Bgp Keychains; Configure Keychains For Bgp - Cisco NCS 5500 Series Configuration Manual

Implementing BGP

BGP Keychains

BGP keychains enable keychain authentication between two BGP peers. The BGP endpoints must both comply
with draft-bonica-tcp-auth-05.txt and a keychain on one endpoint and a password on the other endpoint does
not work.
BGP is able to use the keychain to implement hitless key rollover for authentication. Key rollover specification
is time based, and in the event of clock skew between the peers, the rollover process is impacted. The
configurable tolerance specification allows for the accept window to be extended (before and after) by that
margin. This accept window facilitates a hitless key rollover for applications (for example, routing and
management protocols).
The key rollover does not impact the BGP session, unless there is a keychain configuration mismatch at the
endpoints resulting in no common keys for the session traffic (send or accept).

Configure Keychains for BGP

Keychains provide secure authentication by supporting different MAC authentication algorithms and provide
graceful key rollover. Perform this task to configure keychains for BGP. This task is optional.
Note If a keychain is configured for a neighbor group or a session group, a neighbor using the group inherits
the keychain. Values of commands configured specifically for a neighbor override inherited values.
SUMMARY STEPS
1. configure
2. router bgp as-number
3. neighbor ip-address
4. remote-as as-number
5. keychain name
6. commit
DETAILED STEPS
Step 1 configure
Step 2 router bgp as-number
Example:
RP/0/RP0/CPU0:router(config)# router bgp 120
Specifies the autonomous system number and enters the BGP configuration mode, allowing you to configure the BGP
routing process.
Step 3 neighbor ip-address
BGP Configuration Guide for Cisco NCS 5500 Series Routers, IOS XR Release 6.2.x
BGP Keychains
65