I think that sending traffic between a loopback and the router's CPU is not considered routing.
2011/5/11 Kingsley Charles <[email protected]>
> Hi Piotr
>
> Thanks, that was the answer I was expecting. So the BGP packet's TTL is
> decremented before reaching the BGP code and hence the BGP Control Plane is
> considered as one hop, right?
>
> And on my next query, when we use a loopback interface as the source, then we
> do not add one more hop, do we?
>
> L0 R1 ---------------- R2 ------------------- R3 L0
>
> R1 and R3 are BGP peers and they are using L0 as the source. If we need to
> configure ttl security, then "neighbor X.X.X.X ttl-security hops 2" is
> required.
> Even for this we should have 2 hops, not 3 (considering the loopback interface as
> another hop). Hence for both cases, with R1 and R3 as BGP peers,
> irrespective of whether they use a physical or loopback interface, neighbor
> X.X.X.X ttl-security should be configured with 2 hops.
>
> L0 R1 ---------------- R2 ------------------- R3 L0
> R1 ---------------- R2 ------------------- R3
>
> With regards
> Kings
>
> On Wed, May 11, 2011 at 2:30 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Hi Kings,
>>
>> Yes, the issue you observe is a feature, not a bug :)
>> Basically, GTSM is a software feature (most likely on lower platforms) and
>> the BGP code is checked very late in the path. So the BGP code checks the TTL
>> value after the TCP code, where the MD5 checksum is verified and the TTL is decremented.
>>
>> GTSM was designed mainly for directly connected hops and it has some
>> issues with multi-hop environments.
>>
>> Regards,
>> Piotr
>>
>> 2011/5/11 Kingsley Charles <[email protected]>
>>
>>> Hi Piotr
>>>
>>> I am not referring to directly connected BGP peers.
>>>
>>> I have two routers (R1 and R3) establishing a BGP connection with a
>>> router in between. For a successful BGP peering either we need to configure
>>> "neighbor X.X.X.X ttl-security hops 2" or "neighbor X.X.X.X ebgp-multihop 2". Hence 2
>>> hops are required.
>>>
>>> R1 ---------- R2 ------------- R3
>>>
>>> As a general statement, the TTL is decremented after the routing process
>>> when the packets come to the exit interface.
>>>
>>> Actually speaking, it is only "1" hop between R1 and R3, right? It is "2"
>>> hops only if the packets from R1 transit R3. Now with BGP, the packets
>>> go to the RP directly and don't transit, but IOS expects 2 hops for
>>> ebgp-multihop or ttl-security. So my question is: when is the TTL decremented
>>> for the BGP packets?
>>>
>>> With regards
>>> Kings
>>>
>>> On Wed, May 11, 2011 at 1:00 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Kings,
>>>>
>>>> I'm not sure if I get you right. Do you want to have ttl-security = 1
>>>> and configure eBGP peers on loopbacks?
>>>>
>>>> You can configure it this way but it simply does not work because there
>>>> are "two" checks that all eBGP sessions have:
>>>> -- TTL is set to "1" on both sides
>>>> AND
>>>> -- the "peer" must be directly connected
>>>>
>>>> When loopbacks are used, it is the second test that fails since the
>>>> loopback address of the peer is not within a "C" (Connected) subnet.
>>>> There is ONLY "1" TTL decrement done on the packet.... NOT 2.
>>>>
>>>> The way people always got around this in the past was to use
>>>> "ebgp-multihop 2" -- which "disables" the connected check. This opens a
>>>> (small) security hole, so Cisco added the "disable-connected-check" command
>>>> which permits eBGP between loopbacks + the default TTL=1 setting... and
>>>> closes the diameter of attacks.
>>>>
>>>> Try this:
>>>>
>>>> router bgp 1
>>>>  nei 2.2.2.2 remote 2
>>>>  nei 2.2.2.2 up lo0
>>>>  nei 2.2.2.2 disable-conn
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/5/11 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi Piotr/all
>>>>>
>>>>> Waiting for your inputs :-)
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Tue, May 10, 2011 at 4:58 PM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> Hi Piotr
>>>>>>
>>>>>> I labbed it out many times and observed the following:
>>>>>>
>>>>>> With the above given case, which has one router in between, "neighbor
>>>>>> X.X.X.X ttl-security hops 2" is required or "neighbor X.X.X.X
>>>>>> ebgp-multihop 2".
>>>>>>
>>>>>> With the same setup, if I use loopback interfaces as the source address,
>>>>>> it requires "neighbor X.X.X.X ttl-security hops 2" or
>>>>>> "neighbor X.X.X.X ebgp-multihop 2". Even when we use a loopback interface,
>>>>>> the hop count is the same, as the loopback is still on the same router. Hence hops 2 is
>>>>>> also required here.
>>>>>>
>>>>>> Earlier my understanding was that the TTL is decremented after the routing
>>>>>> process when the packet lands on the "Forwarding Interface". If the TTL is
>>>>>> "0", the ICMP time exceeded is sent back, where the ingress interface's IP
>>>>>> address is used as the source address for the ICMP packet.
>>>>>>
>>>>>> That said, BGP seems to be specially handled by IOS, where it
>>>>>> decrements the TTL though it is going to the control plane and not to any
>>>>>> forwarding interface.
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Tue, May 10, 2011 at 4:40 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Kings,
>>>>>>>
>>>>>>> The TTL is decreased by 1 on every routed hop. If it is decreased on the
>>>>>>> inside interface that would mean R3 sees 253. I think R3 will
>>>>>>> see 254 - assuming you're not using loopbacks.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Piotr
>>>>>>>
>>>>>>> 2011/5/10 Kingsley Charles <[email protected]>
>>>>>>>
>>>>>>>> Hi all
>>>>>>>>
>>>>>>>> When a router receives a packet, will the TTL be decremented on the
>>>>>>>> ingress interface or on the egress interface while exiting? I am raising this
>>>>>>>> question due to the following case.
>>>>>>>>
>>>>>>>> R1 ---------- R2 ------------- R3
>>>>>>>>
>>>>>>>> R1 and R3 are EBGP peers and we should configure hops as "2" with
>>>>>>>> BGP ttl security as follows:
>>>>>>>>
>>>>>>>> neighbor X.X.X.X ttl-security hops 2
>>>>>>>>
>>>>>>>> Here R2 is the only router in between which reduces the TTL. If
>>>>>>>> hops is "2", the received TTL should be either 253 or above. Hence, it
>>>>>>>> means the TTL is decremented on the ingress interface, right?
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
>>>>>>>>
>>>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>>>> www.PlatinumPlacement.com
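The TTL arithmetic the thread settles on, as an added model that is not code from the thread or from Cisco: it assumes the IOS behaviour Piotr describes (one decrement per transit router, plus one local decrement before the BGP code sees the packet) and the R1--R2--R3 topology from the discussion; hop counts and TTL values are constructed.

```python
"""Model of "ttl-security hops N" and "ebgp-multihop N" for the thread's
R1--R2--R3 topology. Added example (not from the thread or Cisco); it
assumes one TTL decrement per transit router plus one decrement on the
receiving router before the BGP code checks the value, as described above."""

MAX_TTL = 255


def ttl_seen_by_bgp(transit_routers: int, sent_ttl: int = MAX_TTL) -> int:
    """TTL the receiving router's BGP code sees.

    transit_routers: routers between the peers (1 for R1--R2--R3).
    Sourcing the session from a loopback adds no hop: loopback-to-CPU
    delivery is not a routed hop. The receiver's own IP/TCP path
    decrements once more before the BGP check, so one transit router
    leaves 253 at the BGP code, not 254 (assumed IOS behaviour).
    """
    return max(sent_ttl - transit_routers - 1, 0)


def gtsm_accepts(ttl_seen: int, hops: int) -> bool:
    """GTSM (RFC 5082) check: accept only if TTL >= 255 - hops."""
    return ttl_seen >= MAX_TTL - hops


def minimum_ttl_security_hops(transit_routers: int) -> int:
    """Smallest "ttl-security hops N" value under which the session comes up."""
    return MAX_TTL - ttl_seen_by_bgp(transit_routers)


def multihop_packet_arrives(transit_routers: int, multihop: int) -> bool:
    """"ebgp-multihop N" sends with TTL=N; each transit router decrements
    and drops the packet when the TTL reaches 0, so N must exceed the
    number of transit routers."""
    return multihop - transit_routers >= 1


def default_ebgp_allowed(directly_connected: bool, sent_ttl: int,
                         disable_connected_check: bool = False) -> bool:
    """The two checks Piotr lists for a plain eBGP session: sent TTL must
    be 1 and the peer must be on a connected subnet. "disable-connected-check"
    waives only the second, which is what loopback peering between directly
    connected routers needs without widening the TTL."""
    return sent_ttl == 1 and (directly_connected or disable_connected_check)
```

Running `minimum_ttl_security_hops(1)` reproduces the thread's lab result: one router in between needs `hops 2`, with or without loopback sourcing.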
