Kings,

I knew you'd ask that question :)
This is one of the mysteries of the IOS.

A simple answer is:

There are two things checked by an eBGP peer when receiving the packet:
1. The TTL of the packet must be "1".
2. The peer's IP address must be local, meaning it must be from a subnet directly
connected to the router.

For a regular eBGP connection both checks pass. However, for a loopback-sourced
eBGP session those checks must somehow be overcome. There are two
options to do that:

1. "ebgp-multihop 2" - this option sets outbound TTL=2 and hence it equals 1
when it hits the receiving eBGP router. This command disables the second check
automatically.
2. "ttl-security 2" - the outbound is always TTL=255, however the receiving
router wants to see TTL=255-<ttl-security> when it gets the packet. The first
check is OK and the second check is ignored in this case.

Now, what if we configure "ttl-security 1"? The outbound TTL=255 and it gets
decremented by 1 when hitting the receiving router, so that TTL=254.
See what the output of "sh ip bgp nei" tells you: "External BGP neighbor
may be up to 1 hop away." This indicates that the TTL must be "1", not "254".
To overcome that you need to disable the second check by using the command
"neighbor <IP> disable-connected-check". After the connection is established,
the router displays "Mininum incoming TTL 254, Outgoing TTL 255".


HTH,
Piotr

2010/5/21 Kingsley Charles <[email protected]>

> Hi Piotr
>
> I agree with you. Please look at the configuration below, the bgp peers are
> directly connected. The bgp connection comes up only with ttl-security hops 2,
> not ttl-security hops 1.
>
> Why does a directly connected network require ttl-security hops 2?
>
>
>
>
> *Router A*
>
> router bgp 4
>  no synchronization
>  bgp log-neighbor-changes
>  neighbor 136.1.0.3 remote-as 7
>  neighbor 136.1.0.3 ttl-security hops 2
>
>  no auto-summary
>
> interface FastEthernet0/0
>  ip address 136.1.0.2 255.255.255.0
>  ip flow ingress
>  duplex auto
>  speed auto
>
>
>
> *Router B*
>
> router bgp 7
>  no synchronization
>  bgp log-neighbor-changes
>  neighbor 136.1.0.2 remote-as 4
>  neighbor 136.1.0.2 ttl-security hops 2
>
>
>
> interface FastEthernet0/0
>  ip address 136.1.0.3 255.255.255.0
>  duplex auto
>  speed auto
>
>
>
>
> With regards
> Kings
>
>
> On Fri, May 21, 2010 at 7:02 PM, Piotr Matusiak <[email protected]> wrote:
>
>> I made a typo. It should be:
>>
>> the receiving router expects the TTL equal to or higher than
>> 255-<configured ttl-security value>.
>>
>> In your case ttl-security = 2
>>
>> sending router sends TTL=255
>> receiving router expects TTL >= 253
>>
>> HTH,
>> Piotr
>>
>>
>> 2010/5/21 Piotr Matusiak <[email protected]>
>>
>>> I described it when you use ebgp-multihop 2.
>>> When it comes to ttl-security, the bgp packet will have TTL=255 and the
>>> receiving router expects the TTL equal to or higher than the configured
>>> ttl-security value.
>>>
>>> If the receiving router sees TTL<253 it silently discards the packet.
>>>
>>>
>>> HTH,
>>> Piotr
>>>
>>>
>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>
>>>> Hi Piotr
>>>>
>>>> When we use ttl security, bgp sends a ttl starting with 255, right? How
>>>> come it will be "2"?
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>>
>>>> On Fri, May 21, 2010 at 3:47 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> Kings,
>>>>>
>>>>> The packet sourced from the router will NOT decrement TTL, hence in
>>>>> this case the eBGP packet will be sourced with TTL=2. The receiving router
>>>>> will decrement TTL by 1 when receiving the packet and route it further to
>>>>> the loopback interface. The packet MUST have TTL>=1 to be accepted, as the
>>>>> general networking rule says: "drop packets with TTL=0 and send an ICMP
>>>>> error packet back".
>>>>>
>>>>> HTH,
>>>>> Piotr
>>>>>
>>>>>
>>>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Hi Tyson
>>>>>>
>>>>>> Though a loopback, since the packet comes from the same router, will
>>>>>> the router decrement the ttl?
>>>>>>
>>>>>> Also, when it reaches the peer router, it goes to the control plane
>>>>>> directly, so the ttl won't be decremented on the peer either. The ttl will
>>>>>> be decremented only after routing, right?
>>>>>>
>>>>>> Hence, if a ttl of 225 is sent from router A in the bgp packet to the
>>>>>> peer, it would still be 255.
>>>>>>
>>>>>> I think I am really missing something here.
>>>>>>
>>>>>>
>>>>>> Can you please explain, with this configuration, what the ttl value
>>>>>> will be when the bgp packet reaches the peer and how it was arrived at?
>>>>>>
>>>>>>
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>>
>>>>>> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>>>>>>
>>>>>>> With one, which is what it is by default, it would be 254.
>>>>>>> Remember loopbacks are 1 hop away, so you need the ttl to be 2.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>>>>>
>>>>>>> Technical Instructor - IPexpert, Inc.
>>>>>>>
>>>>>>> Mailto: [email protected]
>>>>>>>
>>>>>>> Telephone: +1.810.326.1444, ext. 208
>>>>>>>
>>>>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>>>>>
>>>>>>> eFax: +1.810.454.0130
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> IPexpert is a premier provider of Self-Study Workbooks, Video on
>>>>>>> Demand, Audio Tools, Online Hardware Rental and Classroom Training for the
>>>>>>> Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>>>>>>> training locations throughout the United States, Europe, South Asia and
>>>>>>> Australia. Be sure to visit our online communities at
>>>>>>> www.ipexpert.com/communities and our public website at
>>>>>>> www.ipexpert.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* [email protected] [mailto:
>>>>>>> [email protected]] *On Behalf Of* Kingsley
>>>>>>> Charles
>>>>>>> *Sent:* Thursday, May 20, 2010 3:49 AM
>>>>>>> *To:* [email protected]
>>>>>>> *Subject:* [OSL | CCIE_Security] bgp with ttl security
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi all
>>>>>>>
>>>>>>> Routers A and B are directly connected and the bgp sessions are peered to
>>>>>>> loopbacks.
>>>>>>>
>>>>>>> To make it work, we need to configure *ebgp-multihop 2* on both
>>>>>>> sides.
>>>>>>>
>>>>>>> For me here it works with ttl-security hops 2.
>>>>>>>
>>>>>>> I thought it should work with ttl-security hops 1.
>>>>>>>
>>>>>>> With this configuration, what is the ttl value in the bgp packet sent
>>>>>>> to each other?
>>>>>>>
>>>>>>> Will it be 254 or 253?
>>>>>>>
>>>>>>>
>>>>>>> *router A*
>>>>>>>
>>>>>>> router bgp 4
>>>>>>>  no synchronization
>>>>>>>  bgp log-neighbor-changes
>>>>>>>  neighbor 150.1.3.3 remote-as 7
>>>>>>>  neighbor 150.1.3.3 ttl-security hops 2
>>>>>>>  neighbor 150.1.3.3 update-source Loopback0
>>>>>>>  no auto-summary
>>>>>>>
>>>>>>> interface FastEthernet0/0
>>>>>>>  ip address 136.1.0.2 255.255.255.0
>>>>>>>  ip flow ingress
>>>>>>>  duplex auto
>>>>>>>  speed auto
>>>>>>>
>>>>>>> interface Loopback0
>>>>>>>  ip address 150.1.2.2 255.255.255.0
>>>>>>>
>>>>>>>
>>>>>>> sh ip bgp neighbors o/p
>>>>>>>
>>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>>> Local host: 150.1.2.2, Local port: 49810
>>>>>>>
>>>>>>> *Router B*
>>>>>>>
>>>>>>> router bgp 7
>>>>>>>  no synchronization
>>>>>>>  bgp log-neighbor-changes
>>>>>>>  neighbor 150.1.2.2 remote-as 4
>>>>>>>  neighbor 150.1.2.2 ttl-security hops 2
>>>>>>>  neighbor 150.1.2.2 update-source Loopback0
>>>>>>>  no auto-summary
>>>>>>>
>>>>>>> interface FastEthernet0/0
>>>>>>>  ip address 136.1.0.3 255.255.255.0
>>>>>>>  duplex auto
>>>>>>>  speed auto
>>>>>>>
>>>>>>> interface Loopback0
>>>>>>>  ip address 150.1.3.3 255.255.255.0
>>>>>>>
>>>>>>> sh ip bgp neighbors o/p
>>>>>>>
>>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>>> Local host: 150.1.3.3, Local port: 179
>>>>>>>
>>>>>>>
>>>>>>> *Snippet of netflow o/p on router A*
>>>>>>>
>>>>>>> Fa0/0          150.1.3.3       Local          150.1.2.2       06 C0  12       6
>>>>>>> 00B3 /0  0                     E2FA /0  0     0.0.0.0         57     0.2
>>>>>>> *Min TTL:       255*                            Max TTL:        255
>>>>>>>
>>>>>>>
>>>>>>> The bgp peers are sending a ttl of 255. But then why is it working
>>>>>>> with "ttl-security hops 2" only and not with "ttl-security hops 1"?
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

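The two inbound eBGP checks Piotr describes (the TTL check and the directly-connected check), and the way ebgp-multihop, ttl-security hops (GTSM, RFC 5082) and disable-connected-check alter them, modelled as an added example. This is not code from the thread or from IOS; the rules follow the thread's description, and the single TTL decrement for loopback peering across a direct link is assumed from Piotr's explanation.

```python
"""Model of the two inbound eBGP checks described in the thread (TTL check and
directly-connected check) and how ebgp-multihop, ttl-security hops (GTSM, RFC 5082)
and disable-connected-check alter them. Added illustration, not IOS code."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_TTL = 255

@dataclass
class Neighbor:
    peer_ip: str
    ebgp_multihop: int | None = None       # neighbor X ebgp-multihop N
    ttl_security_hops: int | None = None   # neighbor X ttl-security hops N
    disable_connected_check: bool = False  # neighbor X disable-connected-check

def outgoing_ttl(n: Neighbor) -> int:
    """TTL the sender writes into BGP packets it originates toward this peer."""
    if n.ttl_security_hops is not None:
        return MAX_TTL              # GTSM always sends 255
    if n.ebgp_multihop is not None:
        return n.ebgp_multihop      # multihop N sends TTL=N
    return 1                        # plain eBGP: a single hop

def minimum_incoming_ttl(n: Neighbor) -> int:
    """Lowest TTL accepted ('Minimum incoming TTL' in show ip bgp neighbors)."""
    if n.ttl_security_hops is not None:
        return MAX_TTL - n.ttl_security_hops   # hops 2 -> 253, hops 1 -> 254
    return 1                                   # only requirement: not expired

def connected_check_applies(n: Neighbor) -> bool:
    """Peer must be on a directly connected subnet unless the session is
    multihop, GTSM allows more than one hop, or the check is disabled."""
    if n.disable_connected_check or n.ebgp_multihop is not None:
        return False
    return (n.ttl_security_hops or 1) <= 1

def accept(n: Neighbor, received_ttl: int, local_subnet: str) -> tuple[bool, str]:
    """Receiver-side decision for one inbound packet claiming to be from the peer."""
    floor = minimum_incoming_ttl(n)
    if received_ttl < floor:
        return False, f"TTL {received_ttl} below minimum {floor}"
    if connected_check_applies(n) and ip_address(n.peer_ip) not in ip_network(local_subnet):
        return False, f"{n.peer_ip} is not on connected subnet {local_subnet}"
    return True, "accepted"

def loopback_session(sender: Neighbor, receiver: Neighbor, local_subnet: str) -> tuple[bool, str]:
    """Directly connected routers peering loopback to loopback: per the thread, the
    receiver decrements TTL once while routing the packet to its own loopback."""
    return accept(receiver, outgoing_ttl(sender) - 1, local_subnet)
```

Running the thread's configurations through the model reproduces the observed behaviour: hops 2 passes both checks, hops 1 passes the TTL check but fails the connected check until disable-connected-check is added, and a packet arriving with a TTL below 253 is dropped before BGP ever sees it.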