Cisco Cisco IOS Software Release 12.2(16)B
95
Release Notes for Cisco 7000 Family for Cisco IOS Release 12.2 B
OL-1907-12
Important Notes
Important Notes
SNMP Version 1 BGP4-MIB Limitations
You may notice incorrect BGP trap OID output when using the SNMP version 1 BGP4-MIB that is available
for download at
for download at
. When a router sends out BGP traps
(notifications) about state changes on an SNMP version 1 monitored BGP peer, the enterprise OID is
incorrectly displayed as .1.3.6.1.2.1.15 (bgp) instead of .1.3.6.1.2.1.15.7 (bgpTraps). The problem is not due
to any error with Cisco IOS software. This problem occurs because the BGP4-MIB does not follow RFC 1908
rules regarding version 1 and version 2 trap compliance. This MIB is controlled by IANA under the guidance
of the IETF, and work is currently in progress by the IETF to replace this MIB with a new version that
represents the current state of the BGP protocol. In the meantime, we recommend that you use the SNMP
version 2 BGP4-MIB or the CISCO-BGP4-MIB to avoid an incorrect trap OID.
incorrectly displayed as .1.3.6.1.2.1.15 (bgp) instead of .1.3.6.1.2.1.15.7 (bgpTraps). The problem is not due
to any error with Cisco IOS software. This problem occurs because the BGP4-MIB does not follow RFC 1908
rules regarding version 1 and version 2 trap compliance. This MIB is controlled by IANA under the guidance
of the IETF, and work is currently in progress by the IETF to replace this MIB with a new version that
represents the current state of the BGP protocol. In the meantime, we recommend that you use the SNMP
version 2 BGP4-MIB or the CISCO-BGP4-MIB to avoid an incorrect trap OID.
Configuring MD5 Authentication for BGP Peering Sessions
This section provides general information about deploying MD5 authentication for a BGP session. You
can configure MD5 authentication between two BGP peers, meaning that each segment sent on the TCP
connection between the peers is verified. MD5 authentication must be configured with the same
password on both BGP peers; otherwise, the connection between them will not be made. Configuring
MD5 authentication causes the Cisco IOS software to generate and check the MD5 digest of every
segment sent on the TCP connection. If authentication is invoked and a segment fails authentication, then
an error message will be displayed in the console.
can configure MD5 authentication between two BGP peers, meaning that each segment sent on the TCP
connection between the peers is verified. MD5 authentication must be configured with the same
password on both BGP peers; otherwise, the connection between them will not be made. Configuring
MD5 authentication causes the Cisco IOS software to generate and check the MD5 digest of every
segment sent on the TCP connection. If authentication is invoked and a segment fails authentication, then
an error message will be displayed in the console.
Old Behavior
In previous versions of Cisco IOS software, configuring MD5 authentication for a BGP peering session
was generally considered to be difficult because the initial configuration and any subsequent MD5
configuration changes required the BGP neighbor to be reset.
was generally considered to be difficult because the initial configuration and any subsequent MD5
configuration changes required the BGP neighbor to be reset.
New Behavior
This behavior has been changed in current versions of Cisco IOS software. CSCdx23494 (integrated in
Cisco IOS release 12.2[15]B) introduced a change to MD5 authentication for BGP peering sessions. The
BGP peering session does not need to be reset to maintain or establish the peering session for initial
configuration or after the MD5 configuration has been changed. However, the configuration must be
completed on both the local and remote BGP peer before the BGP hold timer expires. If the hold down
timer expires before the MD5 configuration has been completed on both BGP peers, the BGP session
will time out.
Cisco IOS release 12.2[15]B) introduced a change to MD5 authentication for BGP peering sessions. The
BGP peering session does not need to be reset to maintain or establish the peering session for initial
configuration or after the MD5 configuration has been changed. However, the configuration must be
completed on both the local and remote BGP peer before the BGP hold timer expires. If the hold down
timer expires before the MD5 configuration has been completed on both BGP peers, the BGP session
will time out.
The following example enables the authentication feature between this router and the BGP neighbor at
10.108.1.1. The password that must also be configured for the neighbor is bla4u00=2nkq. The remote
peer must be configured before the holddown timer expires.
10.108.1.1. The password that must also be configured for the neighbor is bla4u00=2nkq. The remote
peer must be configured before the holddown timer expires.
router bgp 109
neighbor 10.108.1.1 password bla4u00=2nkq