neighbor [ip] password [key]
Enables MD5 authentication on a BGP peer session to prevent spoofed TCP resets.
neighbor <ip-address> password <password-string>When to Use This Command
- Securing eBGP sessions with ISPs that require MD5 authentication.
- Protecting BGP sessions from BGP session hijacking attacks.
- Meeting security compliance requirements for internet-facing routers.
- Standard practice on all public eBGP sessions.
Command Examples
Configure MD5 auth between eBGP peers
R1(config)# router bgp 65001
R1(config-router)# neighbor 203.0.113.1 password Cisco123!R1(config-router)# %TCP-6-BADAUTH: No MD5 digest from 203.0.113.1:179 to 10.0.0.1:32145
The warning means the peer sent a packet without MD5 authentication. Once the ISP also configures the same password, the session establishes normally. Mismatched passwords generate this log continuously.
Verify authentication in neighbor detail
R1# show ip bgp neighbors 203.0.113.1 | include authOption flags: nagle, md5
The 'md5' flag confirms authentication is active on this session.
Understanding the Output
No immediate output, but TCP authentication failures generate syslog messages (%TCP-6-BADAUTH). Verify with 'show ip bgp neighbors [ip]' and look for 'md5' in the option flags. The password is stored in plaintext in the running config (or with type 7 encoding with 'service password-encryption'). Never use weak passwords for BGP MD5.
CCNA Exam Tips
CCNA exam tip: Both sides must have the SAME password — a mismatch keeps the session in Active state with MD5 error syslog messages.
CCNA exam tip: MD5 is the only BGP authentication method in classic IOS (BGPsec is a newer standard not tested in CCNA).
CCNA exam tip: The password is case-sensitive.
CCNA exam tip: Changing or removing the password on a live session resets the BGP session.
Common Mistakes
Mistake 1: Case mismatch in passwords — 'Cisco123' and 'cisco123' are different; the session will never establish.
Mistake 2: Configuring password on only one side — generates continual %TCP-6-BADAUTH syslog messages.
Mistake 3: Forgetting that changing the password resets the BGP session, causing a traffic outage.
Related Commands
neighbor [ip] remote-as [asn]
Defines a BGP neighbor (peer) by specifying its IP address and AS number. If the remote AS matches the local AS, this creates an iBGP session; if different, it creates an eBGP session.
router bgp [asn]
Enters BGP router configuration mode and creates a BGP process with the specified autonomous system (AS) number. This is the first command required to configure BGP on a Cisco router.
show ip bgp summary
Displays a summary of the BGP neighbor status and prefix counts, used to quickly verify BGP peering and routing table health.
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions