
peer keychain (BGP)

Function

The peer keychain command configures the keychain authentication for establishing the TCP connection between BGP peers.

The undo peer keychain command restores the default setting.

By default, the keychain authentication is not configured for BGP peers.

Product | Support
S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S | Supported
S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI | Not supported

Format

peer { group-name | ipv4-address } keychain keychain-name

undo peer { group-name | ipv4-address } keychain

Parameters

Parameter | Description | Value
group-name | Specifies the name of a BGP peer group. | The name is a string of 1 to 47 case-sensitive characters, with spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
ipv4-address | Specifies the IPv4 address of a BGP peer. | It is in dotted decimal notation.
keychain-name | Specifies the name of the keychain authentication. | The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and spaces. However, when double quotation marks (") are used around the string, spaces are allowed in the string.

Views

BGP view, BGP-VPN instance IPv4 address family view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Configuring keychain authentication improves the security of the TCP connection. Keychain authentication for TCP-based applications must be configured on both BGP peers. The encryption algorithms and passwords configured for keychain authentication on both peers must be the same; otherwise, the TCP connection cannot be set up between the BGP peers and BGP messages cannot be transmitted.

Prerequisites

Peer relationships have been established using the peer as-number command.

Before configuring BGP keychain authentication, a keychain with the name specified by keychain-name must be configured first. For keychain configuration details, see Keychain Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.

Precautions

The peer keychain command and the peer password command are mutually exclusive. The SHA256 and HMAC-SHA256 encryption algorithms are recommended for keychain authentication.

Example

# Configure the keychain authentication named Huawei for BGP peers.

<HUAWEI> system-view
[HUAWEI] bgp 100
[HUAWEI-bgp] peer 10.1.1.2 as-number 200
[HUAWEI-bgp] peer 10.1.1.2 keychain Huawei
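
The following Python sketch is an added example, not part of the Huawei documentation. It lints a BGP configuration snippet before deployment against the rules on this page: every peer has a keychain, peer keychain and peer password are not combined, and the keychain name is well-formed and refers to a configured keychain. The sample configuration, the finding labels, the function names, and the assumption that quotation marks do not count toward the 47-character limit are constructed for illustration.

```python
import re

# Matches "peer <target> <keyword> [value]"; the target may be a quoted group name.
PEER_RE = re.compile(r'^\s*peer\s+("[^"]+"|\S+)\s+(as-number|keychain|password)\b\s*(.*)$')

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
bgp 100
 peer 10.1.1.2 as-number 200
 peer 10.1.1.2 keychain Huawei
 peer 10.1.1.3 as-number 300
 peer 10.1.1.3 password cipher CONSTRUCTED-VALUE
 peer 10.1.1.4 as-number 400
 peer 10.1.1.5 as-number 500
 peer 10.1.1.5 keychain bad?name
 peer 10.1.1.6 as-number 600
 peer 10.1.1.6 keychain Backup
 peer 10.1.1.7 as-number 700
 peer 10.1.1.7 keychain HUAWEI
 peer 10.1.1.7 password cipher CONSTRUCTED-VALUE
"""

def valid_keychain_name(raw):
    """1 to 47 characters, no '?', spaces only inside double quotation marks."""
    quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
    name = raw[1:-1] if quoted else raw  # assumption: quotes are not counted
    return 1 <= len(name) <= 47 and "?" not in name and (quoted or " " not in name)

def audit_bgp_peers(config, defined_keychains):
    """Return (peer, finding) tuples in the order peers first appear."""
    peers = {}
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if m:
            target, keyword, value = m.groups()
            peers.setdefault(target, {})[keyword] = value.strip()
    defined = {name.lower() for name in defined_keychains}  # names are case-insensitive
    findings = []
    for target, cfg in peers.items():
        chain = cfg.get("keychain")
        if chain is not None and "password" in cfg:
            findings.append((target, "keychain-and-password"))  # mutually exclusive
        if chain is None:
            findings.append((target, "password-only" if "password" in cfg else "no-authentication"))
        elif not valid_keychain_name(chain):
            findings.append((target, "invalid-keychain-name"))
        elif chain.strip('"').lower() not in defined:
            findings.append((target, "undefined-keychain"))
    return findings
```

Calling audit_bgp_peers(SAMPLE_CONFIG, ["Huawei"]) reports every peer except 10.1.1.2; the list of defined keychain names is supplied by the caller rather than parsed from the configuration.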
Copyright © Huawei Technologies Co., Ltd.