It works ONLY when you use "ttl-security 1" and "disable-connected-check".

2010/5/22 Kingsley Charles <[email protected]>
> Hi Piotr
>
> From your explanation and my observations, it seems ttl security 1 will
> never work, even if the EBGP peers are directly connected. Yesterday, I
> tried connecting to bgp peers directly and it came up only with ttl of 2.
>
> Finally, I am curious why even directly connected peering bgp peers require
> ttl security of 2. It didn't work with ttl of 1.
>
> r1 10.20.30.41 - 10.20.30.42 r2
>
> r1
> neighbor 10.20.30.41
>
> r1
> neighbor 10.20.30.42
>
> With regards
> Kings
>
> On Sat, May 22, 2010 at 1:25 AM, Piotr Matusiak <[email protected]> wrote:
>
>> Kings,
>>
>> I knew you'd ask that question :)
>> This is one of the mysteries of the IOS.
>>
>> A simple answer is:
>>
>> There are two things checked by the eBGP peer when receiving the packet:
>> 1. TTL of the packet must be "1"
>> 2. peer's IP address must be local, meaning it must be from the subnet
>> directly connected to the router.
>>
>> For a regular eBGP connection both checks are passed. However, for a
>> loopback-sourced eBGP session those checks must somehow be overcome. There
>> are two options to do that:
>>
>> 1. "ebgp-multihop 2" - this option sets outbound TTL=2 and hence it equals
>> 1 when it hits the receiving eBGP router. This command disables the second
>> check automatically.
>> 2. "ttl-security 2" - the outbound TTL is always 255, however the
>> receiving router wants to see TTL=255-<ttl-security> when it gets the
>> packet. The first check is OK and the second check is ignored in this case.
>>
>> Now, what if we configure "ttl-security 1"? The outbound TTL=255 and it
>> gets decremented by 1 when hitting the receiving router, so that TTL=254.
>> See what the output of "sh ip bgp nei" tells you: "External BGP neighbor
>> may be up to 1 hop away." This indicates that the TTL must be "1" not "254".
>> To overcome that you need to disable the second check by using the command
>> "neighbor <IP> disable-connected-check". After establishing the connection,
>> the router displays "Mininum incoming TTL 254, Outgoing TTL 255".
>>
>> HTH,
>> Piotr
>>
>> 2010/5/21 Kingsley Charles <[email protected]>
>>
>>> Hi Piotr
>>>
>>> I agree with you. Please look at the configuration below; the bgp peers are
>>> directly connected. The bgp connection comes up only with ttl-security hops
>>> 2, not ttl-security hops 1.
>>>
>>> Why does a directly connected network require ttl-security hops 2?
>>>
>>> *Router A*
>>>
>>> router bgp 4
>>>  no synchronization
>>>  bgp log-neighbor-changes
>>>  neighbor 136.1.0.3 remote-as 7
>>>  neighbor 136.1.0.3 ttl-security hops 2
>>>  no auto-summary
>>>
>>> interface FastEthernet0/0
>>>  ip address 136.1.0.2 255.255.255.0
>>>  ip flow ingress
>>>  duplex auto
>>>  speed auto
>>>
>>> *Router B*
>>>
>>> router bgp 7
>>>  no synchronization
>>>  bgp log-neighbor-changes
>>>  neighbor 136.1.0.2 remote-as 4
>>>  neighbor 136.1.0.2 ttl-security hops 2
>>>
>>> interface FastEthernet0/0
>>>  ip address 136.1.0.3 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>
>>> With regards
>>> Kings
>>>
>>> On Fri, May 21, 2010 at 7:02 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> I made a typo. It should be:
>>>>
>>>> the receiving router expects the TTL equal or higher than
>>>> 255-<configured ttl-security value>.
>>>>
>>>> In your case ttl-security = 2
>>>>
>>>> sending router sends TTL=255
>>>> receiving router expects TTL >=253
>>>>
>>>> HTH,
>>>> Piotr
>>>>
>>>> 2010/5/21 Piotr Matusiak <[email protected]>
>>>>
>>>>> I described it when you use ebgp-multihop 2.
>>>>> If it comes to ttl-security the bgp packet will have TTL=255 and the
>>>>> receiving router expects the TTL equal or higher than the configured
>>>>> ttl-security value.
>>>>>
>>>>> If the receiving router sees TTL<253 it silently discards the packet.
>>>>>
>>>>> HTH,
>>>>> Piotr
>>>>>
>>>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>>>
>>>>>> Hi Piotr
>>>>>>
>>>>>> When we use ttl security, bgp sends ttl starting with 255, right? How
>>>>>> come it will be "2"?
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Fri, May 21, 2010 at 3:47 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>
>>>>>>> Kings,
>>>>>>>
>>>>>>> The packet sourced from the router will NOT decrement TTL, hence in
>>>>>>> this case the eBGP packet will be sourced with TTL=2. The receiving
>>>>>>> router will decrement TTL by 1 when receiving the packet and route it
>>>>>>> further to the loopback interface. The packet MUST have TTL>=1 to be
>>>>>>> accepted, as the general networking rule says: "drop packets with
>>>>>>> TTL=0 and send an ICMP error packet back".
>>>>>>>
>>>>>>> HTH,
>>>>>>> Piotr
>>>>>>>
>>>>>>> 2010/5/21 Kingsley Charles <[email protected]>
>>>>>>>
>>>>>>>> Hi Tyson
>>>>>>>>
>>>>>>>> Though a loopback, since the packet comes from the same router, will
>>>>>>>> the router decrement the ttl?
>>>>>>>>
>>>>>>>> Also, when it reaches the peer router, it goes to the control plane
>>>>>>>> directly, so ttl won't be decremented on the peer either. ttl will be
>>>>>>>> decremented only after the routing, right?
>>>>>>>>
>>>>>>>> Hence, if a ttl of 225 is sent from router A in the bgp packet to
>>>>>>>> the peer, it would still be 255.
>>>>>>>>
>>>>>>>> I think I am really missing something here.
>>>>>>>>
>>>>>>>> Can you please explain, with this configuration, what the ttl value
>>>>>>>> will be when the bgp packet reaches the peer and how it was arrived at?
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> On Thu, May 20, 2010 at 9:43 PM, Tyson Scott <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> With one, which is what it is by default, it would be 254.
>>>>>>>>> Remember loopbacks are 1 hop away so you need the ttl to be 2.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>>>>>>>> Technical Instructor - IPexpert, Inc.
>>>>>>>>> Mailto: [email protected]
>>>>>>>>> Telephone: +1.810.326.1444, ext. 208
>>>>>>>>> Live Assistance, Please visit: www.ipexpert.com/chat
>>>>>>>>> eFax: +1.810.454.0130
>>>>>>>>>
>>>>>>>>> IPexpert is a premier provider of Self-Study Workbooks, Video on
>>>>>>>>> Demand, Audio Tools, Online Hardware Rental and Classroom Training
>>>>>>>>> for the Cisco CCIE (R&S, Voice, Security & Service Provider)
>>>>>>>>> certification(s) with training locations throughout the United
>>>>>>>>> States, Europe, South Asia and Australia. Be sure to visit our online
>>>>>>>>> communities at www.ipexpert.com/communities and our public website at
>>>>>>>>> www.ipexpert.com
>>>>>>>>>
>>>>>>>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>>>>>>>>> *Sent:* Thursday, May 20, 2010 3:49 AM
>>>>>>>>> *To:* [email protected]
>>>>>>>>> *Subject:* [OSL | CCIE_Security] bgp with ttl security
>>>>>>>>>
>>>>>>>>> Hi all
>>>>>>>>>
>>>>>>>>> Router A and B are directly connected and the bgp are peered to
>>>>>>>>> loopbacks.
>>>>>>>>>
>>>>>>>>> To make it work, we need to configure *ebgp-multihop 2* on both
>>>>>>>>> sides.
>>>>>>>>>
>>>>>>>>> For me here it works with ttl-security hops 2.
>>>>>>>>>
>>>>>>>>> I thought it should work with ttl-security hops 1.
>>>>>>>>>
>>>>>>>>> With this configuration, what is the ttl value in the bgp packet
>>>>>>>>> sent to each other? Will it be 254 or 253?
>>>>>>>>>
>>>>>>>>> *router A*
>>>>>>>>>
>>>>>>>>> router bgp 4
>>>>>>>>>  no synchronization
>>>>>>>>>  bgp log-neighbor-changes
>>>>>>>>>  neighbor 150.1.3.3 remote-as 7
>>>>>>>>>  neighbor 150.1.3.3 ttl-security hops 2
>>>>>>>>>  neighbor 150.1.3.3 update-source Loopback0
>>>>>>>>>  no auto-summary
>>>>>>>>>
>>>>>>>>> interface FastEthernet0/0
>>>>>>>>>  ip address 136.1.0.2 255.255.255.0
>>>>>>>>>  ip flow ingress
>>>>>>>>>  duplex auto
>>>>>>>>>  speed auto
>>>>>>>>>
>>>>>>>>> interface Loopback0
>>>>>>>>>  ip address 150.1.2.2 255.255.255.0
>>>>>>>>>
>>>>>>>>> sh ip bgp neighbors o/p
>>>>>>>>>
>>>>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>>>>> Local host: 150.1.2.2, Local port: 49810
>>>>>>>>>
>>>>>>>>> *Router B*
>>>>>>>>>
>>>>>>>>> router bgp 7
>>>>>>>>>  no synchronization
>>>>>>>>>  bgp log-neighbor-changes
>>>>>>>>>  neighbor 150.1.2.2 remote-as 4
>>>>>>>>>  neighbor 150.1.2.2 ttl-security hops 2
>>>>>>>>>  neighbor 150.1.2.2 update-source Loopback0
>>>>>>>>>  no auto-summary
>>>>>>>>>
>>>>>>>>> interface FastEthernet0/0
>>>>>>>>>  ip address 136.1.0.3 255.255.255.0
>>>>>>>>>  duplex auto
>>>>>>>>>  speed auto
>>>>>>>>>
>>>>>>>>> interface Loopback0
>>>>>>>>>  ip address 150.1.3.3 255.255.255.0
>>>>>>>>>
>>>>>>>>> sh ip bgp neighbors o/p
>>>>>>>>>
>>>>>>>>> Connection state is ESTAB, I/O status: 1, unread input bytes: 0
>>>>>>>>> Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
>>>>>>>>> Local host: 150.1.3.3, Local port: 179
>>>>>>>>>
>>>>>>>>> *Snippet of netflow o/p on router A*
>>>>>>>>>
>>>>>>>>> Fa0/0 150.1.3.3 Local 150.1.2.2 06 C0 12 6
>>>>>>>>> 00B3 /0 0 E2FA /0 0 0.0.0.0 57 0.2
>>>>>>>>> *Min TTL: 255* Max TTL: 255
>>>>>>>>>
>>>>>>>>> The bgp peers are sending a ttl of 255. But then why is it working
>>>>>>>>> with "ttl-security hops 2" only and not with "ttl-security hops 1"?
>>>>>>>>>
>>>>>>>>> With regards
>>>>>>>>> Kings
>>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
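A small model of the two receive-side checks Piotr describes (the TTL check and the connected check, and which neighbor options relax each), added here as an illustration; it is not IOS code and not from anyone in the thread. It assumes, as the thread states, that the receiving router decrements the TTL once even for a directly connected peer, and all class, function and field names are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Neighbor:
    """Per-neighbor options discussed in the thread (hypothetical field names)."""
    ebgp_multihop: int = 0          # 0 = not configured, N = TTL the sender uses
    ttl_security_hops: int = 0      # 0 = not configured, N = accept TTL >= 255-N
    disable_connected_check: bool = False

def outbound_ttl(nb: Neighbor) -> int:
    """TTL the sending router puts on its eBGP packets, as the thread describes."""
    if nb.ttl_security_hops:
        return 255                  # ttl-security: always start at 255
    if nb.ebgp_multihop:
        return nb.ebgp_multihop     # ebgp-multihop N sets outbound TTL=N
    return 1                        # default: peer assumed directly connected

def ttl_check(nb: Neighbor, arriving_ttl: int) -> bool:
    """Check 1: TTL seen by the receiver after its own decrement."""
    if nb.ttl_security_hops:
        return arriving_ttl >= 255 - nb.ttl_security_hops
    return arriving_ttl >= 1        # TTL 0 is dropped by the general rule

def connected_check_applies(nb: Neighbor) -> bool:
    """Check 2 is skipped by ebgp-multihop, by ttl-security >= 2, or explicitly."""
    return not (nb.ebgp_multihop or nb.ttl_security_hops >= 2
                or nb.disable_connected_check)

def session_comes_up(nb: Neighbor, peer_ip: str, connected_subnets,
                     router_hops: int = 1) -> bool:
    # router_hops = decrements before the check; one for a directly connected
    # peer, per the thread (assumption carried over from Piotr's explanation).
    arriving = outbound_ttl(nb) - router_hops
    if not ttl_check(nb, arriving):
        return False
    if connected_check_applies(nb):
        return any(ip_address(peer_ip) in ip_network(s) for s in connected_subnets)
    return True

# Constructed scenario from the thread: loopback peer 150.1.3.3 over the 136.1.0.0/24 link.
LOOPBACK_PEER = "150.1.3.3"
CONNECTED = ["136.1.0.0/24"]

if __name__ == "__main__":
    for hops in (1, 2):
        nb = Neighbor(ttl_security_hops=hops)
        print(f"ttl-security hops {hops}: {session_comes_up(nb, LOOPBACK_PEER, CONNECTED)}")
    nb = Neighbor(ttl_security_hops=1, disable_connected_check=True)
    print(f"hops 1 + disable-connected-check: {session_comes_up(nb, LOOPBACK_PEER, CONNECTED)}")
```

Under this model the loopback session fails with "ttl-security hops 1" only because the connected check still applies, not because of the TTL value; Kingsley's later physical-interface test is not explained by it.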
