
peer password

Function

The peer password command enables Message Digest 5 (MD5) authentication for the TCP connection between two BGP peers.

The undo peer password command disables this function.

By default, this function is disabled.

Format

peer { group-name | ipv4-address | ipv6-address } password { cipher cipher-password | simple simple-password }

undo peer { group-name | ipv4-address | ipv6-address } password

Parameters

| Parameter | Description | Value |
|---|---|---|
| group-name | Specifies the name of the peer group. | The name is a string of 1 to 47 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| ipv4-address | Specifies the IPv4 address of the peer. | It is in dotted decimal notation. |
| ipv6-address | Specifies the IPv6 address of the peer. | The address is a 32-digit hexadecimal number in the X:X:X:X:X:X:X:X format. |
| cipher cipher-password | Specifies the string of the cipher text password. | You can type the plain text of 1 to 255 characters without any space, or the cipher text of 20 to 392 characters without any space. |
| simple simple-password | Specifies the password in plain text. NOTE: When configuring an authentication password, select cipher mode: in simple mode the password is saved in configuration files in plaintext, which is a high security risk. To ensure device security, change the password periodically. | It is a string of 1 to 255 characters without any space. |

Views

BGP view, BGP-VPN instance IPv4 address family view, BGP-VPN instance IPv6 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The peer password command can be used to configure MD5 authentication for BGP packets exchanged during the establishment of a TCP connection between peers, improving BGP security.

A password can be set either in cipher text or plain text. A plain text password is a configured character string that is directly recorded in a configuration file. A cipher text password is a character string that is encrypted by using a special algorithm and then recorded in a configuration file.

Prerequisites

The peer as-number command has been used to create a peer or peer group.

Configuration Impact

BGP uses TCP as the transport layer protocol. To enhance BGP security, MD5 authentication can be implemented for BGP packets exchanged during the establishment of a TCP connection. MD5 authentication, however, does not authenticate BGP packets. Instead, it sets the MD5 authentication password for the TCP connection, and the authentication is performed by TCP. If authentication fails, no TCP connection is established.

Precautions

MD5 authentication and Keychain authentication are mutually exclusive on a peer.

After the peer password command is run on a device to enable MD5 authentication, the device will re-establish the peer relationship with its peer.

To add a BGP peer on which the peer password command has been run to a peer group on which the command has also been run, and have the peer inherit the authentication configuration of the peer group, run the undo peer password command for the peer before running the peer group command to add it to the peer group.

Spaces are not allowed in the password.

Example

# Authenticate the TCP connection between the local router and the peer 1.1.1.2.

<sysname> system-view
[sysname] bgp 100
[sysname-bgp] peer 1.1.1.2 as-number 200
[sysname-bgp] peer 1.1.1.2 password cipher Huawei-123
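
The following Python check is an added example, not part of the vendor documentation: it scans a saved configuration for peers left at the default (no password, so no MD5 authentication) or configured in simple mode, which stores the password in plaintext. The sample configuration, the function name audit_bgp_peer_passwords and the finding labels are constructed for illustration; it assumes a single BGP view and that members join a group with peer <address> group <group-name>.

```python
import re

# Constructed sample of a saved configuration (not device output); the cipher
# string is a placeholder and the simple password is made up.
SAMPLE_CONFIG = """\
bgp 100
 peer 1.1.1.2 as-number 200
 peer 1.1.1.2 password cipher %PLACEHOLDER-CIPHERTEXT%
 peer 1.1.1.3 as-number 200
 peer 1.1.1.3 password simple Constructed-Pass1
 peer 2001:db8::2 as-number 300
 group grp1 external
 peer grp1 as-number 200
 peer grp1 password cipher %PLACEHOLDER-CIPHERTEXT%
 peer 1.1.1.4 group grp1
"""

# Matches only the three peer sub-commands the audit needs; 'undo peer ...'
# lines do not match because the line must start with 'peer'.
PEER_RE = re.compile(r"^\s*peer\s+(\S+)\s+(as-number|password|group)\s+(\S+)")

def audit_bgp_peer_passwords(config_text):
    """Return (target, finding) pairs in configuration order.

    finding is 'no-password' (authentication disabled, the default) or
    'simple-plaintext' (password readable in the configuration file).
    The password value itself is never returned.
    """
    mode = {}       # peer or group -> 'cipher' or 'simple'
    member_of = {}  # peer address -> peer group it was added to
    targets = []    # peers and groups, in order of first appearance
    for line in config_text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        target, keyword, value = m.groups()
        if keyword == "password":
            mode[target] = value
        else:
            if keyword == "group":
                member_of[target] = value
            if target not in targets:
                targets.append(target)
    findings = []
    for t in targets:
        # A peer's own setting wins; otherwise it inherits from its group.
        effective = mode.get(t) or mode.get(member_of.get(t))
        if effective != "cipher":
            findings.append((t, "simple-plaintext" if effective == "simple" else "no-password"))
    return findings
```

On the constructed sample, the check reports 1.1.1.3 (simple mode) and 2001:db8::2 (no password), while 1.1.1.4 passes because it inherits the cipher password of grp1.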
Copyright © Huawei Technologies Co., Ltd.