Hi Piotr

I agree with you. Please look at the configuration below; the bgp peers are directly connected. The bgp connection comes up only with ttl-security hops 2, not ttl-security hops 1.

Why does a directly connected network require ttl-security hops 2?

*Router A*

router bgp 4
 no synchronization
 bgp log-neighbor-changes
 neighbor 136.1.0.3 remote-as 7
 neighbor 136.1.0.3 ttl-security hops 2
 no auto-summary

interface FastEthernet0/0
 ip address 136.1.0.2 255.255.255.0
 ip flow ingress
 duplex auto
 speed auto

*Router B*

router bgp 7
 no synchronization
 bgp log-neighbor-changes
 neighbor 136.1.0.2 remote-as 4
 neighbor 136.1.0.2 ttl-security hops 2

interface FastEthernet0/0
 ip address 136.1.0.3 255.255.255.0
 duplex auto
 speed auto

With regards
Kings

On Fri, May 21, 2010 at 7:02 PM, Piotr Matusiak <[email protected]> wrote:

> I made a typo. It should be:
>
> the receiving router expects the TTL equal to or higher than
> 255 - <configured ttl-security value>.
>
> In your case ttl-security = 2
>
> sending router sends TTL=255
> receiving router expects TTL >= 253
>
> HTH,
> Piotr
>
>
> 2010/5/21 Piotr Matusiak <[email protected]>
>
>> I described it when you use ebgp-multihop 2.
>> If it comes to ttl-security, the bgp packet will have TTL=255 and the receiving
>> router expects the TTL equal to or higher than the configured ttl-security value.
>>
>> If the receiving router sees TTL<253 it silently discards the packet.
>>
>>
>> HTH,
>> Piotr
>>
>>
>> 2010/5/21 Kingsley Charles <[email protected]>
>>
>>> Hi Piotr
>>>
>>> When we use ttl security, bgp sends ttl starting with 255, right? How come
>>> it will be "2"?
>>>
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Fri, May 21, 2010 at 3:47 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Kings,
>>>>
>>>> The packet sourced from the router will NOT decrement TTL, hence in this
>>>> case the eBGP packet will be sourced with TTL=2. The receiving router will
>>>> decrement TTL by 1 when receiving the packet and route it further to the
>>>> loopback interface. The packet MUST have TTL>=1 to be accepted, as the
>>>> general networking rule says: "drop packets with TTL=0 and send an ICMP
>>>> error packet back".
>>>>
>>>> HTH,
>>>> Piotr
>>>>
>>>>
>>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi Tyson
>>>>>
>>>>> Though a loopback, since the packet comes from the same router, will
>>>>> the router decrement the ttl?
>>>>>
>>>>> Also, when it reaches the peer router, it goes to the control plane
>>>>> directly; ttl won't be decremented on the peer either. ttl will be
>>>>> decremented only after the routing, right?
>>>>>
>>>>> Hence, if a ttl of 255 is sent from router A in the bgp packet to the
>>>>> peer, it would still be 255.
>>>>>
>>>>> I think I am really missing something here.
>>>>>
>>>>>
>>>>> Can you please explain, with this configuration, what the ttl
>>>>> value will be when the bgp packet reaches the peer and how it was arrived at?
>>>>>
>>>>>
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>>
>>>>> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>>>>>
>>>>>> With one, which is what it is by default, it would be 254. Remember
>>>>>> loopbacks are 1 hop away so you need the ttl to be 2.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>>
>>>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>>>>
>>>>>> Technical Instructor - IPexpert, Inc.
>>>>>>
>>>>>> Mailto: [email protected]
>>>>>>
>>>>>> Telephone: +1.810.326.1444, ext. 208
>>>>>>
>>>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>>>>
>>>>>> eFax: +1.810.454.0130
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>>>>>> *Sent:* Thursday, May 20, 2010 3:49 AM
>>>>>> *To:* [email protected]
>>>>>> *Subject:* [OSL | CCIE_Security] bgp with ttl security
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi all
>>>>>>
>>>>>> Router A and B are directly connected and the bgp are peered to
>>>>>> loopbacks.
>>>>>>
>>>>>> To make it work, we need to configure *ebgp-multihop 2* on both
>>>>>> sides.
>>>>>>
>>>>>> For me here it works with ttl-security hops 2.
>>>>>>
>>>>>> I thought it should work with ttl-security hops 1.
>>>>>>
>>>>>> With this configuration, what is the ttl value in the bgp packet sent
>>>>>> to each other?
>>>>>>
>>>>>> Will it be 254 or 253?
>>>>>>
>>>>>>
>>>>>> *router A*
>>>>>>
>>>>>> router bgp 4
>>>>>>  no synchronization
>>>>>>  bgp log-neighbor-changes
>>>>>>  neighbor 150.1.3.3 remote-as 7
>>>>>>  neighbor 150.1.3.3 ttl-security hops 2
>>>>>>  neighbor 150.1.3.3 update-source Loopback0
>>>>>>  no auto-summary
>>>>>>
>>>>>> interface FastEthernet0/0
>>>>>>  ip address 136.1.0.2 255.255.255.0
>>>>>>  ip flow ingress
>>>>>>  duplex auto
>>>>>>  speed auto
>>>>>>
>>>>>> interface Loopback0
>>>>>>  ip address 150.1.2.2 255.255.255.0
>>>>>>
>>>>>>
>>>>>> sh ip bgp neighbors o/p
>>>>>>
>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>> Local host: 150.1.2.2, Local port: 49810
>>>>>>
>>>>>> *Router B*
>>>>>>
>>>>>> router bgp 7
>>>>>>  no synchronization
>>>>>>  bgp log-neighbor-changes
>>>>>>  neighbor 150.1.2.2 remote-as 4
>>>>>>  neighbor 150.1.2.2 ttl-security hops 2
>>>>>>  neighbor 150.1.2.2 update-source Loopback0
>>>>>>  no auto-summary
>>>>>>
>>>>>> interface FastEthernet0/0
>>>>>>  ip address 136.1.0.3 255.255.255.0
>>>>>>  duplex auto
>>>>>>  speed auto
>>>>>>
>>>>>> interface Loopback0
>>>>>>  ip address 150.1.3.3 255.255.255.0
>>>>>>
>>>>>> sh ip bgp neighbors o/p
>>>>>>
>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>> Local host: 150.1.3.3, Local port: 179
>>>>>>
>>>>>>
>>>>>> *Snippet of netflow o/p on router A*
>>>>>>
>>>>>> Fa0/0 150.1.3.3 Local 150.1.2.2 06 C0 12 6
>>>>>> 00B3 /0 0 E2FA /0 0 0.0.0.0 57 0.2
>>>>>> *Min TTL: 255* Max TTL: 255
>>>>>>
>>>>>>
>>>>>> The bgp peers are sending a ttl of 255. But then why is it working
>>>>>> with "ttl-security hops 2" only and not with "ttl-security hops 1"?
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
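A small model of the two TTL checks discussed in this thread, ttl-security (GTSM) versus ebgp-multihop, added here as an illustration; it is not code from any message above. It follows the rule Piotr states (sender uses TTL 255, receiver accepts TTL >= 255 - hops) and the ebgp-multihop behaviour he describes (sender uses TTL = hops, receiver needs TTL >= 1); the path-length model and all function names are constructed for this example.

```python
MAX_TTL = 255  # initial TTL a router puts on GTSM-protected BGP packets


def min_incoming_ttl(hops: int) -> int:
    """Lowest TTL the receiver accepts for 'ttl-security hops <hops>'.
    For hops 2 this is 253, the value shown as "Mininum incoming TTL" in the
    show ip bgp neighbors output quoted in the thread."""
    if not 1 <= hops <= 254:
        raise ValueError("ttl-security hops must be between 1 and 254")
    return MAX_TTL - hops


def ttl_on_arrival(initial_ttl: int, decrements: int) -> int:
    """TTL of a packet after 'decrements' routers have forwarded it.
    Assumption of this model: the originating router does not decrement
    the TTL of its own packets, so a directly connected peer sees the
    initial value, as the NetFlow capture (Min/Max TTL 255) shows for the
    physical-interface peering."""
    return max(initial_ttl - decrements, 0)


def gtsm_accepts(hops: int, decrements: int, initial_ttl: int = MAX_TTL) -> bool:
    """Receiver-side ttl-security decision: accept only when the arriving
    TTL is at least 255 - hops; anything lower is silently discarded."""
    return ttl_on_arrival(initial_ttl, decrements) >= min_incoming_ttl(hops)


def multihop_accepts(multihop: int, decrements: int) -> bool:
    """Contrast: 'ebgp-multihop N' sends TTL=N and the packet only has to
    survive to the peer (TTL >= 1 on arrival). Nothing here limits how far
    away the sender may be; it just has to pick a large enough TTL."""
    return ttl_on_arrival(multihop, decrements) >= 1


def farthest_accepted_source(hops: int) -> int:
    """Why GTSM is the security feature: 255 is the largest TTL an IP header
    can carry, so a source more than 'hops' routers away can never arrive
    with TTL >= 255 - hops. Returns the largest path length that passes."""
    return max(d for d in range(MAX_TTL + 1) if gtsm_accepts(hops, d))


if __name__ == "__main__":
    print("hops 2 -> minimum incoming TTL", min_incoming_ttl(2))
    print("directly connected peer, hops 2:", gtsm_accepts(2, 0))
    print("source 3 routers away, hops 2:", gtsm_accepts(2, 3))
    print("ebgp-multihop 2, one decrement:", multihop_accepts(2, 1))
```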
