From: Herbert Maosa (asawilunda@googlemail.com)
Date: Mon Nov 05 2007 - 07:02:33 ART
Lim,
Do you have multipaths to the eBGP peering loopback addresses by any chance?
Do you have exactly 2 hops between them? Does a traceroute give you
exactly 2 hops through each path (if you have multipaths)?
I am a little bit curious because your ebgp-multihop variant is specifying
255 as the number of hops, yet your ttl-security command is specifying 2 hops.
It would be fair to use the same number of hops for both command variants and
take it from there.
H.
On 11/4/07, Toh Soon, Lim <tohsoon28@gmail.com> wrote:
>
> Hi Lars,
>
> Thanks for your response.
>
> Yupp, I fully understand how to set up an eBGP peering session between
> loopback addresses. The "neighbor ebgp-multihop" command is used.
>
> In this case I'm required to configure TTL Security Check. I believe you
> know that the commands "neighbor ebgp-multihop" and "neighbor ttl-security
> hops" are mutually exclusive.
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch05/h_btsh.htm
>
> The BGP session is up anyway. It's just that R9 is not selecting the
> routes learned from R6 as best paths.
>
> When I removed the TTL security checks on both routers and configured the
> conventional eBGP multihop method, the issue is resolved.
>
> Any further thoughts? I guess I'm missing something here. Please enlighten.
>
>
> Thank you.
>
> B.Rgds,
> Lim TS
>
>
> On 11/5/07, Lars L. Christensen <lars@perseus.dk> wrote:
> >
> > Hi Lim
> >
> > I believe this is a rather simple question to answer.
> >
> > Your question has nothing at all to do with BGP TTL security check, but
> > to do with basic eBGP setup.
> >
> > You should review the basics for interconnecting two different AS's with
> > eBGP. Then you'll probably find the reason for your setup not working.
> >
> > A hint would be looking at TTL anyway.
> >
> > Cheers,
> > Lars Christensen
> >
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Toh Soon, Lim
> > > Sent: 4. november 2007 19:03
> > > To: ccielab@groupstudy.com
> > > Subject: Issue with BGP TTL Security Check
> > >
> > > Hi Group,
> > >
> > > Need help on this scenario.
> > >
> > > R9 is connected to R6 via a multilink. R9 has an eBGP peering with R6,
> > > both using their loopback addresses which are advertised in OSPF. R9
> > > learns a BGP route from R6 but is not selecting it as best path, as follows:
> > >
> > > R9#sh ip bgp 200.0.0.7/32
> > > BGP routing table entry for 200.0.0.7/32, version 0
> > > Paths: (1 available, no best path)
> > > Not advertised to any peer
> > > 6 7
> > > 200.0.0.6 (inaccessible) from 200.0.0.6 (200.0.0.6)
> > > Origin IGP, localpref 100, valid, external
> > >
> > > R9#sh ip ro os
> > > 200.0.0.0/32 is subnetted, 2 subnets
> > > O 200.0.0.6 [110/2] via 150.50.6.6, 00:12:05, Multilink1
> > >
> > > R9#p 200.0.0.6
> > >
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 200.0.0.6, timeout is 2 seconds:
> > > !!!!!
> > > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> > >
> > > R9#sh run | s bgp
> > > router bgp 9
> > > no synchronization
> > > bgp router-id 200.0.0.9
> > > bgp log-neighbor-changes
> > > neighbor 200.0.0.6 remote-as 6
> > > neighbor 200.0.0.6 ttl-security hops 2 <-- R6 has the command "neighbor 200.0.0.9 ttl-security hops 2"
> > > neighbor 200.0.0.6 update-source Loopback0
> > > no auto-summary
> > >
> > > R9#sh ip b s
> > > Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
> > > 200.0.0.6 4 6 18 17 1 0 0 00:13:33 1
> > >
> > >
> > > Why is R9 complaining the next-hop 200.0.0.6 is inaccessible whereas
> > > in fact it is accessible? I suspect it has something to do with the
> > > command "neighbor 200.0.0.6 ebgp-multihop 2". Issue is resolved after I
> > > replaced this command with "neighbor 200.0.0.6 ebgp-multihop 255".
> > >
> > > Can't figure out why. Can anyone help?
> > >
> > >
> > > Thank you.
> > >
> > > B.Rgds,
> > > Lim TS
> > >
> > >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:28 ART
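
An added example, not part of the original thread or of Cisco's documentation: a small Python model of the TTL arithmetic behind the two commands compared above. It assumes a ttl-security sender originates BGP packets with TTL 255 and the receiver accepts an arrival TTL of at least 255 minus the configured hops (RFC 5082 behaviour), that "ebgp-multihop N" sets the outgoing TTL to N, and that the path between adjacent routers costs one decrement; the scenarios are constructed and cover TTL only, not next-hop resolution.

```python
from dataclasses import dataclass

MAX_TTL = 255  # a ttl-security (GTSM) sender originates BGP packets with TTL 255

def min_accepted_ttl(hops: int) -> int:
    """Lowest arrival TTL accepted by a receiver with `ttl-security hops <hops>`."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be in 1..254")
    return MAX_TTL - hops

def originated_ttl(mode: str, value: int) -> int:
    """TTL placed in outgoing BGP packets for each configuration variant."""
    if mode == "ttl-security":   # the hop count only affects the receive check
        return MAX_TTL
    if mode == "ebgp-multihop":  # the argument is the outgoing TTL itself
        return value
    raise ValueError(f"unknown mode {mode!r}")

@dataclass
class Case:
    name: str
    sender_mode: str
    sender_value: int
    decrements: int      # TTL decrements along the path (model assumption)
    receiver_hops: int   # receiver's `ttl-security hops` value

def accepted(c: Case) -> bool:
    """True if the packet survives the path and passes the receiver's TTL check."""
    arrival = originated_ttl(c.sender_mode, c.sender_value) - c.decrements
    return arrival > 0 and arrival >= min_accepted_ttl(c.receiver_hops)

# Constructed scenarios using the values quoted in the thread (2 and 255).
CASES = [
    Case("both sides ttl-security hops 2, adjacent routers", "ttl-security", 2, 1, 2),
    Case("sender still on ebgp-multihop 2", "ebgp-multihop", 2, 1, 2),
    Case("sender still on ebgp-multihop 255", "ebgp-multihop", 255, 1, 2),
    Case("packet originated 5 routers away with TTL 255", "ttl-security", 2, 5, 2),
]

def evaluate() -> dict:
    """Map each scenario name to the receiver's accept/drop decision."""
    return {c.name: accepted(c) for c in CASES}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{'accept' if ok else 'drop  '}  {name}")
```

The numbers given to the two commands are not on the same scale in this model: 2 under ttl-security is a distance limit measured down from 255, while 2 under ebgp-multihop is the starting TTL of the packet.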