Kings,

Below is the message I sent you a month ago about the difference between
the ttl-security and ebgp-multihop commands.

----
Those commands are mutually exclusive.
You can easily check what TTL the router expects and what TTL it uses when
sending BGP packets with the command:
show ip bgp neighbors 10.20.30.40 | inc TTL

When using the ttl-security command, the router expects the TTL of incoming
packets to be 255 minus the ttl-security hop value. This also sets the TTL for
outgoing packets to 255 (like the ebgp-multihop command without any number).

As we know, the two routers are at the same hop count distance from each
other, so 255 will be 250 (255-5) on the far end.

In contrast to that, the ebgp-multihop command sets the TTL for outgoing
packets (the default is 1, so EBGP peers must be on the same subnet to
establish adjacency). This is also fine, but it does not protect the peer in
case an attacker sets a fake TTL in the packet and sends it out - lots of such
packets cause a DoS attack, as the router must process each packet before it
drops it.
-----

HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
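Added example (not from either poster): a small Python model of the two receive-side behaviours described above, so the "255 minus hop value" threshold and the missing check under ebgp-multihop can be exercised side by side. The NeighborConfig class, the decrement counts and the "distant sender" are all constructed for illustration; how IOS counts the decrement for a loopback destination is exactly what the thread is discussing, so the model simply takes the number of decrements as an input and does not model the directly-connected check.

```python
"""Constructed model of 'neighbor X ttl-security hops N' (GTSM) versus
'neighbor X ebgp-multihop N' on the receiving router, for illustration only.
Simplifications: the per-path TTL decrement count is an input, and the
directly-connected check is not modelled."""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_TTL = 255


@dataclass(frozen=True)
class NeighborConfig:
    """Subset of 'neighbor X ...' options relevant to TTL handling (constructed)."""
    ttl_security_hops: Optional[int] = None  # neighbor X ttl-security hops N
    ebgp_multihop: Optional[int] = None      # neighbor X ebgp-multihop N (255 when N omitted)

    def __post_init__(self) -> None:
        # The two commands are mutually exclusive on a neighbor; mirror that here.
        if self.ttl_security_hops is not None and self.ebgp_multihop is not None:
            raise ValueError("ttl-security and ebgp-multihop are mutually exclusive")


def outgoing_ttl(cfg: NeighborConfig) -> int:
    """TTL written into BGP packets sent towards this neighbor."""
    if cfg.ttl_security_hops is not None:
        return MAX_TTL                  # ttl-security always sends with TTL 255
    if cfg.ebgp_multihop is not None:
        return cfg.ebgp_multihop        # ebgp-multihop N sends with TTL N
    return 1                            # plain eBGP: only a directly connected peer hears it


def minimum_accepted_ttl(cfg: NeighborConfig) -> Optional[int]:
    """Receive-side threshold: 255 - hops with ttl-security, otherwise no TTL check at all."""
    if cfg.ttl_security_hops is not None:
        return MAX_TTL - cfg.ttl_security_hops
    return None


def arriving_ttl(initial_ttl: int, decrements: int) -> int:
    """TTL on arrival after `decrements` routers each subtracted 1 (0 = never arrived)."""
    return max(initial_ttl - decrements, 0)


def bgp_sees_packet(cfg: NeighborConfig, ttl_on_arrival: int) -> bool:
    """True if the packet reaches the BGP process; GTSM drops it silently otherwise."""
    if ttl_on_arrival < 1:
        return False
    minimum = minimum_accepted_ttl(cfg)
    return minimum is None or ttl_on_arrival >= minimum


def evaluate(cfg_local: NeighborConfig, cfg_peer: NeighborConfig,
             peer_decrements: int, distant_decrements: int,
             distant_ttl: int = MAX_TTL) -> Tuple[bool, bool]:
    """For one constructed topology, return (peer_reaches_bgp, distant_sender_reaches_bgp).
    The distant sender uses an initial TTL of 255, the largest value it can choose."""
    peer = bgp_sees_packet(cfg_local, arriving_ttl(outgoing_ttl(cfg_peer), peer_decrements))
    distant = bgp_sees_packet(cfg_local, arriving_ttl(distant_ttl, distant_decrements))
    return peer, distant


if __name__ == "__main__":
    # Constructed scenario: the real peer is one decrement away, a distant sender five away.
    for name, cfg in (("ttl-security hops 2", NeighborConfig(ttl_security_hops=2)),
                      ("ebgp-multihop 2", NeighborConfig(ebgp_multihop=2))):
        peer_ok, distant_ok = evaluate(cfg, cfg, peer_decrements=1, distant_decrements=5)
        print(f"{name:20} sends TTL {outgoing_ttl(cfg):3}; "
              f"peer reaches BGP: {peer_ok}; distant TTL-255 packet reaches BGP: {distant_ok}")
```

Running it shows the asymmetry the message describes: with ttl-security hops 2 the threshold is 253, so the peer's packet (arriving at 254) is processed while the distant packet (arriving at 250) is discarded before BGP ever sees it; with ebgp-multihop 2 the peer's TTL-2 packet arrives at 1 and is processed, but so is the distant packet, because nothing on the receive side looks at its TTL.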



2010/2/21 Kingsley Charles <[email protected]>

> Hi all
>
> I have two BGP peers connected as follows:
>
>
> L0 (3.3.3.3) R1 F0/0 (10.20.30.40) ------------------- (10.20.30.44) R2 L0 (4.4.4.4)
>
>
> R1
>
> neighbor 4.4.4.4 remote-as 3
> neighbor 4.4.4.4 update-source l0
>
>
>  R2
>
> neighbor 3.3.3.3 remote-as 4
> neighbor 3.3.3.3 update-source l0
>
>
> The BGP session comes up when I configure either bgp neighbor *ttl-security
> hop 2* or neighbor *ebgp-multihop 2* or neighbor *disable-connected-check*.
>
>
>
> *ebgp-multihop 2*
>
> By default, BGP sends the packet with TTL 255 and is 253 when it reaches
> the loopback. *ebgp-multihop 2* accepts a BGP connection that can be 2 hops
> away.
>
>
> *disable-connected-check*
>
> This command removes the check of directly connected for which TTL = 254.
>
>
> *ttl-security hop 2*
>
> *Definition from cisco*
>
> TTL Security Check protects the eBGP neighbor session by comparing the
> value in the TTL field of received IP packets against a hop count that is
> configured locally for each eBGP neighbor session. If the value in the TTL
> field of the incoming IP packet is greater than or equal to the locally
> configured value, the IP packet is accepted and processed normally. If the
> TTL value in the IP packet is less than the locally configured value, the
> packet is silently discarded and no ICMP message is generated. This is
> designed behavior; a response to a forged packet is unnecessary.
>
> My understanding is that the BGP packet comes with a TTL of 255 and since 255 > 2,
> BGP is allowed to establish. I think I am wrong here.
>
>
>
> Can someone please explain the three options.
>
>
>
>
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>