From: Lars L. Christensen (lars@perseus.dk)
Date: Sun Nov 04 2007 - 15:27:07 ART
Hi Lim
I believe this is a rather simple question to answer.
Your question has nothing at all to do with BGP TTL security check, but to do
with basic eBGP setup.
You should review the basics for interconnecting two different AS's with
eBGP. Then you'll probably find the reason for your setup not working.
A hint would be looking at TTL anyway.
Cheers,
Lars Christensen
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Toh Soon, Lim
> Sent: 4. november 2007 19:03
> To: ccielab@groupstudy.com
> Subject: Issue with BGP TTL Security Check
>
> Hi Group,
>
> Need help on this scenario.
>
> R9 is connected to R6 via a multilink. R9 has an eBGP peering with R6, both
> using their loopback addresses which are advertised in OSPF. R9 learns a BGP
> route from R6 but is not selecting it as best path, as follows:
>
> R9#sh ip bgp 200.0.0.7/32
> BGP routing table entry for 200.0.0.7/32, version 0
> Paths: (1 available, no best path)
> Not advertised to any peer
> 6 7
> 200.0.0.6 (inaccessible) from 200.0.0.6 (200.0.0.6)
> Origin IGP, localpref 100, valid, external
>
> R9#sh ip ro os
> 200.0.0.0/32 is subnetted, 2 subnets
> O 200.0.0.6 [110/2] via 150.50.6.6, 00:12:05, Multilink1
>
> R9#p 200.0.0.6
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 200.0.0.6, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>
> R9#sh run | s bgp
> router bgp 9
> no synchronization
> bgp router-id 200.0.0.9
> bgp log-neighbor-changes
> neighbor 200.0.0.6 remote-as 6
> neighbor 200.0.0.6 ttl-security hops 2 <-- R6 has the command "neighbor 200.0.0.9 ttl-security hops 2"
> neighbor 200.0.0.6 update-source Loopback0
> no auto-summary
>
> R9#sh ip b s
> Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
> 200.0.0.6 4 6 18 17 1 0 0 00:13:33 1
>
>
> Why is R9 complaining the next-hop 200.0.0.6 is inaccessible whereas in fact
> it is accessible? I suspect it has something to do with the command
> "neighbor 200.0.0.6 ebgp-multihop 2". Issue is resolved after I replaced
> this command with "neighbor 200.0.0.6 ebgp-multihop 255".
>
> Can't figure out why. Can anyone help?
>
>
> Thank you.
>
> B.Rgds,
> Lim TS
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART