Adding BGP auth to existing neighborship

Hi, maybe someone can help or has experience on this. During review we have found BGP session without authentication. We now need to add this part to the existing session.

Is there any process to follow when adding authentication to an existing BGP neighbor session? That is, can the authentication be added “on the fly” from both ends while the BGP session is still active? Or should the BGP neighbor be deactivated for the change? Of course, downtime has to be as small as possible.

Thanks & Best regards, Chris

Hello Christian

Enabling MD5 authentication on a BGP peering involves a single command on each of the two peers. Specifically, it is a command in the following form:

neighbor 80.80.80.80 password cisco

where “cisco” is the password that must be used on both ends of the peering.

When you configure or change the password on one peer, the neighbor will not tear down the peering until the holddown timer expires. By default, the holddown timer is 3 minutes or 180 seconds. If you change the password on the neighbor before that holddown timer expires, then the peering will remain up. Theoretically, you will have no disruption in your network.

However, it is always a good idea to perform such changes during a maintenance window.

For more information, take a look at this NetworkLessons Note on BGP Authentication.

I hope this has been helpful!

Laz
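The change-within-the-hold-time procedure from the answer above, as an added Cisco IOS walkthrough that is not part of the original post. The AS numbers, the second peer address 80.80.80.81 and the hostnames are assumed; the peer 80.80.80.80 and the password are the ones shown in the answer.

```cisco
! Step 1: on both peers, confirm the negotiated hold time before touching anything.
! The two password commands must be applied within this window.
R1# show ip bgp neighbors 80.80.80.80 | include hold time|BGP state
  BGP state = Established, up for 2d03h
  Last read 00:00:12, last write 00:00:27, hold time is 180, keepalive interval is 60 seconds

! Step 2: add the password on the first peer (R1, AS 65001 - assumed).
R1# configure terminal
R1(config)# router bgp 65001
R1(config-router)# neighbor 80.80.80.80 password cisco
R1(config-router)# end

! From this moment R1 rejects unauthenticated TCP segments from 80.80.80.80 and
! logs %TCP-6-BADAUTH for them; the session is only lost if the hold timer runs out.

! Step 3: within the hold time, add the identical password on the second peer
! (R2, AS 65002 - assumed; its own address 80.80.80.81 is assumed).
R2# configure terminal
R2(config)# router bgp 65002
R2(config-router)# neighbor 80.80.80.81 password cisco
R2(config-router)# end

! Step 4: verify the session never flapped: the uptime must still be the old value,
! not a few seconds, and the state must still be Established.
R1# show ip bgp neighbors 80.80.80.80 | include BGP state|Option Flags
  BGP state = Established, up for 2d03h
  Option Flags: nagle, path mtu capable, md5
R2# show ip bgp summary | include 80.80.80.81
80.80.80.81     4        65001  123456  123450       42    0    0 2d03h       1500
```

If the Up/Down column or "up for" value has reset to seconds, the second command landed after the hold timer expired and the session was re-established; the peering still comes back up as long as both passwords match.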

Thanks Laz for confirming. This is what I have tested as well, but yes, this will be done during a maintenance window.