BGP MD5 Authentication


You are working for a networking site and are responsible for creating labs. After a day of working on BGP labs you notice you don't have any lab on MD5 authentication. BGP authentication is not one of the more spectacular features, but you need to write an article to show other network gurus how it works. Let's see if you can do it!


  • All IP addresses have been preconfigured for you as specified in the topology picture.
  • Configure EBGP between AS 1 and AS 2.
  • Configure MD5 authentication between router Piece and Cake.







Written by René Molenaar - CCIE #41726


About the Author: Rene Molenaar

René - CCIE #41726 is the creator of where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on


  1. I put both passwords and although the adjacency formed, I keep getting TCP-6-BADAUTH console messages for multiple ports:

    Cake(config-router)#do show run | s router bgp 2
    router bgp 2
    no synchronization
    bgp log-neighbor-changes
    neighbor remote-as 1
    neighbor password cisco
    no auto-summary

    Piece(config-router)#do show run | s router bgp 1
    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    neighbor remote-as 2
    neighbor password cisco
    no auto-summary
    *Mar 1 00:07:46.683: %TCP-6-BADAUTH: No MD5 digest from to
    *Mar 1 00:07:46.715: %TCP-6-BADAUTH: No MD5 digest from to

  2. Solid lab.

    RE: Brian Lenertz's comment about %TCP-6-BADAUTH:

    I purposefully established eBGP before configuring MD5.
    Even when the correct password was configured, I observed the same thing Brian did with the BADAUTH messages.

    Adjusting BGP timers did not affect the error message.
    Clearing the BGP session also did not affect the error message.
    However, bouncing the link did resolve the issue.

    I found this link to be good reading.

    Old Behavior
    In previous versions of Cisco IOS software, configuring MD5 authentication for a BGP peering session was generally considered to be difficult because the initial configuration and any subsequent MD5 configuration changes required the BGP neighbor to be reset.

    New Behavior
    This behavior has been changed in current versions of Cisco IOS software. CSCdx23494 introduced a change to MD5 authentication for BGP peering sessions. The BGP peering session does not need to be reset to maintain or establish the peering session for initial configuration or after the MD5 configuration has been changed. However, the configuration must be completed on both the local and remote BGP peer before the BGP hold timer expires. If the hold down timer expires before the MD5 configuration has been completed on both BGP peers, the BGP session will time out.

    When the password has been configured, the MD5 key is applied to the TCP session immediately. If one peer is configured before the other, the TCP segments will be discarded on both the local and remote peers due to an authentication failure. The peer that is configured with the password will print an error message in the console similar to the following:

    00:03:07: %TCP-6-BADAUTH: No MD5 digest from to

    The time period in which the password must be changed is typically the life time of a stale BGP session. When the password or MD5 key is configured, incoming TCP segments will only be accepted if the key is known. If the key is unknown on both the remote and local peer, the TCP segments will be dropped, and the BGP session will time out when the holddown timer expires.

    If the BGP session has been preconfigured with a hold time of 0 seconds, no keepalive messages will be sent. The BGP session will stay up until one of the peers, on either side, tries to transmit a message (for example, a prefix update).

    Configuring a new timer value for the holddown timer will only take effect after the session has been reset. So, it is not possible to change the configuration of the holddown timer to avoid resetting the BGP session.
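
The behaviour discussed in the comments above, as an added example that is not part of the original page or of the Cisco text quoted in it: the BGP neighbor password enables the TCP MD5 signature option (RFC 2385), and this sketch computes and checks that option for one segment, showing why a peer with no password produces the "No MD5 digest" case while a wrong password fails differently. The addresses, ports, sequence number and KEEPALIVE payload are constructed; the password `cisco` is the one in the posted configs.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18            # RFC 2385 option: kind 19, length 18
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"  # constructed BGP KEEPALIVE message
PIECE, CAKE = "192.0.2.1", "192.0.2.2"      # constructed addresses, not the lab's


def md5_digest(src, dst, header, payload, key):
    """RFC 2385 digest input: pseudo-header, base header, data, key."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(header) + len(payload))
    base = header[:16] + b"\x00\x00" + header[18:20]  # checksum zeroed, no options
    return hashlib.md5(pseudo + base + payload + key).digest()


def build_header(src, dst, sport, dport, seq, payload, key=None):
    """Constructed TCP header; carries the MD5 option only when key is set."""
    opts = (bytes([MD5SIG_KIND, MD5SIG_LEN]) + bytes(16) + b"\x01\x01") if key else b""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         ((20 + len(opts)) // 4) << 4, 0x18, 16384, 0, 0) + opts
    if key:
        digest = md5_digest(src, dst, header, payload, key)
        header = header[:22] + digest + header[38:]   # fill the 16 digest bytes
    return header


def check_segment(src, dst, header, payload, key):
    """Receiver with a password set: returns 'ok', 'no_digest' (the case IOS
    logs as "No MD5 digest") or 'bad_digest' (digest present, wrong key/data)."""
    opts, i = header[20:(header[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:           # kind 0 ends the option list
        if opts[i] == 1:                            # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # malformed option, stop
            break
        if opts[i] == MD5SIG_KIND and opts[i + 1] == MD5SIG_LEN:
            want = md5_digest(src, dst, header, payload, key)
            return "ok" if hmac.compare_digest(opts[i + 2:i + 18], want) else "bad_digest"
        i += opts[i + 1]
    return "no_digest"


if __name__ == "__main__":
    for sender_key in (b"cisco", None, b"c1sco"):   # match, unset, mismatch
        hdr = build_header(PIECE, CAKE, 179, 11003, 1, KEEPALIVE, sender_key)
        print(sender_key, check_segment(PIECE, CAKE, hdr, KEEPALIVE, b"cisco"))
```

Because the digest covers the segment data as well as the key, a segment altered in transit fails the same check as one signed with the wrong password.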
