the efa tenant service bgp peer create command to create the peer.
    efa tenant service bgp peer create --name <bgp-peer-name> --tenant <tenant-name> \
      --ipv4-uc-nbr <device-ip,vrf-name:neighbor-ip,remote-asn> \
      --ipv4-uc-nbr-bfd <device-ip,vrf-name:neighbor-ip,true|false> \
      --ipv4-uc-nbr-md5-password <device-ip,vrf-name:neighbor-ip,ipv4-md5-password>
- Run the efa tenant service bgp peer update command to update the peer.
    efa tenant service bgp peer update --name <bgp-peer-name> --tenant <tenant-name> \
      --operation peer-add \
      --ipv4-uc-nbr <device-ip,vrf-name:neighbor-ip,remote-asn> \
      --ipv4-uc-nbr-bfd <device-ip,vrf-name:neighbor-ip,true|false> \
      --ipv4-uc-nbr-md5-password <device-ip,vrf-name:neighbor-ip,ipv4-md5-password>
Example
    efa tenant service bgp peer create --name ten1bgppeer1 --tenant ten1 \
      --ipv4-uc-nbr 10.20.246.15,ten1vrf1:10.20.30.40,50000 \
      --ipv4-uc-nbr-bfd 10.20.246.15,ten1vrf1:10.20.30.40,true \
      --ipv4-uc-nbr-md5-password 10.20.246.15,ten1vrf1:10.20.30.40,password \
      --ipv4-uc-nbr 10.20.246.16,ten1vrf1:10.20.30.40,50000 \
      --ipv4-uc-nbr-bfd 10.20.246.16,ten1vrf1:10.20.30.40,true \
      --ipv4-uc-nbr-md5-password 10.20.246.16,ten1vrf1:10.20.30.40,password

    efa tenant service bgp peer update --name ten1bgppeer1 --tenant ten1 \
      --operation peer-add \
      --ipv4-uc-nbr 10.20.246.15,ten1vrf1:10.20.30.50,50000 \
      --ipv4-uc-nbr-bfd 10.20.246.15,ten1vrf1:10.20.30.50,true \
      --ipv4-uc-nbr-md5-password 10.20.246.15,ten1vrf1:10.20.30.50,password1 \
      --ipv4-uc-nbr 10.20.246.16,ten1vrf1:10.20.30.50,50000 \
      --ipv4-uc-nbr-bfd 10.20.246.16,ten1vrf1:10.20.30.50,true \
      --ipv4-uc-nbr-md5-password 10.20.246.16,ten1vrf1:10.20.30.50,password1

    efa tenant service bgp peer show --detail
    ============================================================
    Name        : ten1bgppeer1
    Tenant      : ten1
    State       : bs-state-created
    Description :
    Static Peer
    -----------
        Device IP        : 10.20.246.15
        VRF              : ten1vrf1
        AFI              : ipv4
        SAFI             : unicast
        Remote IP        : 10.20.30.40
        Remote ASN       : 50000
        Next Hop Self    : false
        Update Source IP :
        BFD Enabled      : true
        BFD Interval     : 0
        BFD Rx           : 0
        BFD Multiplier   : 0
        MD5 Password     : $9$MCgKGaNt6OASX68/7TC6Lw==
        Dev State        : provisioned
        App State        : cfg-in-sync

        Device IP        : 10.20.246.15
        VRF              : ten1vrf1
        AFI              : ipv4
        SAFI             : unicast
        Remote IP        : 10.20.30.50
        Remote ASN       : 50000
        Next Hop Self    : false
        Update Source IP :
        BFD Enabled      : true
        BFD Interval     : 0
        BFD Rx           : 0
        BFD Multiplier   : 0
        MD5 Password     : $9$ufD04Gw+49ex4H8UtvifqA==
        Dev State        : provisioned
        App State        : cfg-in-sync

        Device IP        : 10.20.246.16
        VRF              : ten1vrf1
        AFI              : ipv4
        SAFI             : unicast
        Remote IP        : 10.20.30.40
        Remote ASN       : 50000
        Next Hop Self    : false
        Update Source IP :
        BFD Enabled      : true
        BFD Interval     : 0
        BFD Rx           : 0
        BFD Multiplier   : 0
        MD5 Password     : $9$MCgKGaNt6OASX68/7TC6Lw==
        Dev State        : provisioned
        App State        : cfg-in-sync

        Device IP        : 10.20.246.16
        VRF              : ten1vrf1
        AFI              : ipv4
        SAFI             : unicast
        Remote IP        : 10.20.30.50
        Remote ASN       : 50000
        Next Hop Self    : false
        Update Source IP :
        BFD Enabled      : true
        BFD Interval     : 0
        BFD Rx           : 0
        BFD Multiplier   : 0
        MD5 Password     : $9$ufD04Gw+49ex4H8UtvifqA==
        Dev State        : provisioned
        App State        : cfg-in-sync
    Dynamic Peer
    -----------
        0 Records
        0 Records
    ===========================================================
- Complete the configuration on SLX as provided in the following example.
    L1# show running-config router bgp
    router bgp
     local-as 4200000000
     capability as4-enable
     fast-external-fallover
     neighbor 10.20.20.4 remote-as 4200000000
     neighbor 10.20.20.4 next-hop-self
     address-family ipv4 unicast
      network 172.31.254.46/32
      network 172.31.254.123/32
      maximum-paths 8
      graceful-restart
     !
     address-family ipv4 unicast vrf ten1vrf1
      redistribute connected
      neighbor 10.20.30.40 remote-as 50000
      neighbor 10.20.30.40 password $9$MCgKGaNt6OASX68/7TC6Lw==
      neighbor 10.20.30.40 bfd
      neighbor 10.20.30.50 remote-as 50000
      neighbor 10.20.30.50 password $9$ufD04Gw+49ex4H8UtvifqA==
      neighbor 10.20.30.50 bfd
      maximum-paths 8
     !
     address-family ipv6 unicast
     !
     address-family ipv6 unicast vrf ten1vrf1
      redistribute connected
      maximum-paths 8
     !
     address-family l2vpn evpn
      graceful-restart
     !
    !

    L2# show running-config router bgp
    router bgp
     local-as 4200000000
     capability as4-enable
     fast-external-fallover
     neighbor 10.20.20.5 remote-as 4200000000
     neighbor 10.20.20.5 next-hop-self
     address-family ipv4 unicast
      network 172.31.254.46/32
      network 172.31.254.176/32
      maximum-paths 8
      graceful-restart
     !
     address-family ipv4 unicast vrf ten1vrf1
      redistribute connected
      neighbor 10.20.30.40 remote-as 50000
      neighbor 10.20.30.40 password $9$MCgKGaNt6OASX68/7TC6Lw==
      neighbor 10.20.30.40 bfd
      neighbor 10.20.30.50 remote-as 50000
      neighbor 10.20.30.50 password $9$ufD04Gw+49ex4H8UtvifqA==
      neighbor 10.20.30.50 bfd
      maximum-paths 8
     !
     address-family ipv6 unicast
     !
     address-family ipv6 unicast vrf ten1vrf1
Note
The MD5 password cannot be set or unset on an existing BGP peer present within a peer instance. You need to remove the BGP peer from the BGP peer instance and then add back the BGP peer to the peer instance with the desired MD5 password configuration.
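Because a password cannot be added to a peer in place, it helps to know which neighbors lack one before planning the remove and re-add. The following audit script is an added example, not part of the original documentation or the EFA/SLX tooling; it parses text in the layout of the `show running-config router bgp` output above. The sample config, the neighbor 10.20.30.60, and the password value are constructed for illustration.

```python
import re

# Constructed sample in the layout of the "show running-config router bgp"
# output above; 10.20.30.60 is a hypothetical neighbor with no password line,
# and the $9$ value is a made-up placeholder.
SAMPLE_CONFIG = """\
router bgp
 local-as 4200000000
 address-family ipv4 unicast vrf ten1vrf1
  redistribute connected
  neighbor 10.20.30.40 remote-as 50000
  neighbor 10.20.30.40 password $9$EXAMPLEONLY==
  neighbor 10.20.30.40 bfd
  neighbor 10.20.30.60 remote-as 50000
  neighbor 10.20.30.60 bfd
  maximum-paths 8
 !
 address-family ipv6 unicast vrf ten1vrf1
  redistribute connected
 !
!
"""

NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s+(\S+)")
AF_RE = re.compile(r"^address-family\s+(.+)$")

def audit_bgp_md5(config_text):
    """Return {(address_family, neighbor): has_password} for every neighbor."""
    peers = {}
    scope = "global"  # neighbors listed before any address-family block
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            scope = "global"  # '!' closes the current address-family block
            continue
        af = AF_RE.match(line)
        if af:
            scope = af.group(1)
            continue
        nbr = NEIGHBOR_RE.match(line)
        if nbr:
            key = (scope, nbr.group(1))
            peers[key] = peers.get(key, False) or nbr.group(2) == "password"
    return peers

def unauthenticated_peers(config_text):
    """Neighbors with no 'password' statement, sorted for stable output."""
    return sorted(k for k, ok in audit_bgp_md5(config_text).items() if not ok)

if __name__ == "__main__":
    for scope, ip in unauthenticated_peers(SAMPLE_CONFIG):
        print(f"no MD5 password: neighbor {ip} in [{scope}]")
```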