Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  security authentication-key-chains Not Present on EX?

    Posted 07-11-2014 21:08

    I'm trying to get BGP authentication set up on an EX4500/4200 stack. I'm looking at this simple example,

     

    http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/bgp-hitless-key-authentication.html

     

    However, I don't even see the "set security authentication-key-chains" on my EX:

     

    cjc@bp-lab-exstack# set security ?
    Possible completions:
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > certificates X.509 certificate configuration
    > ipsec IPSec configuration
    > pki PKI service configuration
    > ssh-known-hosts SSH known host list
    > traceoptions Trace options for IPSec key management
    {master:1}[edit]
    cjc@bp-lab-exstack#
    

     

    How to do BGP MD5 authentication on an EX?



  • 2.  RE: security authentication-key-chains Not Present on EX?

    Posted 07-12-2014 01:25

    Hello there,

     


    @cosx wrote:

     

    How to do BGP MD5 authentication on an EX?



    My answer

     

    http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/configuration-statement/authentication-key-edit-protocols-bgp.html

     

    Statement introduced in Junos OS Release 9.0 for EX Series switches.

     HTH

    Thanks

    Alex



  • 3.  RE: security authentication-key-chains Not Present on EX?

    Posted 07-13-2014 01:10

    That information again may be the result of a copy-paste error. I have not seen that hierarchy in the EX switch 4200 Series. BTW, Arsinieve, have you been able to get it to work on any of the EX series switches? And it is not available in v12.2.R1.8. I am willing to bet it is available in the MX and M series.



  • 4.  RE: security authentication-key-chains Not Present on EX?

     
    Posted 07-13-2014 08:05

    As far as I can tell, I see it in my EX as below.

     

    {master:0}[edit]
    ckim@wf-pacman-sw3# run show version 
    fpc0:
    --------------------------------------------------------------------------
    Hostname: wf-pacman-sw3
    Model: ex4200-48t
    JUNOS Base OS boot [12.3R2.5]
    JUNOS Base OS Software Suite [12.3R2.5]
    JUNOS Kernel Software Suite [12.3R2.5]
    JUNOS Crypto Software Suite [12.3R2.5]
    JUNOS Online Documentation [12.3R2.5]
    JUNOS Enterprise Software Suite [12.3R2.5]
    JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R2.5]
    JUNOS Routing Software Suite [12.3R2.5]
    JUNOS Web Management [12.3R2.5]
    JUNOS FIPS mode utilities [12.3R2.5]
    
    {master:0}[edit]
    ckim@wf-pacman-sw3# set protocols bgp authentication-key ?  
    Possible completions:
      <authentication-key>  MD5 authentication key
    {master:0}[edit]
    ckim@wf-pacman-sw3# set protocols bgp authentication-key  

     /Charlie

     



  • 5.  RE: security authentication-key-chains Not Present on EX?
    Best Answer

    Posted 07-13-2014 18:13

    I think I see what is going on here. I had seen the "authentication-key" statement in the "protocols bgp" hierarchy already, but when I had tried to use it,

     

    {master:1}[edit routing-instances centuryLink protocols bgp]
    cjc@scea-bp-lab-exstack# show 
    local-address 10.113.33.165;
    authentication-key "$9$M9EWNVg4JDH.BI"; ## SECRET-DATA
    ##
    ## Warning: May not be configured with authentication-key
    ##
    authentication-algorithm md5;
    local-as 65009;
    group SCEA {
        import scea-import;
        export scea-default;
        peer-as 64989;
        neighbor 10.113.33.166;
    }
    

     Which made me go looking for the "security authentication-key-chains" stanza.

     

    However, playing around a bit more, it looks like it's a conflict between the "authentication-algorithm" and "authentication-key" statements. If you just supply "authentication-key" with no "authentication-algorithm," the configuration is accepted and authentication between the peers works.

     

    Be nice if in addition to losing the "security authentication-key-chains," they took out a useless dependency like the "authentication-algorithm" statement to match. Lot less confusing.
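
The conflict described in post 5, as an added example that is not part of the original thread: a small Python check that walks a Junos curly-brace configuration and reports every BGP hierarchy level where `authentication-key` and `authentication-algorithm` are both set. The sample configuration is constructed (the key value is a placeholder), and the function name `find_auth_conflicts` and the same-level-only rule are assumptions of this example.

```python
# Constructed sample in Junos curly-brace format, modelled on the stanza in post 5.
# The key value is a placeholder, not a real obfuscated secret.
SAMPLE = '''
routing-instances {
    centuryLink {
        protocols {
            bgp {
                local-address 10.113.33.165;
                authentication-key "$9$placeholder"; ## SECRET-DATA
                authentication-algorithm md5;
                group SCEA {
                    peer-as 64989;
                    neighbor 10.113.33.166;
                }
            }
        }
    }
}
protocols {
    bgp {
        group OK {
            authentication-key "$9$placeholder"; ## SECRET-DATA
            neighbor 192.0.2.1;
        }
    }
}
'''

CONFLICT = {"authentication-key", "authentication-algorithm"}

def find_auth_conflicts(config_text):
    """Return hierarchy paths at or below 'bgp' where both statements
    are set at the same level (assumption: only same-level pairs count)."""
    stack = []       # entries: [block name, statement keywords seen at that level]
    conflicts = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                      # blank line or commit warning/annotation
        if line.endswith("{"):
            stack.append([line[:-1].strip(), set()])
        elif line == "}" and stack:
            name, seen = stack.pop()
            path = [n for n, _ in stack] + [name]
            if "bgp" in path and CONFLICT <= seen:
                conflicts.append(" ".join(path))
        elif stack:
            # Statement line: first token is the keyword; trailing "## ..." is ignored.
            stack[-1][1].add(line.split()[0].rstrip(";"))
    return conflicts
```

Running it over a saved `show configuration` output before commit points at the level to clean up; on the constructed sample it reports only the routing-instance BGP level.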



  • 6.  RE: security authentication-key-chains Not Present on EX?

    Posted 11-23-2015 13:21

    I saw the same issue for SRX 5400 too, so I just removed that authentication-algorithm and the issue was resolved!