Kings,

The packet sourced from the router will NOT decrement TTL, hence in this case the eBGP packet will be sourced with TTL=2. The receiving router will decrement TTL by 1 when receiving the packet and route it further to the loopback interface. The packet MUST have TTL >= 1 to be accepted, as the general networking rule says: "drop packets with TTL=0 and send an ICMP error packet back".
HTH,
Piotr

2010/5/21 Kingsley Charles <[email protected]>
> Hi Tyson
>
> Though a loopback, since the packet comes from the same router, will the
> router decrement the ttl?
>
> Also when it reaches the peer router, it goes to the control plane
> directly, ttl won't be also decremented on the peer. ttl will be decremented
> only after the routing right?
>
> Hence, if a ttl of 225 is sent from router A in the bgp packet to the peer,
> it would be still 255.
>
> I think I am really missing something here.
>
> Can you please explain, with this configuration, what will the ttl value
> be when the bgp packet reaches the peer and how was it arrived at?
>
> With regards
> Kings
>
> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>
>> With one, which is what it is by default, it would be 254. Remember
>> loopbacks are 1 hop away so you need the ttl to be 2.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>> *Sent:* Thursday, May 20, 2010 3:49 AM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] bgp with ttl security
>>
>> Hi all
>>
>> Router A and B are directly connected and the bgp are peered to loopbacks.
>> To make it work, we need to configure *ebgp-multihop 2* on both sides.
>> For me here it works with ttl-security hops 2.
>> I thought it should work with ttl-security hops 1.
>> With this configuration, what is the ttl value in the bgp packet sent to
>> each other? Will it be 254 or 253?
>>
>> *router A*
>>
>> router bgp 4
>>  no synchronization
>>  bgp log-neighbor-changes
>>  neighbor 150.1.3.3 remote-as 7
>>  neighbor 150.1.3.3 ttl-security hops 2
>>  neighbor 150.1.3.3 update-source Loopback0
>>  no auto-summary
>>
>> interface FastEthernet0/0
>>  ip address 136.1.0.2 255.255.255.0
>>  ip flow ingress
>>  duplex auto
>>  speed auto
>>
>> interface Loopback0
>>  ip address 150.1.2.2 255.255.255.0
>>
>> sh ip bgp neighbors o/p
>>
>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>> Local host: 150.1.2.2, Local port: 49810
>>
>> *Router B*
>>
>> router bgp 7
>>  no synchronization
>>  bgp log-neighbor-changes
>>  neighbor 150.1.2.2 remote-as 4
>>  neighbor 150.1.2.2 ttl-security hops 2
>>  neighbor 150.1.2.2 update-source Loopback0
>>  no auto-summary
>>
>> interface FastEthernet0/0
>>  ip address 136.1.0.3 255.255.255.0
>>  duplex auto
>>  speed auto
>>
>> interface Loopback0
>>  ip address 150.1.3.3 255.255.255.0
>>
>> sh ip bgp neighbors o/p
>>
>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>> Local host: 150.1.3.3, Local port: 179
>>
>> *Snippet of netflow o/p on router A*
>>
>> Fa0/0 150.1.3.3 Local 150.1.2.2 06 C0 12 6
>> 00B3 /0 0 E2FA /0 0 0.0.0.0 57 0.2
>> *Min TTL: 255* Max TTL: 255
>>
>> The bgp peers are sending a ttl of 255.
>> But then why is it working with "ttl-security hops 2" only and not with
>> "ttl-security hops 1"?
>>
>> With regards
>> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
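An added worked example, not from anyone in this thread: it makes the ttl-security (GTSM) arithmetic explicit by parsing the `Mininum incoming TTL 253, Outgoing TTL 255` line from the pasted `show ip bgp neighbors` output, deriving the floor from `ttl-security hops N`, and applying the receiver's check to senders at several forwarding distances. The hop distances are constructed inputs; whether IOS counts delivery to a loopback as a forwarding hop (the question the thread debates) is not decided here, it is simply a number you pass in.

```python
import re

GTSM_TTL = 255  # a GTSM-capable eBGP speaker always transmits with TTL 255

# Constructed sample: the neighbor line Kings pasted, as IOS prints it
# (the "Mininum" spelling is IOS's own, so the regex tolerates both spellings).
SAMPLE_NEIGHBOR_LINE = (
    "Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255"
)

_TTL_RE = re.compile(r"Min\w*um incoming TTL (\d+), Outgoing TTL (\d+)")


def parse_ttl_line(line: str) -> tuple[int, int]:
    """Return (minimum_incoming_ttl, outgoing_ttl) from a neighbor output line."""
    m = _TTL_RE.search(line)
    if m is None:
        raise ValueError("no TTL information in line")
    return int(m.group(1)), int(m.group(2))


def min_incoming_ttl(hops: int) -> int:
    """`neighbor X ttl-security hops N` accepts only packets with TTL >= 255 - N."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return GTSM_TTL - hops


def arriving_ttl(hops_traversed: int) -> int:
    """TTL left on a packet sent with TTL 255 after being forwarded N times."""
    return max(GTSM_TTL - hops_traversed, 0)


def gtsm_accepts(ttl: int, hops: int) -> bool:
    """The receiver's check: drop the segment if its TTL fell below the floor."""
    return ttl >= min_incoming_ttl(hops)


def evaluate(hops: int, senders: dict[str, int]) -> dict[str, bool]:
    """Apply the check to several senders, each given as a forwarding-hop distance."""
    return {name: gtsm_accepts(arriving_ttl(d), hops) for name, d in senders.items()}


if __name__ == "__main__":
    floor, outgoing = parse_ttl_line(SAMPLE_NEIGHBOR_LINE)
    print("configured floor", floor, "matches hops 2:", floor == min_incoming_ttl(2))
    # Constructed senders: a directly attached peer, a peer whose loopback is
    # counted as one hop away (Tyson's reading), and a host five routers away,
    # whose TTL can never reach the floor, which is the whole point of GTSM.
    senders = {"attached-peer": 0, "peer-loopback": 1, "host-5-hops-away": 5}
    for hops in (1, 2):
        print("ttl-security hops", hops, "->", evaluate(hops, senders))
```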
