Kings, I'm not sure if I get you right. Do you want to have ttl-security = 1 and configure eBGP peers on loopbacks?

You can configure it this way but it simply does not work because there are "two" checks that all eBGP sessions have:
-- TTL is set to "1" on both sides AND
-- the "peer" must be directly connected

When loopbacks are used, it is the second test that fails since the loopback address of the peer is not part of a "C" (Connected) subnet. There is ONLY "1" TTL decrement done on the packet.... NOT 2.

The way people always got around this in the past was to use "ebgp-multihop 2" -- which "disables" the connected check. This opens a (small) security hole, so Cisco added the "disable-connected-check" command which permits eBGP between loopbacks + the default TTL=1 setting... and closes the diameter of attacks.

Try this:

router bgp 1
 nei 2.2.2.2 remote 2
 nei 2.2.2.2 up lo0
 nei 2.2.2.2 disable-conn

Regards,
Piotr

2011/5/11 Kingsley Charles <[email protected]>
> Hi Piotr/all
>
> Waiting for your inputs :-)
>
> With regards
> Kings
>
> On Tue, May 10, 2011 at 4:58 PM, Kingsley Charles <[email protected]> wrote:
>
>> Hi Piotr
>>
>> I labbed it out many times and observed the following:
>>
>> With the above given case which has one router in between, "neighbor X.X.X.X ttl-security hops 2" is required or "neighbor X.X.X.X ebgp-multihop 2".
>>
>> With the same setup, if I use loopback interfaces as the source address, it requires "neighbor X.X.X.X ttl-security hops 2" or "neighbor X.X.X.X ebgp-multihop 2". Even when we use loopback interfaces, the hops are the same as the loopback is still on the same router. Hence hops 2 is also required here.
>>
>> Earlier my understanding was that the TTL is decremented after the routing process when the packet lands on the "Forwarding Interface". If the TTL is "0", the ICMP time exceeded is sent back where the ingress interface's IP address is used as the source address for the ICMP packet.
>>
>> Having said this, BGP seems to be specially handled by IOS where it decrements TTL though it is going to the control plane and not to any forwarding interface.
>>
>> With regards
>> Kings
>>
>> On Tue, May 10, 2011 at 4:40 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Hi Kings,
>>>
>>> The TTL is decreased by 1 on every routed hop. If it is decreased on the inside interface that would mean R3 sees 253. I think R3 will see 254 - assuming you're not using loopbacks.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/5/10 Kingsley Charles <[email protected]>
>>>
>>>> Hi all
>>>>
>>>> When a router receives a packet, will the TTL be decremented on the ingress interface or the egress interface while exiting? I am raising this question due to the following case.
>>>>
>>>> R1 ---------- R2 ------------- R3
>>>>
>>>> R1 and R3 are EBGP peers and we should configure hops as "2" with BGP ttl security as follows:
>>>>
>>>> neighbor X.X.X.X ttl-security hops 2
>>>>
>>>> Here R2 is the only router in between which reduces the TTL. If hops is "2", the received TTL should be either 253 or above. Hence, it means the TTL is decremented on the ingress interface, right?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
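The two eBGP checks Piotr describes (TTL 1 plus the connected check), the ebgp-multihop / disable-connected-check workarounds, and the ttl-security arithmetic from Kings's lab, written up as an added Python model; this is not code from the thread or from IOS. It assumes the GTSM rule "accept if received TTL >= 255 - hops", assumes both peers use the same neighbor config, and leaves the thread's open question, whether the receiving router decrements once more before BGP sees the packet, as a flag so both outcomes can be compared.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class NeighborConfig:
    """Subset of the 'neighbor X.X.X.X ...' knobs discussed in the thread."""
    ebgp_multihop: Optional[int] = None      # neighbor X ebgp-multihop N
    disable_connected_check: bool = False    # neighbor X disable-connected-check
    ttl_security_hops: Optional[int] = None  # neighbor X ttl-security hops N


def sent_ttl(cfg: NeighborConfig) -> int:
    """TTL the local router puts on its outgoing eBGP packets."""
    if cfg.ttl_security_hops is not None:
        return 255                  # GTSM: always send the maximum TTL
    if cfg.ebgp_multihop is not None:
        return cfg.ebgp_multihop    # multihop N sends TTL N
    return 1                        # default eBGP


def path_ttl(sent: int, transit_routers: int, receiver_decrements: bool) -> Optional[int]:
    """TTL the peer's BGP process sees, or None if a transit router expired it.
    A transit router drops the packet when the decremented TTL would reach 0.
    receiver_decrements is an assumption modelling Kings's lab observation that
    IOS decrements once more before the control plane sees the packet."""
    if sent - transit_routers < 1:
        return None
    return sent - transit_routers - (1 if receiver_decrements else 0)


def session_accepted(cfg: NeighborConfig, peer_is_connected: bool,
                     transit_routers: int, receiver_decrements: bool = False) -> bool:
    """Apply the receiving router's checks to an incoming eBGP packet."""
    ttl = path_ttl(sent_ttl(cfg), transit_routers, receiver_decrements)
    if ttl is None:
        return False
    if cfg.ttl_security_hops is not None:
        # GTSM: a sender further away than 'hops' cannot present a high enough TTL,
        # which is the "diameter of attacks" Piotr refers to.
        return ttl >= 255 - cfg.ttl_security_hops
    # Classic eBGP: the peer must sit in a connected subnet unless multihop or
    # disable-connected-check switched that second check off.
    connected_check = cfg.ebgp_multihop is None and not cfg.disable_connected_check
    return peer_is_connected or not connected_check


if __name__ == "__main__":
    print("loopbacks, default config:", session_accepted(NeighborConfig(), False, 0))
    print("loopbacks, disable-connected-check:", session_accepted(NeighborConfig(disable_connected_check=True), False, 0))
    for hops in (1, 2):
        for rd in (False, True):
            ok = session_accepted(NeighborConfig(ttl_security_hops=hops), False, 1, receiver_decrements=rd)
            print(f"R1-R2-R3, ttl-security hops {hops}, receiver decrements={rd}: {ok}")
```

Running it shows that hops 1 suffices across R2 only under Piotr's "R3 sees 254" model, while Kings's observed need for hops 2 matches the receiver-decrements variant.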
