I described it when you use ebgp-multihop 2. When it comes to ttl-security, the bgp packet will have TTL=255 and the receiving router expects the TTL to be equal to or higher than the configured ttl-security value.
If the receiving router sees TTL<253 it silently discards the packet.

HTH,
Piotr

2010/5/21 Kingsley Charles <[email protected]>

> Hi Piotr
>
> When we use ttl security, bgp sends ttl starting with 255, right? How come
> it will be "2"?
>
> With regards
> Kings
>
> On Fri, May 21, 2010 at 3:47 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Kings,
>>
>> The packet sourced from the router will NOT decrement TTL, hence in this
>> case the eBGP packet will be sourced with TTL=2. The receiving router will
>> decrement TTL by 1 when receiving the packet and route it further to the
>> loopback interface. The packet MUST have TTL>=1 to be accepted, as the
>> general networking rule says: "drop packets with TTL=0 and send an ICMP
>> error packet back".
>>
>> HTH,
>> Piotr
>>
>> 2010/5/21 Kingsley Charles <[email protected]>
>>
>>> Hi Tyson
>>>
>>> Though a loopback, since the packet comes from the same router, will the
>>> router decrement the ttl?
>>>
>>> Also, when it reaches the peer router, it goes to the control plane
>>> directly, so ttl won't be decremented on the peer either. ttl will be
>>> decremented only after the routing, right?
>>>
>>> Hence, if a ttl of 255 is sent from router A in the bgp packet to the
>>> peer, it would still be 255.
>>>
>>> I think I am really missing something here.
>>>
>>> Can you please explain, with this configuration, what the ttl value will
>>> be when the bgp packet reaches the peer and how it was arrived at?
>>>
>>> With regards
>>> Kings
>>>
>>> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>>>
>>>> With one, which is what it is by default, it would be 254. Remember
>>>> loopbacks are 1 hop away so you need the ttl to be 2.
>>>>
>>>> Regards,
>>>>
>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>> Technical Instructor - IPexpert, Inc.
>>>> Mailto: [email protected]
>>>> Telephone: +1.810.326.1444, ext. 208
>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>> eFax: +1.810.454.0130
>>>>
>>>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>>>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>>>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>>> training locations throughout the United States, Europe, South Asia and
>>>> Australia. Be sure to visit our online communities at
>>>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>>>
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>>>> Sent: Thursday, May 20, 2010 3:49 AM
>>>> To: [email protected]
>>>> Subject: [OSL | CCIE_Security] bgp with ttl security
>>>>
>>>> Hi all
>>>>
>>>> Router A and B are directly connected and bgp is peered to
>>>> loopbacks.
>>>>
>>>> To make it work, we need to configure ebgp-multihop 2 on both
>>>> sides.
>>>>
>>>> For me here it works with ttl-security hops 2.
>>>>
>>>> I thought it should work with ttl-security hops 1.
>>>>
>>>> With this configuration, what is the ttl value in the bgp packet sent to
>>>> each other?
>>>>
>>>> Will it be 254 or 253?
>>>>
>>>> Router A
>>>>
>>>> router bgp 4
>>>>  no synchronization
>>>>  bgp log-neighbor-changes
>>>>  neighbor 150.1.3.3 remote-as 7
>>>>  neighbor 150.1.3.3 ttl-security hops 2
>>>>  neighbor 150.1.3.3 update-source Loopback0
>>>>  no auto-summary
>>>>
>>>> interface FastEthernet0/0
>>>>  ip address 136.1.0.2 255.255.255.0
>>>>  ip flow ingress
>>>>  duplex auto
>>>>  speed auto
>>>>
>>>> interface Loopback0
>>>>  ip address 150.1.2.2 255.255.255.0
>>>>
>>>> sh ip bgp neighbors o/p
>>>>
>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>> Local host: 150.1.2.2, Local port: 49810
>>>>
>>>> Router B
>>>>
>>>> router bgp 7
>>>>  no synchronization
>>>>  bgp log-neighbor-changes
>>>>  neighbor 150.1.2.2 remote-as 4
>>>>  neighbor 150.1.2.2 ttl-security hops 2
>>>>  neighbor 150.1.2.2 update-source Loopback0
>>>>  no auto-summary
>>>>
>>>> interface FastEthernet0/0
>>>>  ip address 136.1.0.3 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>
>>>> interface Loopback0
>>>>  ip address 150.1.3.3 255.255.255.0
>>>>
>>>> sh ip bgp neighbors o/p
>>>>
>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>> Local host: 150.1.3.3, Local port: 179
>>>>
>>>> Snippet of netflow o/p on router A
>>>>
>>>> Fa0/0 150.1.3.3 Local 150.1.2.2 06 C0 12 6
>>>> 00B3 /0 0 E2FA /0 0 0.0.0.0 57 0.2
>>>> Min TTL: 255  Max TTL: 255
>>>>
>>>> The bgp peers are sending a ttl of 255. But then why is it working with
>>>> "ttl-security hops 2" only and not with "ttl-security hops 1"?
>>>>
>>>> With regards
>>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>
>
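The thread turns on the difference between the two TTL checks: with ebgp-multihop the sender sets the TTL to the configured hop count and the receiver accepts anything that survives forwarding, whereas with ttl-security (GTSM, RFC 5082) the sender always uses TTL 255 and the receiver applies a floor of 255 minus the configured hops, which is exactly the "Mininum incoming TTL 253" shown for hops 2. The model below is an added example written for this page, not code from the thread or from IOS: the number of decrements a packet sees on its way to the loopback is a parameter of the model rather than a claim about what IOS does, and the acceptance rules are the RFC 5082 floor and the TTL>=1 forwarding rule that Piotr quotes.

```python
"""Model of BGP TTL handling: ebgp-multihop versus ttl-security (GTSM).

Added illustration; the decrement counts passed in are assumptions of the
model, not measurements from the routers in the thread.
"""

MAX_TTL = 255


def minimum_incoming_ttl(hops: int) -> int:
    """Floor applied by 'neighbor X ttl-security hops N': accept TTL >= 255 - N.

    For hops 2 this is 253, matching the 'Mininum incoming TTL 253' output.
    """
    if not 1 <= hops <= 254:
        raise ValueError("ttl-security hops must be in 1..254")
    return MAX_TTL - hops


def gtsm_accepts(received_ttl: int, hops: int) -> bool:
    """GTSM receiver check (RFC 5082): packet must be at or above the floor."""
    return received_ttl >= minimum_incoming_ttl(hops)


def multihop_accepts(received_ttl: int) -> bool:
    """ebgp-multihop receiver: no floor, any packet that was not dropped in
    transit (TTL >= 1 on arrival) is handed to BGP."""
    return received_ttl >= 1


def ttl_on_arrival(sent_ttl: int, decrements: int) -> int:
    """TTL the BGP process sees after `decrements` forwarding decrements.

    Returns 0 when the packet would have expired in transit.
    """
    if sent_ttl < 1 or decrements < 0:
        raise ValueError("sent_ttl must be >= 1 and decrements >= 0")
    return max(sent_ttl - decrements, 0)


def evaluate(sent_ttl: int, decrements: int, hops: int) -> dict:
    """Run one packet through both receiver policies.

    sent_ttl:   255 for a GTSM sender, or the multihop count for an
                ebgp-multihop sender.
    decrements: how many times the TTL is decremented before BGP sees it
                (assumed value; the thread debates whether the hop into the
                loopback costs one).
    hops:       the ttl-security hops value configured on the receiver.
    """
    ttl = ttl_on_arrival(sent_ttl, decrements)
    return {
        "arrival_ttl": ttl,
        "gtsm": ttl >= 1 and gtsm_accepts(ttl, hops),
        "multihop": multihop_accepts(ttl),
    }


def scenarios() -> dict:
    """Constructed cases covering the thread's question and the reason GTSM exists."""
    return {
        # Peer is directly connected; assume one decrement on the way to Loopback0.
        "gtsm_hops1_one_decrement": evaluate(MAX_TTL, 1, 1),
        # Same peer, assume two decrements; hops 1 now fails, hops 2 still works.
        "gtsm_hops1_two_decrements": evaluate(MAX_TTL, 2, 1),
        "gtsm_hops2_two_decrements": evaluate(MAX_TTL, 2, 2),
        # A packet that originated six routers away with TTL 255 arrives at 249:
        # ttl-security hops 2 rejects it, plain ebgp-multihop would accept it.
        "distant_source": evaluate(MAX_TTL, 6, 2),
        # ebgp-multihop 2 sender as described by Piotr: leaves with TTL 2,
        # one decrement, arrives with TTL 1, just enough to be accepted.
        "multihop2_sender": evaluate(2, 1, 2),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} {result}")
```

The "distant_source" case is the security-relevant one: the multihop policy accepts a packet regardless of how far away it originated, while the GTSM floor rejects anything that has crossed more routers than the configured hops, which is why ttl-security is preferred over ebgp-multihop for protecting the BGP control plane.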
