Set up MD5 authentication on third-party routers

If you configure MD5 authentication when establishing a Border Gateway Protocol (BGP) session by using Cloud Router, you must also configure MD5 authentication on the peer router. The following sections include guidance specific to several third-party routers.

MD5 authentication is a method of BGP peer authentication that uses the MD5 message-digest algorithm. When you use this approach, both BGP peers must use the same authentication key, or a connection cannot be established between them. After the connection is established, every TCP segment sent between the peers is verified. For more information about MD5 authentication, see RFC 2385. For more information about using MD5 authentication with Cloud Router, see Use MD5 authentication.
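The per-segment check that RFC 2385 defines can be reproduced in a few lines. The following is an added example, not code from the original page or from Cloud Router: it hashes the pseudo-header, the fixed TCP header with a zeroed checksum, the segment data, and the key in that order, then shows a receiver rejecting a segment signed with a different key. The addresses, ports, and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19   # TCP option kind for the MD5 signature (RFC 2385)
OPTIONS_LEN = 20     # 18-byte MD5 option + 2 bytes of padding (constructed)


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, options_len=OPTIONS_LEN):
    """Digest for one IPv4 TCP segment, hashed in the order RFC 2385 lists."""
    if len(fixed_hdr) != 20:
        raise ValueError("pass only the fixed 20-byte TCP header, without options")
    seg_len = 20 + options_len + len(payload)   # length of the whole TCP segment
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    # Bytes 16-17 hold the TCP checksum, which is treated as zero.
    zero_csum_hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    return hashlib.md5(pseudo + zero_csum_hdr + payload + key).digest()


def md5_option(digest):
    """Encode the option: kind 19, length 18, then the 16-byte digest."""
    return struct.pack("!BB", TCPOPT_MD5SIG, 18) + digest


def receiver_accepts(src_ip, dst_ip, fixed_hdr, payload, option, local_key):
    """Recompute the digest with the receiver's own key and compare."""
    if len(option) != 18 or option[0] != TCPOPT_MD5SIG or option[1] != 18:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, local_key)
    return hmac.compare_digest(expected, option[2:])


# Constructed sample: a SYN from an on-premises router to its BGP peer on port 179.
SRC, DST = "169.254.0.2", "169.254.0.1"
SYN_HDR = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 0,
                      ((20 + OPTIONS_LEN) // 4) << 4, 0x02, 65535, 0xBEEF, 0)
KEY = b"example-shared-key"   # placeholder, not a real key

if __name__ == "__main__":
    opt = md5_option(tcp_md5_digest(SRC, DST, SYN_HDR, b"", KEY))
    print("same key:     ", receiver_accepts(SRC, DST, SYN_HDR, b"", opt, KEY))
    print("different key:", receiver_accepts(SRC, DST, SYN_HDR, b"", opt, b"other-key"))
```

A segment that fails this comparison is dropped by the receiver, which is why a key mismatch shows up as a BGP session that never establishes.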

Arista EOS

The following sections describe how to use MD5 authentication with Arista Extensible Operating System (EOS) devices.

For more information, see the Arista documentation.

Configure MD5 authentication

To configure MD5 authentication, log in to the Arista router and associate the BGP peer with your secret key:

router bgp ASN
   neighbor CLOUD_ROUTER_IP_ADDRESS password SECRET_KEY

Replace the following values:

  • ASN: the ASN for the Arista side of the BGP session
  • CLOUD_ROUTER_IP_ADDRESS: the IP address of the Cloud Router that you are peering with
  • SECRET_KEY: your secret MD5 authentication key; make sure you use the same key that you used to configure the corresponding BGP session on the Cloud Router

Verify the configuration

After committing the configuration, verify it:

show running-config

In the output, look for the following details.

...
router bgp ASN
   ...
   neighbor CLOUD_ROUTER_IP_ADDRESS password ENCRYPTED_KEY_STRING
   ...

In this output, ENCRYPTED_KEY_STRING is an encrypted string that represents your secret key.

Verify routes

To verify routes, run the following command.

show ip route bgp

Verify status

To view the status of a BGP neighbor, run the following command.

show ip bgp neighbors CLOUD_ROUTER_IP_ADDRESS

Replace CLOUD_ROUTER_IP_ADDRESS with the IP address of the neighbor.

Cisco IOS and IOS-XE

The following sections describe how to use MD5 authentication with Cisco IOS and IOS-XE devices.

For more information, see MD5 Authentication Between BGP Peers Configuration Example in the Cisco documentation.

Configure MD5 authentication

To configure MD5, log in to the Cisco router and associate the BGP peer with your secret key:

router bgp ASN
 neighbor CLOUD_ROUTER_IP_ADDRESS password SECRET_KEY
 !

Replace the following values:

  • ASN: the ASN for the Cisco side of the BGP session
  • CLOUD_ROUTER_IP_ADDRESS: the IP address of the Cloud Router that you are peering with
  • SECRET_KEY: your secret MD5 authentication key; make sure you use the same key that you used to configure the corresponding BGP session on the Cloud Router

Verify the configuration

After committing the configuration, verify it:

show running-config

In the output, look for the following details:

...
router bgp ASN
 ...
 neighbor CLOUD_ROUTER_IP_ADDRESS password ...
 ...

Verify routes

To verify routes, run the following command.

show ip route bgp

Verify status

To view the status of a BGP neighbor, run the following command.

show ip bgp neighbors CLOUD_ROUTER_IP_ADDRESS

Replace CLOUD_ROUTER_IP_ADDRESS with the IP address of the neighbor.

Juniper JunOS

The following sections describe how to use MD5 authentication with Juniper JunOS devices.

For additional information, see the Juniper documentation.

Configure MD5 authentication

To configure MD5, log in to the Juniper router and associate the BGP peer with your secret key:

set protocols bgp group YOUR_PEER_GROUP neighbor CLOUD_ROUTER_IP_ADDRESS authentication-key SECRET_KEY

Replace the following values:

  • YOUR_PEER_GROUP: the BGP peer group
  • CLOUD_ROUTER_IP_ADDRESS: the IP address of the Cloud Router that you are peering with
  • SECRET_KEY: your secret MD5 authentication key; make sure you use the same key that you used to configure the corresponding BGP session on the Cloud Router

Verify the configuration

After committing the configuration, verify it:

show configuration

In the output, look for the following details.

bgp {
    group YOUR_PEER_GROUP {
        ...
        neighbor CLOUD_ROUTER_IP_ADDRESS {
            authentication-key ENCRYPTED_KEY_STRING; ## SECRET-DATA
            ...
        }
    }
}

In this output, ENCRYPTED_KEY_STRING is an encrypted string that represents your secret key.

Verify routes

To verify routes, run the following command.

show route protocol bgp

Verify status

To view the status of a BGP neighbor, run the following command.

show bgp neighbor CLOUD_ROUTER_IP_ADDRESS

Replace CLOUD_ROUTER_IP_ADDRESS with the IP address of the neighbor.

Palo Alto Networks VM-Series

The following sections describe how to use MD5 authentication with Palo Alto Networks VM-Series devices.

For more information, see the Palo Alto Networks documentation.

Configure MD5 authentication

In the PAN-OS Web Interface, complete the following steps:

  1. Select Network > Virtual Routers > ROUTER_NAME > BGP > Create a new Auth Profile.

  2. In the Auth Profile window, enter values for each of the following:

    • Profile Name
    • Secret/Confirm Secret

    Make sure you use the same secret key that you used to configure the BGP session on the Cloud Router.

  3. Apply your new authentication profile to the BGP session:

    1. Go to Network > Virtual Routers > ROUTER_NAME > BGP > Peer Group > YOUR PEER GROUP > YOUR BGP PEER > Connection Options.

    2. In the Auth Profile field, select the authentication profile that you just created.

  4. Click OK.

Verify the configuration

After you have configured MD5 authentication, verify it by using the PAN-OS Web Interface. To view details about the configuration, go to Network > Virtual Routers > More Runtime Stats > BGP > Peer.

Verify routes

To verify routes by using the PAN-OS Web Interface, complete the following steps:

  1. Select Network > Virtual Routers.

  2. In the row that corresponds with the virtual router that you are interested in, click More Runtime Stats.

  3. Select Routing > Route Table.

Verify status

To verify BGP peer status by using the PAN-OS Web Interface, complete the following steps:

  1. Select Network > Virtual Routers.

  2. In the row that corresponds with the virtual router that you are interested in, click More Runtime Stats.

  3. Select BGP > Peer.

Quagga

The following sections describe how to use MD5 authentication with Quagga devices.

For more information, see the Quagga documentation.

Configure MD5 authentication

To configure MD5, log in to the Quagga router and associate the BGP peer with your secret key:

router bgp ASN
 neighbor CLOUD_ROUTER_IP_ADDRESS password SECRET_KEY
 !

Replace the following values:

  • ASN: the ASN for the Quagga side of the BGP session
  • CLOUD_ROUTER_IP_ADDRESS: the IP address of the Cloud Router that you are peering with
  • SECRET_KEY: your secret MD5 authentication key; make sure you use the same key that you used to configure the corresponding BGP session on the Cloud Router

Verify the configuration

After committing the configuration, verify it:

show running-config

In the output, look for the following details.

...
router bgp ASN
 ...
 neighbor CLOUD_ROUTER_IP_ADDRESS password ENCRYPTED_KEY_STRING
 ...

In this output, ENCRYPTED_KEY_STRING is an encrypted string that represents your secret key.

Verify routes

To view the route table, run the following command.

show ip bgp

For more information, see the Quagga documentation for this command.

Verify status

To verify BGP status, use the following command.

show ip bgp neighbor CLOUD_ROUTER_IP_ADDRESS

Replace CLOUD_ROUTER_IP_ADDRESS with the IP address of the neighbor.
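The "Verify the configuration" steps for Arista, Cisco, Juniper, and Quagga all come down to finding a password or authentication-key line under each BGP neighbor. The following added example (not from the original page; the function names, addresses, ASNs, and sample configurations are constructed) runs that check over saved output and lists the neighbors that have no key. It inspects neighbor-level keys only, so a Junos key set at the group level is not detected.

```python
import re

IOS_NEIGHBOR = re.compile(r"^\s+neighbor\s+(\S+)\s+(\S+)")
JUNOS_NEIGHBOR = re.compile(r"^\s*neighbor\s+([^\s;{]+)\s*([;{])")

def ios_style_peers(config):
    """Arista EOS, Cisco IOS/IOS-XE, Quagga: neighbor -> has a password line."""
    peers, in_bgp = {}, False
    for line in config.splitlines():
        if line[:1].strip():                  # non-indented line starts a stanza
            in_bgp = line.startswith("router bgp ")
        elif in_bgp and (m := IOS_NEIGHBOR.match(line)):
            peers[m[1]] = peers.get(m[1], False) or m[2] == "password"
    return peers

def junos_peers(config):
    """Junos: neighbor -> has authentication-key directly inside its braces."""
    peers, current, depth = {}, None, 0
    for line in config.splitlines():
        if current is None:
            if m := JUNOS_NEIGHBOR.match(line):
                peers[m[1]] = False
                if m[2] == "{":               # stanza body follows on later lines
                    current, depth = m[1], 1
            continue
        if depth == 1 and re.match(r"\s*authentication-key\s+\S", line):
            peers[current] = True
        depth += line.count("{") - line.count("}")
        current = current if depth > 0 else None
    return peers

def missing_auth(peers):
    return sorted(ip for ip, ok in peers.items() if not ok)

# Constructed samples (addresses, ASNs and key strings are placeholders).
IOS_SAMPLE = """router bgp 65001
 neighbor 169.254.0.1 remote-as 64512
 neighbor 169.254.0.1 password CONSTRUCTED_ENCRYPTED_STRING
 neighbor 169.254.1.1 remote-as 64512
"""
JUNOS_SAMPLE = """group cloud {
    neighbor 169.254.0.1 {
        authentication-key "CONSTRUCTED"; ## SECRET-DATA
    }
    neighbor 169.254.1.1 {
        peer-as 64512;
    }
}
"""
print(missing_auth(ios_style_peers(IOS_SAMPLE)), missing_auth(junos_peers(JUNOS_SAMPLE)))
```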
