Enabling keychain authentication for BGP peers

Keychain authentication enhances the security of TCP connection establishment between BGP peers. It allows BGP peers to establish TCP connections only when the following conditions are met:

Before configuring keychain authentication, make sure the specified keychain has been created.

For more information about keychains, see Security Configuration Guide.

To enable keychain authentication for BGP peers (IPv4 unicast/multicast address family):

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter BGP instance view or BGP-VPN instance view.
   Command:
     • Enter BGP instance view: bgp as-number [ instance instance-name ]
     • Enter BGP-VPN instance view:
       1. bgp as-number [ instance instance-name ]
       2. ip vpn-instance vpn-instance-name
   Remarks: N/A

3. Enable keychain authentication for a BGP peer or peer group.
   Command: peer { group-name | ip-address [ mask-length ] } keychain keychain-name
   Remarks: By default, keychain authentication is disabled.

To enable keychain authentication for BGP peers (IPv6 unicast/multicast address family):

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter BGP instance view or BGP-VPN instance view.
   Command:
     • Enter BGP instance view: bgp as-number [ instance instance-name ]
     • Enter BGP-VPN instance view:
       1. bgp as-number [ instance instance-name ]
       2. ip vpn-instance vpn-instance-name
   Remarks: N/A

3. Enable keychain authentication for a BGP peer or peer group.
   Command: peer { group-name | ipv6-address [ prefix-length ] } keychain keychain-name
   Remarks: By default, keychain authentication is disabled.
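
Because keychain authentication is disabled by default, a saved configuration can be checked for peers that were never given a keychain. The following audit script is an added example, not part of the original guide or the vendor's tooling. It assumes the configuration text is indented one space per nested view with "#" between views, and that a peer added to a group inherits the group's keychain; the sample configuration, AS numbers, addresses and keychain names are constructed.

```python
import re

# Constructed sample laid out like a saved configuration (assumed format:
# one space of indentation per nested view, "#" between views).
SAMPLE_CONFIG = """\
bgp 65001
 group EDGE external
 peer EDGE keychain KC-EDGE
 peer 10.1.1.2 as-number 65002
 peer 10.1.1.2 keychain KC-CORE
 peer 10.1.3.2 group EDGE
 peer 2001:db8::2 as-number 65002
 #
 address-family ipv4 unicast
  peer 10.1.1.2 enable
 #
 ip vpn-instance vpn1
  peer 10.2.2.2 as-number 65003
#
"""

# peer { group-name | address [ length ] } <keyword> [ <argument> ]
PEER = re.compile(r"peer (\S+)(?: (\d+))? (\S+)(?: (\S+))?")

def peers_without_keychain(config):
    """Return sorted (scope, peer) pairs lacking a keychain, own or inherited."""
    bgp = vpn = None
    seen, keychain, member_of = set(), {}, {}
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line:
            continue
        if indent == 0:                     # a top-level view starts or ends
            bgp, vpn = (line if line.startswith("bgp ") else None), None
        elif indent == 1 and line != "#":   # a line directly under the bgp view
            vpn = line.split()[-1] if line.startswith("ip vpn-instance ") else None
        m = PEER.match(line)
        if not (bgp and m):
            continue
        target, length, keyword, arg = m.groups()
        scope = f"{bgp} vpn-instance {vpn}" if vpn else bgp
        key = (scope, f"{target}/{length}" if length else target)
        seen.add(key)
        if keyword == "keychain":
            keychain[key] = arg
        elif keyword == "group":            # assumed: peer inherits group settings
            member_of[key] = (scope, arg)
    return sorted(k for k in seen
                  if k not in keychain and member_of.get(k) not in keychain)

if __name__ == "__main__":
    for scope, peer in peers_without_keychain(SAMPLE_CONFIG):
        print(f"{scope}: peer {peer} has no keychain")
```

Peers are tracked per BGP instance and per VPN instance, so the same address configured in two views is reported separately for each.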