Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring BFD Authentication for PIM

  1. Specify the BFD authentication algorithm for the PIM protocol.

  2. Associate the authentication keychain with the PIM protocol.

  3. Configure the related security authentication keychain.

Beginning with Junos OS Release 9.6, you can configure authentication for Bidirectional Forwarding Detection (BFD) sessions running over Protocol Independent Multicast (PIM). Routing instances are also supported.

The following sections provide instructions for configuring and viewing BFD authentication on PIM:

Configuring BFD Authentication Parameters

BFD authentication is only supported in the Canada and United States version of the Junos OS image and is not available in the export version.

To configure BFD authentication:

  1. Specify the algorithm (keyed-md5, keyed-sha-1, meticulous-keyed-md5, meticulous-keyed-sha-1, or simple-password) to use for BFD authentication on a PIM route or routing instance.
    Note:

    Nonstop active routing (NSR) is not supported with the meticulous-keyed-md5 and meticulous-keyed-sha-1 authentication algorithms. BFD sessions using these algorithms might go down after a switchover.

  2. Specify the keychain to be used to associate BFD sessions on the specified PIM route or routing instance with the unique security authentication keychain attributes.

    The keychain you specify must match the keychain name configured at the [edit security authentication key-chains] hierarchy level.

    Note:

    The algorithm and keychain must be configured on both ends of the BFD session, and they must match. Any mismatch in configuration prevents the BFD session from being created.

  3. Specify the unique security authentication information for BFD sessions:
    • The matching keychain name as specified in Step 2.

    • At least one key, a unique integer between 0 and 63. Creating multiple keys allows multiple clients to use the BFD session.

    • The secret data used to allow access to the session.

    • The time at which the authentication key becomes active, in the format yyyy-mm-dd.hh:mm:ss.

    Note:

    Security Authentication Keychain is not supported on SRX Series Firewalls.

  4. (Optional) Specify loose authentication checking if you are transitioning from nonauthenticated sessions to authenticated sessions.
  5. (Optional) View your configuration by using the show bfd session detail or show bfd session extensive command.
  6. Repeat these steps to configure the other end of the BFD session.

Viewing Authentication Information for BFD Sessions

You can view the existing BFD authentication configuration by using the show bfd session detail and show bfd session extensive commands.

The following example shows BFD authentication configured for the ge-0/1/5 interface. It specifies the keyed SHA-1 authentication algorithm and a keychain name of bfd-pim. The authentication keychain is configured with two keys. Key 1 contains the secret data “$ABC123/” and a start time of June 1, 2009, at 9:46:02 AM PST. Key 2 contains the secret data “$ABC123/” and a start time of June 1, 2009, at 3:29:20 PM PST.

If you commit these updates to your configuration, you see output similar to the following example. In the output for the show bfd session detail command, Authenticate is displayed to indicate that BFD authentication is configured. For more information about the configuration, use the show bfd session extensive command. The output for this command provides the keychain name, the authentication algorithm and mode for each client in the session, and the overall BFD authentication configuration status, keychain name, and authentication algorithm and mode.

show bfd session detail

show bfd session extensive

Release History Table
Release
Description
9.6
Beginning with Junos OS Release 9.6, you can configure authentication for Bidirectional Forwarding Detection (BFD) sessions running over Protocol Independent Multicast (PIM). Routing instances are also supported.