Hi Piotr,

When we use ttl security, bgp sends ttl starting with 255, right? How come it will be "2"?

With regards
Kings

On Fri, May 21, 2010 at 3:47 PM, Piotr Matusiak <[email protected]> wrote:
> Kings,
>
> The packet sourced from the router will NOT decrement TTL, hence in this case the eBGP packet will be sourced with TTL=2. The receiving router will decrement TTL by 1 when receiving the packet and route it further to the loopback interface. The packet MUST have TTL=>1 to be accepted, as the general networking rule says: "drop packets with TTL=0 and send an ICMP error packet back".
>
> HTH,
> Piotr
>
> 2010/5/21 Kingsley Charles <[email protected]>
>
>> Hi Tyson
>>
>> Though a loopback, since the packet comes from the same router, will the router decrement the ttl?
>>
>> Also when it reaches the peer router, it goes to the control plane directly, so ttl won't be decremented on the peer either. ttl will be decremented only after the routing, right?
>>
>> Hence, if a ttl of 225 is sent from router A in the bgp packet to the peer, it would still be 255.
>>
>> I think I am really missing something here.
>>
>> Can you please explain, with this configuration, what the ttl value will be when the bgp packet reaches the peer and how it was arrived at?
>>
>> With regards
>> Kings
>>
>> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>>
>>> With one, which is what it is by default, it would be 254. Remember loopbacks are 1 hop away, so you need the ttl to be 2.
>>>
>>> Regards,
>>>
>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>> Technical Instructor - IPexpert, Inc.
>>> Mailto: [email protected]
>>> Telephone: +1.810.326.1444, ext. 208
>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>> eFax: +1.810.454.0130
>>>
>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>>> *Sent:* Thursday, May 20, 2010 3:49 AM
>>> *To:* [email protected]
>>> *Subject:* [OSL | CCIE_Security] bgp with ttl security
>>>
>>> Hi all
>>>
>>> Router A and B are directly connected and bgp is peered between loopbacks.
>>>
>>> To make it work, we need to configure *ebgp-multihop 2* on both sides.
>>>
>>> For me here it works with ttl-security hops 2.
>>>
>>> I thought it should work with ttl-security hops 1.
>>>
>>> With this configuration, what is the ttl value in the bgp packets sent to each other?
>>>
>>> Will it be 254 or 253?
>>>
>>> *router A*
>>>
>>> router bgp 4
>>>  no synchronization
>>>  bgp log-neighbor-changes
>>>  neighbor 150.1.3.3 remote-as 7
>>>  neighbor 150.1.3.3 ttl-security hops 2
>>>  neighbor 150.1.3.3 update-source Loopback0
>>>  no auto-summary
>>>
>>> interface FastEthernet0/0
>>>  ip address 136.1.0.2 255.255.255.0
>>>  ip flow ingress
>>>  duplex auto
>>>  speed auto
>>>
>>> interface Loopback0
>>>  ip address 150.1.2.2 255.255.255.0
>>>
>>> sh ip bgp neighbors o/p
>>>
>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>> Local host: 150.1.2.2, Local port: 49810
>>>
>>> *Router B*
>>>
>>> router bgp 7
>>>  no synchronization
>>>  bgp log-neighbor-changes
>>>  neighbor 150.1.2.2 remote-as 4
>>>  neighbor 150.1.2.2 ttl-security hops 2
>>>  neighbor 150.1.2.2 update-source Loopback0
>>>  no auto-summary
>>>
>>> interface FastEthernet0/0
>>>  ip address 136.1.0.3 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>
>>> interface Loopback0
>>>  ip address 150.1.3.3 255.255.255.0
>>>
>>> sh ip bgp neighbors o/p
>>>
>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>> Local host: 150.1.3.3, Local port: 179
>>>
>>> *Snippet of netflow o/p on router A*
>>>
>>> Fa0/0 150.1.3.3 Local 150.1.2.2 06 C0 12 6
>>> 00B3 /0 0 E2FA /0 0 0.0.0.0 57 0.2
>>> *Min TTL: 255* Max TTL: 255
>>>
>>> The bgp peers are sending a ttl of 255. But then why is it working with "ttl-security hops 2" only and not with "ttl-security hops 1"?
>>>
>>> With regards
>>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
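The thread turns on three numbers: the TTL an eBGP speaker puts on its own packets (1 by default, N with `ebgp-multihop N`, 255 with `ttl-security`, as the "Outgoing TTL 255" line above shows), the minimum the receiver will accept (the show output gives 253 for `ttl-security hops 2`, i.e. 255 minus the configured hop count), and how many routers decrement the packet on the way. The small simulator below is an added example written for this page, not code from any of the posters or from Cisco; it models each forwarding router as one decrement and leaves the question the thread argues about (whether delivery to the local loopback counts as a hop) as the `forwarding_hops` parameter, so you can see what the session accepts under either assumption. The point of GTSM from the defender's side is the last scenario: a packet that has crossed more routers than the configured hop count arrives with too low a TTL and is rejected before BGP ever parses it.

```python
"""GTSM (BGP ttl-security) arithmetic simulator.

Added example for the mailing-list thread above; it is not the posters'
code and not Cisco's implementation. Rules encoded, all stated in the
thread or in the show output it quotes:
  - plain eBGP sends TTL 1; 'ebgp-multihop N' sends TTL N; 'ttl-security'
    always sends TTL 255 ("Outgoing TTL 255").
  - 'ttl-security hops N' accepts an incoming TTL >= 255 - N
    ("Mininum incoming TTL 253" for hops 2).
  - every router that forwards a packet decrements TTL by one, and a
    packet that would reach TTL 0 is dropped with an ICMP error.
"""
from typing import Dict, Optional

MAX_TTL = 255


def outgoing_ttl(ebgp_multihop: Optional[int] = None, ttl_security: bool = False) -> int:
    """TTL an eBGP speaker sets on packets it originates."""
    if ttl_security:
        return MAX_TTL          # GTSM always sends the maximum
    if ebgp_multihop is not None:
        if not 1 <= ebgp_multihop <= MAX_TTL:
            raise ValueError("ebgp-multihop must be 1..255")
        return ebgp_multihop    # e.g. multihop 2 -> TTL 2, as Piotr describes
    return 1                    # default eBGP: directly connected only


def min_incoming_ttl(hops: int) -> int:
    """Lowest TTL 'ttl-security hops <hops>' will accept (255 - hops)."""
    if not 1 <= hops <= 254:
        raise ValueError("ttl-security hops must be 1..254")
    return MAX_TTL - hops


def ttl_on_arrival(sent_ttl: int, forwarding_hops: int) -> Optional[int]:
    """TTL seen by the receiver after `forwarding_hops` routers forwarded it.

    Returns None when the packet expires in transit (a router that would
    have to forward a packet with TTL 1 drops it instead).
    """
    ttl = sent_ttl
    for _ in range(forwarding_hops):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def gtsm_accepts(sent_ttl: int, forwarding_hops: int, hops_configured: int) -> bool:
    """True when the receiver's ttl-security check lets the packet through."""
    arrived = ttl_on_arrival(sent_ttl, forwarding_hops)
    return arrived is not None and arrived >= min_incoming_ttl(hops_configured)


def scenarios() -> Dict[str, bool]:
    """Constructed scenarios around the thread's router A / router B setup.

    Both peers run ttl-security, so every legitimate packet leaves with
    TTL 255; the last entry is a constructed packet that crossed five
    routers, which GTSM exists to reject.
    """
    sent = outgoing_ttl(ttl_security=True)
    return {
        "hops 1, no forwarding router in path": gtsm_accepts(sent, 0, 1),
        "hops 1, one decrement in path":        gtsm_accepts(sent, 1, 1),
        "hops 1, two decrements in path":       gtsm_accepts(sent, 2, 1),
        "hops 2, two decrements in path":       gtsm_accepts(sent, 2, 2),
        "hops 2, packet forwarded 5 times":     gtsm_accepts(sent, 5, 2),
    }


if __name__ == "__main__":
    print(f"default eBGP TTL      : {outgoing_ttl()}")
    print(f"ebgp-multihop 2 TTL   : {outgoing_ttl(ebgp_multihop=2)}")
    print(f"ttl-security TTL      : {outgoing_ttl(ttl_security=True)}")
    print(f"min TTL, hops 1       : {min_incoming_ttl(1)}")
    print(f"min TTL, hops 2       : {min_incoming_ttl(2)}")
    for name, ok in scenarios().items():
        print(f"{name:40s} -> {'accept' if ok else 'reject'}")
```

Reading the table: with `hops 1` the receiver insists on TTL 254 or better, so a packet that has been decremented twice is refused, while `hops 2` (minimum 253) admits it; neither setting admits a packet that has crossed five routers. Which row corresponds to the lab in the thread depends on whether the loopback delivery on each router costs a decrement, which is exactly the question Kings and Piotr are debating.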
