BGPRouter Config

neighbor [ip] password [key]

Enables MD5 authentication on a BGP peer session to prevent spoofed TCP resets.

Syntax·Router Config
neighbor <ip-address> password <password-string>

When to Use This Command

  • Securing eBGP sessions with ISPs that require MD5 authentication.
  • Protecting BGP sessions from BGP session hijacking attacks.
  • Meeting security compliance requirements for internet-facing routers.
  • Standard practice on all public eBGP sessions.

Command Examples

Configure MD5 auth between eBGP peers

R1(config)# router bgp 65001 R1(config-router)# neighbor 203.0.113.1 password Cisco123!
R1(config-router)#
%TCP-6-BADAUTH: No MD5 digest from 203.0.113.1:179 to 10.0.0.1:32145

The warning means the peer sent a packet without MD5 authentication. Once the ISP also configures the same password, the session establishes normally. Mismatched passwords generate this log continuously.

Verify authentication in neighbor detail

R1# show ip bgp neighbors 203.0.113.1 | include auth
  Option flags: nagle, md5

The 'md5' flag confirms authentication is active on this session.

Understanding the Output

No immediate output, but TCP authentication failures generate syslog messages (%TCP-6-BADAUTH). Verify with 'show ip bgp neighbors [ip]' and look for 'md5' in the option flags. The password is stored in plaintext in the running config (or with type 7 encoding with 'service password-encryption'). Never use weak passwords for BGP MD5.

CCNA Exam Tips

1.

CCNA exam tip: Both sides must have the SAME password — a mismatch keeps the session in Active state with MD5 error syslog messages.

2.

CCNA exam tip: MD5 is the only BGP authentication method in classic IOS (BGPsec is a newer standard not tested in CCNA).

3.

CCNA exam tip: The password is case-sensitive.

4.

CCNA exam tip: Changing or removing the password on a live session resets the BGP session.

Common Mistakes

Mistake 1: Case mismatch in passwords — 'Cisco123' and 'cisco123' are different; the session will never establish.

Mistake 2: Configuring password on only one side — generates continual %TCP-6-BADAUTH syslog messages.

Mistake 3: Forgetting that changing the password resets the BGP session, causing a traffic outage.

Related Commands

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions