Example: Configuring BFD Authentication for RIP
This example shows how to configure Bidirectional Forwarding Detection (BFD) authentication for a RIP network.
Requirements
No special configuration beyond device initialization is required before configuring this example.
The devices must be running Junos OS Release 9.6 or later.
Overview
Only three steps are needed to configure authentication on a BFD session:
- Specify the BFD authentication algorithm for the RIP protocol.
- Associate the authentication keychain with the RIP protocol.
- Configure the related security authentication keychain.
Figure 1 shows the topology used in this example.
Figure 1: RIP BFD Authentication Network Topology

CLI Quick Configuration shows the configuration for all of the devices in Figure 1. The section Step-by-Step Procedure describes the steps on Device R1.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
Device R2
Device R3
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure BFD authentication:
- Configure the network interfaces.
[edit interfaces]
user@R1# set fe-1/2/0 unit 1 family inet address 10.0.0.1/30
- Create the RIP group and add the interface.
To configure RIP in Junos OS, you must configure a group that contains the interfaces on which RIP is enabled. You do not need to enable RIP on the loopback interface.
[edit protocols rip group rip-group]
user@R1# set neighbor fe-1/2/0.1
- Create the routing policy to advertise both direct and RIP-learned routes.
[edit policy-options policy-statement advertise-routes-through-rip term 1]
user@R1# set from protocol direct
user@R1# set from protocol rip
user@R1# set then accept
- Apply the routing policy.
In Junos OS, you can only apply RIP export policies at the group level.
[edit protocols rip group rip-group]
user@R1# set export advertise-routes-through-rip
- Enable BFD.
[edit protocols rip group rip-group]
user@R1# set bfd-liveness-detection minimum-interval 600
- Specify the algorithm (keyed-md5, keyed-sha-1, meticulous-keyed-md5, meticulous-keyed-sha-1, or simple-password) to use.
Note: Nonstop active routing is not supported with meticulous-keyed-md5 and meticulous-keyed-sha-1 authentication algorithms. BFD sessions using these algorithms might go down after a switchover.
[edit protocols rip group rip-group]
user@R1# set bfd-liveness-detection authentication algorithm keyed-md5
- Specify the keychain to be used to associate BFD sessions on RIP with the unique security authentication keychain attributes.
The keychain you specify must match a keychain name configured at the [edit security authentication-key-chains] hierarchy level.
The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.
[edit protocols rip group rip-group]
user@R1# set bfd-liveness-detection authentication key-chain bfd-rip
- (Optional) Specify loose authentication checking if you are transitioning from nonauthenticated sessions to authenticated sessions.
[edit protocols rip group rip-group]
user@R1# set bfd-liveness-detection authentication loose-check
- Specify the unique security authentication information for BFD sessions:
  - The matching keychain name as specified in Step 7.
  - At least one key, a unique integer between 0 and 63. Creating multiple keys allows multiple clients to use the BFD session.
  - The secret data used to allow access to the session.
  - The time at which the authentication key becomes active, in the format yyyy-mm-dd.hh:mm:ss.
[edit security authentication-key-chains key-chain bfd-rip]
user@R1# set key 53 secret "$9$d1V2aZGi.fzDiORSeXxDikqmT"
user@R1# set key 53 start-time "2012-2-16.12:00:00 -0800"
- Configure tracing operations to track BFD authentication.
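The rules stated in this procedure (the keychain named under RIP must exist, key IDs run from 0 to 63, both ends must agree on algorithm and keychain, and loose-check is transitional) can be checked offline before commit. The following Python audit is an added example, not part of the original page or Junos tooling; the set-form sample lines, the R2 peer configuration, the placeholder secrets, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample input in "set" form, built from the commands in this procedure;
# R2's lines are an assumption (a deliberately mismatched peer), secrets are placeholders.
R1 = """\
set protocols rip group rip-group bfd-liveness-detection authentication algorithm keyed-md5
set protocols rip group rip-group bfd-liveness-detection authentication key-chain bfd-rip
set protocols rip group rip-group bfd-liveness-detection authentication loose-check
set security authentication-key-chains key-chain bfd-rip key 53 secret "$9$PLACEHOLDER"
"""
R2 = """\
set protocols rip group rip-group bfd-liveness-detection authentication algorithm keyed-sha-1
set protocols rip group rip-group bfd-liveness-detection authentication key-chain bfd-rip
set security authentication-key-chains key-chain bfd-rip key 64 secret "$9$PLACEHOLDER"
"""

AUTH = re.compile(r"set protocols rip group (\S+) bfd-liveness-detection "
                  r"authentication (algorithm|key-chain|loose-check)(?: (\S+))?$")
KEY = re.compile(r"set security authentication-key-chains key-chain (\S+) key (\d+) ")

def parse(config):
    """Return ({group: {setting: value}}, {keychain: {key ids}})."""
    groups, chains = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := AUTH.match(line):
            groups.setdefault(m[1], {})[m[2]] = m[3] or True
        elif m := KEY.match(line):
            chains.setdefault(m[1], set()).add(int(m[2]))
    return groups, chains

def audit(config):
    """Findings for one device: dangling keychain, bad key ID, loose-check left on."""
    groups, chains = parse(config)
    findings = []
    for group, auth in sorted(groups.items()):
        chain = auth.get("key-chain")
        if chain not in chains:
            findings.append(f"{group}: key-chain {chain!r} is not defined")
        for key_id in sorted(chains.get(chain, ())):
            if not 0 <= key_id <= 63:
                findings.append(f"{chain}: key {key_id} outside 0-63")
        if auth.get("loose-check"):
            findings.append(f"{group}: loose-check still enabled")
    return findings

def peers_match(a, b, group="rip-group"):
    """True only if both ends name the same algorithm and keychain."""
    ends = [parse(c)[0].get(group, {}) for c in (a, b)]
    return all(ends[0].get(k) and ends[0].get(k) == ends[1].get(k) for k in ("algorithm", "key-chain"))
```

The keychain name comparison does not prove the secrets match; that still has to be confirmed on the devices.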
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show policy-options, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying That the BFD Sessions Are Authenticated
- Viewing Extensive Information About the BFD Authentication
- Checking the BFD Trace File
Verifying That the BFD Sessions Are Authenticated
Purpose
Make sure that the BFD sessions are authenticated.
Action
From operational mode, enter the show bfd session detail command.
user@R1> show bfd session detail
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.0.0.2                 Up        fe-1/2/0.1     1.800     0.600        3
 Client RIP, TX interval 0.600, RX interval 0.600, Authenticate
 Session up time 01:39:34
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical system 6, routing table index 53

1 sessions, 1 clients
Cumulative transmit rate 1.7 pps, cumulative receive rate 1.7 pps
Meaning
Authenticate is displayed to indicate that BFD authentication is configured.
Viewing Extensive Information About the BFD Authentication
Purpose
View the keychain name, the authentication algorithm and mode for each client in the session, and the BFD authentication configuration status.
Action
From operational mode, enter the show bfd session extensive command.
user@R1> show bfd session extensive
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.0.0.2                 Up        fe-1/2/0.1     1.800     0.600        3
 Client RIP, TX interval 0.600, RX interval 0.600, Authenticate
        keychain bfd-rip, algo keyed-md5, mode loose
 Session up time 01:46:29
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical system 6, routing table index 53
 Min async interval 0.600, min slow interval 1.000
 Adaptive async TX interval 0.600, RX interval 0.600
 Local min TX interval 0.600, minimum RX interval 0.600, multiplier 3
 Remote min TX interval 0.600, min RX interval 0.600, multiplier 3
 Local discriminator 225, remote discriminator 226
 Echo mode disabled/inactive
 Authentication enabled/active, keychain bfd-rip, algo keyed-md5, mode loose
 Session ID: 0x300501

1 sessions, 1 clients
Cumulative transmit rate 1.7 pps, cumulative receive rate 1.7 pps
Meaning
The output shows the keychain name, the authentication algorithm and mode for the client in the session, and the BFD authentication configuration status.
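When many sessions are involved, the same fields can be read programmatically to find sessions that are unauthenticated or still in loose mode. The parser below is an added example, not part of the original page; the first session in the sample mirrors the output above, while the second session (10.0.0.6 on fe-1/2/1.1) and the assumption that an unauthenticated session simply omits the Authenticate marker are constructed for illustration.

```python
import re

# Constructed sample: the first session mirrors the output on this page; the
# second (10.0.0.6, no authentication) is an assumption added for contrast.
SAMPLE = """\
                                                  Detect   Transmit
Address                  State     Interface      Time     Interval  Multiplier
10.0.0.2                 Up        fe-1/2/0.1     1.800     0.600        3
 Client RIP, TX interval 0.600, RX interval 0.600, Authenticate
        keychain bfd-rip, algo keyed-md5, mode loose
 Session up time 01:46:29
 Authentication enabled/active, keychain bfd-rip, algo keyed-md5, mode loose
10.0.0.6                 Up        fe-1/2/1.1     1.800     0.600        3
 Client RIP, TX interval 0.600, RX interval 0.600
 Session up time 00:12:03

2 sessions, 2 clients
"""

SESSION = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)")
AUTH = re.compile(r"keychain (\S+), algo (\S+), mode (\S+)")

def parse_sessions(text):
    """Split the output into one record per session (a line starting with an address)."""
    sessions = []
    for line in text.splitlines():
        if m := SESSION.match(line):
            sessions.append({"peer": m[1], "state": m[2], "interface": m[3],
                             "authenticate": False, "auth": None})
        elif sessions:
            cur = sessions[-1]
            # "Authenticate" on the Client line marks a session with authentication configured.
            if line.lstrip().startswith("Client ") and re.search(r"\bAuthenticate\b", line):
                cur["authenticate"] = True
            if m := AUTH.search(line):
                cur["auth"] = {"keychain": m[1], "algo": m[2], "mode": m[3]}
    return sessions

def review(text):
    """Return (peer, issue) pairs for sessions that are unauthenticated or in loose mode."""
    issues = []
    for s in parse_sessions(text):
        if not s["authenticate"] or s["auth"] is None:
            issues.append((s["peer"], "no BFD authentication"))
        elif s["auth"]["mode"] == "loose":
            issues.append((s["peer"], "loose-check mode"))
    return issues
```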
Checking the BFD Trace File
Purpose
Use tracing operations to verify that BFD packets are being exchanged.
Action
From operational mode, enter the show log command.
user@R1> show log bfd-trace
Feb 16 10:26:32 PPM Trace: BFD periodic xmit to 10.0.0.2 (IFL 124, rtbl 53, single-hop port)
Feb 16 10:26:32 Received Downstream TraceMsg (24) len 86:
Feb 16 10:26:32 IfIndex (3) len 4: 0
Feb 16 10:26:32 Protocol (1) len 1: BFD
Feb 16 10:26:32 Data (9) len 61: (hex) 42 46 44 20 70 61 63 6b 65 74 20 66 72 6f 6d 20 31 30 2e
Feb 16 10:26:32 PPM Trace: BFD packet from 10.0.0.1 (IFL 73, rtbl 56, ttl 255) absorbed
Feb 16 10:26:32 Received Downstream TraceMsg (24) len 60:
Feb 16 10:26:32 IfIndex (3) len 4: 0
Feb 16 10:26:32 Protocol (1) len 1: BFD
Feb 16 10:26:32 Data (9) len 35: (hex) 42 46 44 20 70 65 72 69 6f 64 69 63 20 78 6d 69 74 20 6f
...
Meaning
The output shows the normal functioning of BFD.