And last, but not least: my testing was done on 15.4(1)S.

--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor / Managing Partner - iPexpert
:: Free Video Training: http://youtube.com/iPexpertInc
:: Social: http://twitter.com/@icemarkom | http://fb.me/ccie18427
:: iPexpert: http://www.ipexpert.com/Communities | +1-810-326-1444

On Wed, Feb 26, 2014 at 12:48 PM, Marko Milivojevic <[email protected]> wrote:
> Sorry, a copy/paste went wrong there for the configuration of BGP on R2.
> It was configured with AS 65002; I just couldn't be bothered to copy twice
> and (mis)edited the R2 portion when I was composing the message. Here's the
> correct configuration:
>
> R2:
> router bgp 65002
>  neighbor 192.168.12.1 remote-as 65001
>  neighbor 192.168.12.1 ttl-security hops 2
>  !
>  address-family ipv4
>   neighbor 192.168.12.1 activate
>  !
>
> Proof is below :-)
>
> ------------------------------8<------------------------------
> Frame 6: 111 bytes on wire (888 bits), 111 bytes captured (888 bits)
> Ethernet II, Src: 00:50:56:92:37:3d (00:50:56:92:37:3d), Dst: 00:0c:29:84:d3:2e (00:0c:29:84:d3:2e)
> Internet Protocol Version 4, Src: 192.168.12.2 (192.168.12.2), Dst: 192.168.12.1 (192.168.12.1)
> Transmission Control Protocol, Src Port: bgp (179), Dst Port: 51300 (51300), Seq: 1, Ack: 58, Len: 57
> Border Gateway Protocol - OPEN Message
>     Marker: ffffffffffffffffffffffffffffffff
>     Length: 57
>     Type: OPEN Message (1)
>     Version: 4
>     My AS: 65002
>     Hold Time: 180
>     BGP Identifier: 192.168.12.2 (192.168.12.2)
>     Optional Parameters Length: 28
>     Optional Parameters
> ------------------------------8<------------------------------
>
> On Wed, Feb 26, 2014 at 12:41 PM, Marko Milivojevic <[email protected]> wrote:
>
>> I can confirm (and so can you in the lab environment).
>>
>> When configured with ttl-security, several things are important for
>> the eBGP neighbors:
>>
>> 1) The TTL is set to 255, instead of 1 (default)
>> 2) The TTL security feature needs to be turned on on both sides
>> 3) The TTL of the incoming packet will be matched against the configured hop
>>    count using a simple check: (255 - Packet_TTL) <= hops
>>
>> Let's take a look.
>>
>> (AS65001)R1[Gi1]---{192.168.12.0/24}---[Gi1]R2(AS65002)
>>
>> R1:
>> interface GigabitEthernet1
>>  ip address 192.168.12.1 255.255.255.0
>> !
>> router bgp 65001
>>  neighbor 192.168.12.2 remote-as 65002
>>  neighbor 192.168.12.2 ttl-security hops 2
>>  !
>>  address-family ipv4
>>   neighbor 192.168.12.2 activate
>>  !
>>
>> R2:
>> interface GigabitEthernet1
>>  ip address 192.168.12.2 255.255.255.0
>> !
>> router bgp 65001
>>  neighbor 192.168.12.1 remote-as 65001
>>  neighbor 192.168.12.1 ttl-security hops 2
>>  !
>>  address-family ipv4
>>   neighbor 192.168.12.1 activate
>>  !
>>
>> R1:
>> R1#show bgp ipv4 unicast summary
>> BGP router identifier 192.168.12.1, local AS number 65001
>> BGP table version is 1, main routing table version 1
>>
>> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
>> 192.168.12.2    4 65002       7       7        1    0    0 00:04:15        0
>>
>> So, the session is up, even though they're directly connected (proving
>> the point of the TTL statement above). But what WAS the actual TTL used on
>> the wire? See for yourself - this is the SYN packet for that session.
>>
>> Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
>> Ethernet II, Src: 00:0c:29:84:d3:2e (00:0c:29:84:d3:2e), Dst: 00:50:56:92:37:3d (00:50:56:92:37:3d)
>> Internet Protocol Version 4, Src: 192.168.12.1 (192.168.12.1), Dst: 192.168.12.2 (192.168.12.2)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
>>     Total Length: 44
>>     Identification: 0xa870 (43120)
>>     Flags: 0x02 (Don't Fragment)
>>     Fragment offset: 0
>>     Time to live: 255
>>     Protocol: TCP (6)
>>     Header checksum: 0x3947 [correct]
>>     Source: 192.168.12.1 (192.168.12.1)
>>     Destination: 192.168.12.2 (192.168.12.2)
>> Transmission Control Protocol, Src Port: 51300 (51300), Dst Port: bgp (179), Seq: 0, Len: 0
>>
>> On Wed, Feb 26, 2014 at 12:19 PM, Edgar Díaz Orellana <[email protected]> wrote:
>>
>>> In fact, using a loopback interface kind of has a second hop: one of
>>> them is external, the other is internal through the control plane.
>>>
>>> That's why you need to use 2 hops if you have neighbors peering through loopbacks.
>>>
>>> Sent from my iPhone
>>>
>>> > On 26-02-2014, at 14:09, marc abel <[email protected]> wrote:
>>> >
>>> > Are you peering between loopbacks? In this case you would need to do
>>> > ttl-security hops 2. Your neighbor is going to decrement the TTL by 1 before
>>> > sending, and then the local router would decrement it by 1 before delivering to
>>> > the loopback interface. This probably wouldn't show up in your traceroute, but
>>> > you would have a TTL of 253.
>>> >
>>> > On Wed, Feb 26, 2014 at 10:22 AM, Christopher Lemish <[email protected]> wrote:
>>> >
>>> >> Guys,
>>> >>
>>> >> I just turned up a BGP session for a customer (doing BGP failover for
>>> >> them). I am using the "neigh ttl-security hops" cmd. A traceroute
>>> >> confirms it is 1 hop away. The Cisco documentation explains that if a TTL
>>> >> is received that equals the TTL value expected or is higher, the router
>>> >> will accept that packet.
>>> >>
>>> >> I was troubleshooting it quickly, and the cmd "neigh x.x.x.x ttl-security
>>> >> hops 254" is the only hop count that maintains the BGP session. I thought
>>> >> I recalled from one of Joe's videos that the ttl-security cmd "must exactly"
>>> >> match the number of hops away. But I thought we could use "neigh
>>> >> x.x.x.x ttl-security hops 1", which means it is 1 hop away and would accept
>>> >> a TTL of 254 or higher, indicating that it is 1 hop away.
>>> >>
>>> >> (TTL=255)-->(TTL=254)
>>> >> PE--------CE
>>> >>
>>> >> The IOS version of this 3925 is the following:
>>> >> Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
>>> >>
>>> >> Thank you,
>>> >> Chris
>>> >>
>>> >> _______________________________________________
>>> >> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>> >>
>>> >> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>> >
>>> > --
>>> > Marc Abel
>>> > CCIE #35470
>>> > (Routing and Switching)

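The check Marko states, (255 - Packet_TTL) <= hops, worked through in Python as an added example (not code from the thread or from Cisco IOS; it assumes the IOS check behaves exactly as that formula, and every arriving TTL other than the captured 255 is constructed from the thread's descriptions rather than from a capture). It also pulls the TTL out of a Wireshark-style text dissection like the one quoted above, and shows why a neighbor still sending the default TTL of 1 only passes at "hops 254", the setting Chris found, which is the same setting that would let a forged packet from many routers away through.

```python
import re

GTSM_MAX_TTL = 255  # TTL IOS puts on eBGP packets once ttl-security is on


def gtsm_accepts(packet_ttl: int, hops: int) -> bool:
    """'neighbor X ttl-security hops N' check as stated in the thread:
    accept when (255 - Packet_TTL) <= hops, i.e. Packet_TTL >= 255 - hops."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be in 1..254")
    if not 0 <= packet_ttl <= 255:
        raise ValueError("TTL must be in 0..255")
    return (GTSM_MAX_TTL - packet_ttl) <= hops


def min_accepted_ttl(hops: int) -> int:
    """Lowest arriving TTL that still passes for a given hop count."""
    return GTSM_MAX_TTL - hops


def ttl_from_dissection(dissection: str) -> int:
    """Extract the IPv4 TTL from a Wireshark-style text dissection."""
    m = re.search(r"Time to live:\s*(\d+)", dissection)
    if m is None:
        raise ValueError("no 'Time to live' line in dissection")
    return int(m.group(1))


# Constructed excerpt modelled on the SYN capture quoted in the thread.
SYN_DISSECTION = """\
Internet Protocol Version 4, Src: 192.168.12.1, Dst: 192.168.12.2
    Time to live: 255
    Protocol: TCP (6)
Transmission Control Protocol, Src Port: 51300, Dst Port: bgp (179)
"""


def evaluate_scenarios() -> dict:
    """Verdicts for the arriving TTLs discussed in the thread at hops 1, 2
    and 254. Only the 255 comes from a capture; the rest are constructed."""
    scenarios = {
        "direct, peer has ttl-security": ttl_from_dissection(SYN_DISSECTION),
        "loopback peering (253 per Marc)": 253,
        "direct, peer WITHOUT ttl-security (default TTL 1)": 1,
        "forged packet 10 routers away": GTSM_MAX_TTL - 10,
    }
    return {name: {h: gtsm_accepts(ttl, h) for h in (1, 2, 254)}
            for name, ttl in scenarios.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_scenarios().items():
        print(f"{name:50s}", {f"hops {h}": ok for h, ok in verdicts.items()})
```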