With one, which is what it is by default, it would be 254. Remember loopbacks are 1 hop away so you need the ttl to be 2.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Thursday, May 20, 2010 3:49 AM
To: [email protected]
Subject: [OSL | CCIE_Security] bgp with ttl security

Hi all,

Router A and B are directly connected and BGP is peered to loopbacks. To make it work, we need to configure ebgp-multihop 2 on both sides. For me here it works with ttl-security hops 2. I thought it should work with ttl-security hops 1. With this configuration, what is the ttl value in the bgp packet sent to each other? Will it be 254 or 253?

Router A

router bgp 4
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.1.3.3 remote-as 7
 neighbor 150.1.3.3 ttl-security hops 2
 neighbor 150.1.3.3 update-source Loopback0
 no auto-summary

interface FastEthernet0/0
 ip address 136.1.0.2 255.255.255.0
 ip flow ingress
 duplex auto
 speed auto

interface Loopback0
 ip address 150.1.2.2 255.255.255.0

sh ip bgp neighbors o/p

Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
Local host: 150.1.2.2, Local port: 49810

Router B

router bgp 7
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.1.2.2 remote-as 4
 neighbor 150.1.2.2 ttl-security hops 2
 neighbor 150.1.2.2 update-source Loopback0
 no auto-summary

interface FastEthernet0/0
 ip address 136.1.0.3 255.255.255.0
 duplex auto
 speed auto

interface Loopback0
 ip address 150.1.3.3 255.255.255.0

sh ip bgp neighbors o/p

Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
Local host: 150.1.3.3, Local port: 179

Snippet of netflow o/p on router A

Fa0/0  150.1.3.3  Local  150.1.2.2  06 C0 12  6  00B3 /0  0  E2FA /0  0  0.0.0.0  57  0.2
Min TTL: 255 Max TTL: 255

The bgp peers are sending a ttl of 255. But then why is it working with "ttl-security hops 2" only and not with "ttl-security hops 1"?

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
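Added example, not part of the thread above: a small Python model of the IOS "neighbor ... ttl-security hops N" check (GTSM, RFC 5082) using the numbers quoted in the thread (sent at 255, "Mininum incoming TTL 253" for hops 2). The hop accounting is an assumption taken from the reply, not something the show output states directly: a directly connected peer counts as one hop, and a session terminated on a loopback (update-source Loopback0) is modelled as one more decrement. It also runs a constructed "five routers away" case to show what the floor buys you: a packet that starts at 255 far away cannot arrive above 255 minus the hops it crossed, so it is dropped before the TCP/BGP code parses it.

```python
"""
Added example, not from the thread: model of the Cisco IOS
"ttl-security hops N" check (GTSM, RFC 5082) with the thread's numbers.

Assumptions (per the reply in the thread, not measured facts):
  - a directly connected peer counts as 1 router hop
  - a session terminated on a loopback costs 1 extra decrement
"""

MAX_TTL = 255


def minimum_incoming_ttl(hops: int) -> int:
    """IOS accepts a BGP packet only if its TTL >= 255 - hops.

    The thread's "show ip bgp neighbors" output with "ttl-security hops 2"
    reports "Mininum incoming TTL 253"; with hops 1 the floor is 254.
    """
    if not 1 <= hops <= 254:
        raise ValueError("ttl-security hops must be 1..254")
    return MAX_TTL - hops


def ttl_seen_by_bgp(router_hops: int, peer_on_loopback: bool,
                    initial_ttl: int = MAX_TTL) -> int:
    """TTL left when the packet reaches the receiving BGP process.

    router_hops:      router hops crossed, counting a directly connected
                      peer as 1 (assumption, as the reply counts it).
    peer_on_loopback: True when the session terminates on a loopback;
                      modelled as one extra decrement (assumption).
    """
    if router_hops < 0:
        raise ValueError("router_hops must be >= 0")
    ttl = initial_ttl - router_hops - (1 if peer_on_loopback else 0)
    return max(ttl, 0)


def gtsm_accepts(configured_hops: int, received_ttl: int) -> bool:
    """The GTSM decision: anything below the floor is dropped."""
    return received_ttl >= minimum_incoming_ttl(configured_hops)


def evaluate(configured_hops: int, router_hops: int,
             peer_on_loopback: bool) -> dict:
    """Bundle the numbers so one scenario can be inspected in one call."""
    received = ttl_seen_by_bgp(router_hops, peer_on_loopback)
    floor = minimum_incoming_ttl(configured_hops)
    return {
        "configured_hops": configured_hops,
        "minimum_incoming_ttl": floor,
        "received_ttl": received,
        "accepted": received >= floor,
    }


if __name__ == "__main__":
    # Router A <-> Router B from the thread: directly connected (1 hop),
    # peering between Loopback0 addresses.  hops 1 fails, hops 2 works.
    for hops in (1, 2):
        print(f"ttl-security hops {hops}:", evaluate(hops, 1, True))
    # Constructed scenario: a packet sent at 255 from five routers away
    # arrives at 249, under the floor of 253, and is dropped unparsed.
    print("five routers away:", evaluate(2, 5, True))
```

Under this model a hops 1 floor of 254 is one above the 253 that a loopback-terminated session from a directly connected peer delivers, which is exactly the mismatch the thread observed; hops 2 lowers the floor to 253 and the session comes up, while still rejecting anything that crossed more routers than that.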
