Hi Piotr

From your explanation and my observations, it seems ttl security 1 will never work, even if the EBGP peers are directly connected. Yesterday, I tried connecting to bgp peers directly and it came up only with ttl of 2.

Finally, I am curious why even directly connected peering bgp peers require ttl security of 2. It didn't work with ttl of 1.

r1 10.20.30.41 - 10.20.30.42 r2
r1 neighbor 10.20.30.41
r1 neighbor 10.20.30.42

With regards
Kings

On Sat, May 22, 2010 at 1:25 AM, Piotr Matusiak <[email protected]> wrote:
> Kings,
>
> I knew you'd ask that question :)
> This is one of the mysteries of the IOS.
>
> A simple answer is:
>
> There are two things checked by the eBGP peer when receiving the packet:
> 1. TTL of the packet must be "1"
> 2. peer's IP address must be local, meaning it must be from the subnet directly connected to the router.
>
> For a regular eBGP connection both checks are passed. However, for a loopback-sourced eBGP session those checks must somehow be overcome. There are two options to do that:
>
> 1. "ebgp-multihop 2" - this option sets outbound TTL=2 and hence it equals 1 when it hits the receiving eBGP router. This command disables the second check automatically.
> 2. "ttl-security 2" - the outbound is always TTL=255, however the receiving router wants to see TTL=255-<ttl-security> when it gets the packet. The first check is OK and the second check is ignored in this case.
>
> Now, what if we configure "ttl-security 1". The outbound TTL=255 and it gets decremented by 1 when hitting the receiving router, so that TTL=254. See what the output of "sh ip bgp nei" tells you: "External BGP neighbor may be up to 1 hop away." This indicates that the TTL must be "1" not "254". To overcome that you need to disable the second check by using the command "neighbor <IP> disable-connected-check". After establishing the connection, the router displays "Mininum incoming TTL 254, Outgoing TTL 255".
>
> HTH,
> Piotr
>
> 2010/5/21 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> I agree with you. Please look at the configuration below, the bgp peers are directly connected.
>> The bgp connection comes up only with ttl-security hops 2, not ttl-security hops 1.
>>
>> Why does a directly connected network require ttl-security hops 2?
>>
>> *Router A*
>>
>> router bgp 4
>>  no synchronization
>>  bgp log-neighbor-changes
>>  neighbor 136.1.0.3 remote-as 7
>>  neighbor 136.1.0.3 ttl-security hops 2
>>  no auto-summary
>>
>> interface FastEthernet0/0
>>  ip address 136.1.0.2 255.255.255.0
>>  ip flow ingress
>>  duplex auto
>>  speed auto
>>
>> *Router B*
>>
>> router bgp 7
>>  no synchronization
>>  bgp log-neighbor-changes
>>  neighbor 136.1.0.2 remote-as 4
>>  neighbor 136.1.0.2 ttl-security hops 2
>>
>> interface FastEthernet0/0
>>  ip address 136.1.0.3 255.255.255.0
>>  duplex auto
>>  speed auto
>>
>> With regards
>> Kings
>>
>> On Fri, May 21, 2010 at 7:02 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> I made a typo. It should be:
>>>
>>> the receiving router expects the TTL equal or higher than 255-<configured ttl-security value>.
>>>
>>> In your case ttl-security = 2
>>>
>>> sending router sends TTL=255
>>> receiving router expects TTL >= 253
>>>
>>> HTH,
>>> Piotr
>>>
>>> 2010/5/21 Piotr Matusiak <[email protected]>
>>>
>>>> I described it when you use ebgp-multihop 2.
>>>> If it comes to ttl-security, the bgp packet will have TTL=255 and the receiving router expects the TTL equal or higher than the configured ttl-security value.
>>>>
>>>> If the receiving router sees TTL<253 it silently discards the packet.
>>>>
>>>> HTH,
>>>> Piotr
>>>>
>>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi Piotr
>>>>>
>>>>> When we use ttl security, bgp sends ttl starting with 255, right? How come it will be "2"?
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Fri, May 21, 2010 at 3:47 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> Kings,
>>>>>>
>>>>>> The packet sourced from the router will NOT decrement TTL, hence in this case the eBGP packet will be sourced with TTL=2. The receiving router will decrement TTL by 1 when receiving the packet and route it further to the loopback interface. The packet MUST have TTL>=1 to be accepted, as the general networking rule says: "drop packets with TTL=0 and send an ICMP error packet back".
>>>>>>
>>>>>> HTH,
>>>>>> Piotr
>>>>>>
>>>>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>>>>
>>>>>>> Hi Tyson
>>>>>>>
>>>>>>> Though a loopback, since the packet comes from the same router, will the router decrement the ttl?
>>>>>>>
>>>>>>> Also when it reaches the peer router, it goes to the control plane directly, so ttl won't be decremented on the peer either. ttl will be decremented only after the routing, right?
>>>>>>>
>>>>>>> Hence, if a ttl of 225 is sent from router A in the bgp packet to the peer, it would still be 255.
>>>>>>>
>>>>>>> I think I am really missing something here.
>>>>>>>
>>>>>>> Can you please explain, with this configuration, what the ttl value will be when the bgp packet reaches the peer and how it was arrived at?
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>>>>>>>
>>>>>>>> With one, which is what it is by default, it would be 254. Remember loopbacks are 1 hop away so you need the ttl to be 2.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>>>>>> Technical Instructor - IPexpert, Inc.
>>>>>>>>
>>>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>>>>>>>> Sent: Thursday, May 20, 2010 3:49 AM
>>>>>>>> To: [email protected]
>>>>>>>> Subject: [OSL | CCIE_Security] bgp with ttl security
>>>>>>>>
>>>>>>>> Hi all
>>>>>>>>
>>>>>>>> Router A and B are directly connected and bgp is peered to loopbacks.
>>>>>>>>
>>>>>>>> To make it work, we need to configure *ebgp-multihop 2* on both sides.
>>>>>>>>
>>>>>>>> For me here it works with ttl-security hops 2.
>>>>>>>>
>>>>>>>> I thought it should work with ttl-security hops 1.
>>>>>>>>
>>>>>>>> With this configuration, what is the ttl value in the bgp packet sent to each other?
>>>>>>>>
>>>>>>>> Will it be 254 or 253?
>>>>>>>>
>>>>>>>> *router A*
>>>>>>>>
>>>>>>>> router bgp 4
>>>>>>>>  no synchronization
>>>>>>>>  bgp log-neighbor-changes
>>>>>>>>  neighbor 150.1.3.3 remote-as 7
>>>>>>>>  neighbor 150.1.3.3 ttl-security hops 2
>>>>>>>>  neighbor 150.1.3.3 update-source Loopback0
>>>>>>>>  no auto-summary
>>>>>>>>
>>>>>>>> interface FastEthernet0/0
>>>>>>>>  ip address 136.1.0.2 255.255.255.0
>>>>>>>>  ip flow ingress
>>>>>>>>  duplex auto
>>>>>>>>  speed auto
>>>>>>>>
>>>>>>>> interface Loopback0
>>>>>>>>  ip address 150.1.2.2 255.255.255.0
>>>>>>>>
>>>>>>>> sh ip bgp neighbors o/p
>>>>>>>>
>>>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>>>> Local host: 150.1.2.2, Local port: 49810
>>>>>>>>
>>>>>>>> *Router B*
>>>>>>>>
>>>>>>>> router bgp 7
>>>>>>>>  no synchronization
>>>>>>>>  bgp log-neighbor-changes
>>>>>>>>  neighbor 150.1.2.2 remote-as 4
>>>>>>>>  neighbor 150.1.2.2 ttl-security hops 2
>>>>>>>>  neighbor 150.1.2.2 update-source Loopback0
>>>>>>>>  no auto-summary
>>>>>>>>
>>>>>>>> interface FastEthernet0/0
>>>>>>>>  ip address 136.1.0.3 255.255.255.0
>>>>>>>>  duplex auto
>>>>>>>>  speed auto
>>>>>>>>
>>>>>>>> interface Loopback0
>>>>>>>>  ip address 150.1.3.3 255.255.255.0
>>>>>>>>
>>>>>>>> sh ip bgp neighbors o/p
>>>>>>>>
>>>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>>>> Local host: 150.1.3.3, Local port: 179
>>>>>>>>
>>>>>>>> *Snippet of netflow o/p on router A*
>>>>>>>>
>>>>>>>> Fa0/0 150.1.3.3 Local 150.1.2.2 06 C0 12 6
>>>>>>>> 00B3 /0 0 E2FA /0 0 0.0.0.0 57 0.2
>>>>>>>> *Min TTL: 255* Max TTL: 255
>>>>>>>>
>>>>>>>> The bgp peers are sending a ttl of 255.
>>>>>>>> But then why is it working with "ttl-security hops 2" only and not with "ttl-security hops 1"?
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
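The TTL arithmetic the thread keeps returning to, written out as a small checker. This is an added example, not code from the thread or from Cisco: it assumes the IOS semantics the posts above converge on (ttl-security hops N makes the router accept incoming TTL >= 255 - N, which is why hops 2 shows "Mininum incoming TTL 253"), and it parses the exact "sh ip bgp neighbors" and netflow line formats quoted in the thread, which is an assumption about those formats.

```python
import re

# Added example, not IOS or thread code: cross-check a router's ttl-security
# config against the TTLs it reports. Assumes the semantics the thread settled
# on: "ttl-security hops N" accepts incoming packets with TTL >= 255 - N.

MAX_TTL = 255
NEI_RE = re.compile(r"^\s*neighbor (\S+) ttl-security hops (\d+)", re.M)
SHOW_RE = re.compile(r"Mini[mn]um incoming TTL (\d+), Outgoing TTL (\d+)")  # IOS spells it "Mininum"
FLOW_RE = re.compile(r"Min TTL:\s*(\d+)\s*\*?\s*Max TTL:\s*(\d+)")

def expected_min_ttl(hops: int) -> int:
    """Lowest incoming TTL accepted for 'ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be 1..254")
    return MAX_TTL - hops

def parse_ttl_security(config: str) -> dict:
    """Map neighbor IP -> configured hops, from a 'router bgp' fragment."""
    return {ip: int(h) for ip, h in NEI_RE.findall(config)}

def check_neighbor(config: str, show_output: str, netflow: str, peer: str) -> dict:
    """Compare the configured hops, the minimum the router reports in
    'sh ip bgp neighbors', and the lowest TTL a netflow record saw on the wire."""
    hops = parse_ttl_security(config)[peer]
    expected = expected_min_ttl(hops)
    reported_min, outgoing = map(int, SHOW_RE.search(show_output).groups())
    seen_min = int(FLOW_RE.search(netflow).group(1))
    return {
        "hops": hops,
        "expected_min_ttl": expected,
        "reported_min_ttl": reported_min,
        "report_matches": reported_min == expected,
        "outgoing_ttl": outgoing,
        "observed_min_ttl": seen_min,
        "observed_accepted": seen_min >= expected,
        "margin": seen_min - expected,  # extra decrements the check would still tolerate
    }

# Constructed from router A's posts above, trimmed to the relevant lines.
CONFIG_A = """router bgp 4
 neighbor 150.1.3.3 remote-as 7
 neighbor 150.1.3.3 ttl-security hops 2
"""
SHOW_A = "Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255"
NETFLOW_A = "Fa0/0 150.1.3.3 Local 150.1.2.2 06 C0 12 6 *Min TTL: 255 * Max TTL: 255"

if __name__ == "__main__":
    for key, value in check_neighbor(CONFIG_A, SHOW_A, NETFLOW_A, "150.1.3.3").items():
        print(f"{key}: {value}")
```

The margin field is the part worth watching operationally: with hops 2 and a peer whose packets arrive at TTL 255, the check tolerates only two decrements, so any packet that crossed more routers than that is silently dropped before BGP ever sees it.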
