I made a typo. It should be: the receiving router expects the TTL equal to or higher than 255 - <configured ttl-security value>.
In your case ttl-security = 2: the sending router sends TTL=255, and the receiving router expects TTL >= 253.

HTH,
Piotr

2010/5/21 Piotr Matusiak <[email protected]>

> I described it when you use ebgp-multihop 2.
> If it comes to ttl-security, the bgp packet will have TTL=255 and the receiving
> router expects the TTL equal to or higher than the configured ttl-security value.
>
> If the receiving router sees TTL<253 it silently discards the packet.
>
> HTH,
> Piotr
>
> 2010/5/21 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> When we use ttl security, bgp sends ttl starting with 255, right? How come
>> it will be "2"?
>>
>> With regards
>> Kings
>>
>> On Fri, May 21, 2010 at 3:47 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Kings,
>>>
>>> The packet sourced from the router will NOT decrement TTL, hence in this
>>> case the eBGP packet will be sourced with TTL=2. The receiving router will
>>> decrement TTL by 1 when receiving the packet and route it further to the
>>> loopback interface. The packet MUST have TTL >= 1 to be accepted, as the
>>> general networking rule says: "drop packets with TTL=0 and send an ICMP
>>> error packet back".
>>>
>>> HTH,
>>> Piotr
>>>
>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>
>>>> Hi Tyson
>>>>
>>>> Though a loopback, since the packet comes from the same router, will the
>>>> router decrement the ttl?
>>>>
>>>> Also, when it reaches the peer router it goes to the control plane
>>>> directly, so the ttl won't be decremented on the peer either. The ttl will be
>>>> decremented only after the routing, right?
>>>>
>>>> Hence, if a ttl of 255 is sent from router A in the bgp packet to the
>>>> peer, it would still be 255.
>>>>
>>>> I think I am really missing something here.
>>>>
>>>> Can you please explain, with this configuration, what the ttl value
>>>> will be when the bgp packet reaches the peer and how it was arrived at?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>>>>
>>>>> With one, which is what it is by default, it would be 254. Remember
>>>>> loopbacks are 1 hop away, so you need the ttl to be 2.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>>> Technical Instructor - IPexpert, Inc.
>>>>> Mailto: [email protected]
>>>>> Telephone: +1.810.326.1444, ext. 208
>>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>>> eFax: +1.810.454.0130
>>>>>
>>>>> IPexpert is a premier provider of Self-Study Workbooks, Video on
>>>>> Demand, Audio Tools, Online Hardware Rental and Classroom Training for the
>>>>> Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>>>> training locations throughout the United States, Europe, South Asia and
>>>>> Australia. Be sure to visit our online communities at
>>>>> www.ipexpert.com/communities and our public website at
>>>>> www.ipexpert.com
>>>>>
>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>>>>> Sent: Thursday, May 20, 2010 3:49 AM
>>>>> To: [email protected]
>>>>> Subject: [OSL | CCIE_Security] bgp with ttl security
>>>>>
>>>>> Hi all
>>>>>
>>>>> Router A and B are directly connected and the bgp sessions are peered to
>>>>> loopbacks.
>>>>>
>>>>> To make it work, we need to configure ebgp-multihop 2 on both sides.
>>>>>
>>>>> For me here it works with ttl-security hops 2.
>>>>>
>>>>> I thought it should work with ttl-security hops 1.
>>>>>
>>>>> With this configuration, what is the ttl value in the bgp packets sent
>>>>> to each other?
>>>>>
>>>>> Will it be 254 or 253?
>>>>>
>>>>> router A
>>>>>
>>>>> router bgp 4
>>>>>  no synchronization
>>>>>  bgp log-neighbor-changes
>>>>>  neighbor 150.1.3.3 remote-as 7
>>>>>  neighbor 150.1.3.3 ttl-security hops 2
>>>>>  neighbor 150.1.3.3 update-source Loopback0
>>>>>  no auto-summary
>>>>>
>>>>> interface FastEthernet0/0
>>>>>  ip address 136.1.0.2 255.255.255.0
>>>>>  ip flow ingress
>>>>>  duplex auto
>>>>>  speed auto
>>>>>
>>>>> interface Loopback0
>>>>>  ip address 150.1.2.2 255.255.255.0
>>>>>
>>>>> sh ip bgp neighbors o/p
>>>>>
>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>> Local host: 150.1.2.2, Local port: 49810
>>>>>
>>>>> Router B
>>>>>
>>>>> router bgp 7
>>>>>  no synchronization
>>>>>  bgp log-neighbor-changes
>>>>>  neighbor 150.1.2.2 remote-as 4
>>>>>  neighbor 150.1.2.2 ttl-security hops 2
>>>>>  neighbor 150.1.2.2 update-source Loopback0
>>>>>  no auto-summary
>>>>>
>>>>> interface FastEthernet0/0
>>>>>  ip address 136.1.0.3 255.255.255.0
>>>>>  duplex auto
>>>>>  speed auto
>>>>>
>>>>> interface Loopback0
>>>>>  ip address 150.1.3.3 255.255.255.0
>>>>>
>>>>> sh ip bgp neighbors o/p
>>>>>
>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>> Local host: 150.1.3.3, Local port: 179
>>>>>
>>>>> Snippet of netflow o/p on router A
>>>>>
>>>>> Fa0/0  150.1.3.3  Local  150.1.2.2  06 C0  12  6
>>>>> 00B3 /0 0  E2FA /0 0  0.0.0.0  57  0.2
>>>>> Min TTL: 255  Max TTL: 255
>>>>>
>>>>> The bgp peers are sending a ttl of 255. But then why is it working with
>>>>> "ttl-security hops 2" only and not with "ttl-security hops 1"?
>>>>>
>>>>> With regards
>>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
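The receive-side check the thread is arguing about, written out as an added example (this is not code from the thread or from IOS; it is a model). Assumptions, stated here and in the comments: IOS derives its threshold as 255 - hops, which is what the posted "Mininum incoming TTL 253" line for "ttl-security hops 2" shows; the RFC 5082 (GTSM) threshold is one stricter, 255 - (hops - 1); and how many routers decrement the TTL before the BGP process sees it (the thread's open question about loopback-destined packets) is left as a parameter rather than decided. The sample packets and the 10.0.0.9 address are constructed.

```python
# Added example: a model of the BGP ttl-security (GTSM, RFC 5082) receive check.
# Assumptions: IOS threshold = 255 - hops (matches the "Minimum incoming TTL 253"
# line for hops 2 in the thread); RFC 5082 threshold = 255 - (hops - 1).
# How many routers decrement before the check is a parameter, not a claim.
from __future__ import annotations

from dataclasses import dataclass

INITIAL_TTL = 255  # a GTSM-enabled sender always originates BGP packets with TTL 255


def ios_min_incoming_ttl(hops: int) -> int:
    """Threshold IOS applies for `neighbor X ttl-security hops N`: 255 - N."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return INITIAL_TTL - hops


def rfc5082_min_incoming_ttl(hops: int) -> int:
    """Threshold from RFC 5082: accept only if TTL >= 255 - (hops - 1)."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return INITIAL_TTL - (hops - 1)


def arriving_ttl(initial_ttl: int, decrements: int) -> int:
    """TTL the receiver's BGP process sees after `decrements` routers each
    subtract one. Returns 0 when the packet would have expired in transit."""
    return max(initial_ttl - decrements, 0)


def gtsm_accepts(ttl_seen: int, hops: int, strict: bool = False) -> bool:
    """Silently discard (False) unless the observed TTL meets the threshold.
    strict=True uses the RFC 5082 threshold instead of the IOS one."""
    if ttl_seen <= 0:
        return False  # an expired packet never reaches the BGP process
    threshold = rfc5082_min_incoming_ttl(hops) if strict else ios_min_incoming_ttl(hops)
    return ttl_seen >= threshold


@dataclass(frozen=True)
class BgpPacket:
    src: str
    initial_ttl: int   # TTL the sender put in the IP header
    decrements: int    # routers that decrement before the receiver's check


def filter_peers(packets: list[BgpPacket], hops: int, strict: bool = False) -> list[str]:
    """Return the source addresses whose packets survive the ttl-security check."""
    return [
        p.src
        for p in packets
        if gtsm_accepts(arriving_ttl(p.initial_ttl, p.decrements), hops, strict)
    ]


# Constructed sample traffic, loosely following the addresses in the thread.
SAMPLE = [
    BgpPacket("150.1.3.3", 255, 1),  # real peer: one decrement before the check
    BgpPacket("10.0.0.9", 255, 2),   # attacker two hops away; 255 is the best it can send
    BgpPacket("10.0.0.9", 128, 0),   # adjacent attacker using an OS default TTL
]


def demo() -> dict[str, list[str]]:
    """Which sources each configuration lets through against SAMPLE."""
    return {
        "hops 1": filter_peers(SAMPLE, 1),
        "hops 2": filter_peers(SAMPLE, 2),
        "hops 2 strict": filter_peers(SAMPLE, 2, strict=True),
    }


if __name__ == "__main__":
    for cfg, accepted in demo().items():
        print(f"{cfg}: accepted sources {accepted}")
```

The point for a practitioner is the last two rows of the demo: an attacker can never present a TTL higher than 255, so every extra hop configured beyond the real distance to the peer is one more hop from which a spoofed packet passes the check. Set hops to the actual distance and verify it with the "Minimum incoming TTL" line in "show ip bgp neighbors".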
