From: Toh Soon, Lim (tohsoon28@gmail.com)
Date: Sun Nov 04 2007 - 16:14:04 ART
Hi Lars,
Thanks for your response.
Yupp, I fully understand how to set up an eBGP peering session between
loopback addresses. The "neighbor ebgp-multihop" command is used.
In this case I'm required to configure TTL Security Check. I believe you
know that the commands "neighbor ebgp-multihop" and "neighbor ttl-security
hops" are mutually exclusive.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch05/h_btsh.htm
The BGP session is up anyway. It's just that R9 is not selecting the routes
learned from R6 as best paths.
When I removed the TTL security checks on both routers and configured the
conventional eBGP multihop method, the issue is resolved.
Any further thoughts? I guess I'm missing something here. Please enlighten.
Thank you.
B.Rgds,
Lim TS
On 11/5/07, Lars L. Christensen <lars@perseus.dk> wrote:
>
> Hi Lim
>
> I believe this is a rather simple question to answer.
>
> Your question has nothing at all to do with BGP TTL security check, but to do
> with basic eBGP setup.
>
> You should review the basics for interconnecting two different AS's with
> eBGP. Then you'll probably find the reason for your setup not working.
>
> A hint would be looking at TTL anyway.
>
> Cheers,
> Lars Christensen
>
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Toh Soon, Lim
> > Sent: 4. november 2007 19:03
> > To: ccielab@groupstudy.com
> > Subject: Issue with BGP TTL Security Check
> >
> > Hi Group,
> >
> > Need help on this scenario.
> >
> > R9 is connected to R6 via a multilink. R9 has an eBGP peering with R6, both
> > using their loopback addresses which are advertised in OSPF. R9 learns a BGP
> > route from R6 but is not selecting it as best path, as follows:
> >
> > R9#sh ip bgp 200.0.0.7/32
> > BGP routing table entry for 200.0.0.7/32, version 0
> > Paths: (1 available, no best path)
> > Not advertised to any peer
> > 6 7
> > 200.0.0.6 (inaccessible) from 200.0.0.6 (200.0.0.6)
> > Origin IGP, localpref 100, valid, external
> >
> > R9#sh ip ro os
> > 200.0.0.0/32 is subnetted, 2 subnets
> > O 200.0.0.6 [110/2] via 150.50.6.6, 00:12:05, Multilink1
> >
> > R9#p 200.0.0.6
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 200.0.0.6, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> >
> > R9#sh run | s bgp
> > router bgp 9
> > no synchronization
> > bgp router-id 200.0.0.9
> > bgp log-neighbor-changes
> > neighbor 200.0.0.6 remote-as 6
> > neighbor 200.0.0.6 ttl-security hops 2 <-- R6 has the command "neighbor 200.0.0.9 ttl-security hops 2"
> > neighbor 200.0.0.6 update-source Loopback0
> > no auto-summary
> >
> > R9#sh ip b s
> > Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
> > 200.0.0.6 4 6 18 17 1 0 0 00:13:33 1
> >
> >
> > Why is R9 complaining the next-hop 200.0.0.6 is inaccessible whereas in fact
> > it is accessible? I suspect it has something to do with the command
> > "neighbor 200.0.0.6 ebgp-multihop 2". Issue is resolved after I replaced
> > this command with "neighbor 200.0.0.6 ebgp-multihop 255".
> >
> > Can't figure out why. Can anyone help?
> >
> >
> > Thank you.
> >
> > B.Rgds,
> > Lim TS
> >