The only reason I have ever seen "*neighbor disable-connected-check*" used
is to stop a "man in the middle" scenario that is a vulnerability with ebgp
multihop.
The scenario would be to configure peering between the loopbacks of R1 and
R2. Then, instead of using ebgp multihop, use *neighbor
disable-connected-check*. This would leave the TTL at 1 but allow updates
to be exchanged. In the event of a failure between the directly connected
R1 and R2 path, eBGP could not establish a connection over R3 because a TTL
= 1 would be decremented and dropped by R3, which would prevent an alternate
path peering and a potential packet capture at R3. The default for ebgp
multihop sets the TTL to 255. If ebgp multihop set the TTL to 2, it is
still possible to peer via R3 if one side uses ebgp multihop and the other
uses disable-connected-check.
      R3
     /  \
 -R1 --- R2-
Another method would be to use the "neighbor ttl-security hops" command
which is now the recommended configuration I believe.
TTL-security is designed primarily to stop DoS attacks against a BGP router by
setting the source address to the same address as a known peer and hammering an
internet router with BGP sync requests. If the command "neigh ttl-security
hops 254" is used, any arriving BGP session request with a TTL of less than
254 is immediately discarded and therefore helps mitigate the DoS potential.
I think the most likely scenario in a CCIE setting would be to see some
question that asked to configure a multihop scenario without using one of
these three methods. Since ebgp multihop would be the most commonly used
method, I would be familiar with both disable connected and ttl-security
variations.
Chris Grammer
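The three variants Chris describes, written out as an added example and not as configuration from the thread; it assumes R1 in AS 65001 with Loopback0 10.0.0.1, R2 in AS 65002 with Loopback0 10.0.0.2, and a direct R1-R2 link whose next hop from R1 is 192.0.2.2 (R3 hangs off a second interface).

```cisco
! Added example, not configuration from the thread. R1 side only; R2
! mirrors it with the addresses swapped. Assumed values: AS 65001/65002,
! R1 Loopback0 10.0.0.1, R2 Loopback0 10.0.0.2, R1-R2 link next hop
! 192.0.2.2. Exactly ONE of the three neighbor lines marked A/B/C is
! applied at a time; they are alternatives, not a cumulative list.
!
! Pin the peer loopback to the direct link so the route, and not only
! the TTL, refuses to carry the session over R3 if the link fails.
ip route 10.0.0.2 255.255.255.255 192.0.2.2
!
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 update-source Loopback0
 !
 ! A) ebgp-multihop: sent TTL becomes 255 (255 is also the default when
 !    no count is given) and the received TTL is not checked. If the
 !    direct link fails and a path via R3 exists, the SYN still arrives
 !    with TTL 254 and the session re-forms over R3, which is the
 !    exposure Chris describes.
 neighbor 10.0.0.2 ebgp-multihop 255
 !
 ! B) disable-connected-check: sent TTL stays at 1; only the check that
 !    the peer address lies on a connected subnet is skipped. R3 would
 !    decrement the TTL to 0 and discard the packet, so the session can
 !    form over the direct link only.
 neighbor 10.0.0.2 disable-connected-check
 !
 ! C) ttl-security (GTSM, RFC 5082): sent TTL is 255 and a received TTL
 !    below 255 - hops is dropped, so hops 1 accepts TTL 254 or 255.
 !    This discards spoofed sessions that crossed two or more routers,
 !    the DoS case, but a packet relayed by R3 alone still arrives with
 !    TTL 254 and passes. IOS rejects this line together with A.
 neighbor 10.0.0.2 ttl-security hops 1
```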
On Mon, Aug 9, 2010 at 11:05 AM, Walter Gibbons <wgibbons_at_gmail.com> wrote:
> All, I've read the DocCD on both ebgp-multihop and
> disable-connected-check and am failing to see the difference between
> the two commands in overcoming TTL limitation when forming ebgp peers.
> What am I missing?
>
> DocCD Says:
>
> neighbor disable-connected-check:
> To disable connection verification to establish an eBGP peering
> session with a single-hop peer that uses a loopback interface, use the
> neighbor disable-connected-check command in address family or router
> configuration mode.
>
> neighbor ebgp-multihop:
> To accept and attempt BGP connections to external peers residing on
> networks that are not directly connected, use the neighbor
> ebgp-multihop command in router configuration mode.
Blogs and organic groups at http://www.ccie.net
Received on Mon Aug 09 2010 - 17:14:34 ART
This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 11:20:52 ART