Re: BGP - multihop & ttl security

From: shiran guez <shiranp3_at_gmail.com>
Date: Tue, 7 Sep 2010 06:16:36 +0300

correction to what I said about ttl-security

with ttl-security the router tests *incoming* packets to see how many hops
away they are and if they are *below* the ttl you specified it will not
establish a neighbor relation with them.

meaning that if you have set ttl-security to 4 the router will accept only TTL
<= 251 (255 - 4)

On Tue, Sep 7, 2010 at 4:51 AM, shiran guez <shiranp3_at_gmail.com> wrote:

> ttl-security is essentially the opposite of the ebgp-multihop. To establish
> an ebgp neighbor you need to be directly connected; if you are either
> several hops away or if you utilize a virtual interface such as the
> loopback you must use the ebgp-multihop to allow your router to send a packet
> out with a greater TTL, by doing so allowing the packet to reach
> the desired neighbor.
>
> with ttl-security the router tests *incoming* packets to see how many hops
> away they are and if they are above the ttl you specified it will not
> establish a neighbor relation with them.
>
> So as you can see when you enabled ttl-security you simply prevented
> your router from establishing a neighbor relation.
>
> On Mon, Sep 6, 2010 at 11:45 PM, Edward John <
> edwardjohn2020_at_googlemail.com> wrote:
>
>> Hi,
>>
>> Is there a relation between TTL-security on a bgp neighbor and
>> route-selection from the BGP table?
>> I have an eBGP peering (based on loopback source, where loopback
>> reachability is using IGP-ISIS).
>>
>> If I configure ebgp-multihop I see the routes are chosen as best from the BGP
>> table. And if I configure ttl-security the routes are not chosen and are shown
>> with the nexthop inaccessible?
>> In both cases the peer is coming up.
>>
>> Setup is as follows:
>>
>> PE1 - ASBR1
>>
>> ***********PE1 Config**************
>>
>> hostname PE1
>> !
>> !
>> key chain ISIS
>> key 1
>> key-string CISCO
>> !
>> interface Loopback0
>> ip address 10.1.1.1 255.255.255.255
>> ip pim sparse-dense-mode
>> no clns route-cache
>> !
>> interface Loopback1
>> ip address 11.11.11.11 255.255.255.0
>> no clns route-cache
>> !
>> !
>> interface Serial2/0
>> dampening 25 500 100 100 restart 120
>> mtu 17000
>> no ip address
>> encapsulation frame-relay
>> no keepalive
>> serial restart-delay 0
>> no frame-relay inverse-arp
>> !
>> interface Serial2/0.100 multipoint
>> ip address 172.16.111.1 255.255.255.0
>> ip router isis
>> frame-relay map ip 172.16.111.2 100 broadcast
>> frame-relay map ip 172.16.111.1 100
>> frame-relay map clns 100 broadcast
>> frame-relay interface-dlci 100
>> no frame-relay inverse-arp
>> clns mtu 9216
>> isis circuit-type level-2-only
>> isis authentication mode md5 level-2
>> isis authentication key-chain ISIS level-2
>> isis hello-interval 58 level-2
>> !
>> !
>> router isis
>> net 48.0000.0002.0002.00
>> area-password iementor
>> authentication mode md5 level-2
>> authentication key-chain ISIS level-2
>> metric-style wide
>> no hello padding multi-point
>> redistribute isis ip level-2 into level-1 distribute-list 100
>> passive-interface Loopback0
>> default-information originate
>> !
>> !
>> router bgp 65001
>> bgp router-id 10.1.1.1
>> no bgp fast-external-fallover
>> bgp log-neighbor-changes
>> neighbor 10.1.1.100 remote-as 100
>> neighbor 10.1.1.100 ebgp-multihop 2
>> neighbor 10.1.1.100 update-source Loopback0
>> neighbor 10.1.1.254 remote-as 65001
>> neighbor 10.1.1.254 update-source Loopback0
>> !
>> address-family ipv4
>> neighbor 10.1.1.100 activate
>> neighbor 10.1.1.254 activate
>> neighbor 140.100.1.2 activate
>> neighbor 140.100.1.2 filter-list 10 out
>> no auto-summary
>> no synchronization
>> network 11.11.11.0 mask 255.255.255.0
>> exit-address-family
>> !
>> !
>> ip as-path access-list 10 permit ^$
>> !
>> access-list 100 permit ip any any
>> !
>> !
>>
>> PE1#show ip bgp | include 10.1.1.100
>> *> 0.0.0.0 10.1.1.100 0 100 200 i
>> *> 101.101.101.0/24 10.1.1.100 0 0 100 i
>> r> 172.16.111.0/24 10.1.1.100 0 0 100 i
>> *> 172.16.113.0/24 10.1.1.100 0 100 200 i
>> PE1#
>>
>>
>> ***********ASBR1 Config****************
>> hostname ASBR1
>> !
>>
>> key chain ISIS
>> key 1
>> key-string CISCO
>> !
>> !
>> interface Serial1/2
>> mtu 9216
>> ip address 172.16.111.2 255.255.255.0
>> ip router isis
>> encapsulation frame-relay
>> no keepalive
>> serial restart-delay 0
>> no arp frame-relay
>> frame-relay map ip 172.16.111.1 100 broadcast
>> frame-relay map ip 172.16.111.2 100 broadcast
>> frame-relay map clns 100 broadcast
>> frame-relay interface-dlci 100
>> no frame-relay inverse-arp
>> isis circuit-type level-2-only
>> isis authentication mode md5 level-2
>> isis authentication key-chain ISIS level-2
>> isis hello-interval 58 level-2
>> no isis hello padding
>> !
>> !
>> router isis
>> net 48.0000.0100.0100.00
>> authentication mode md5 level-2
>> authentication key-chain ISIS level-2
>> metric-style wide
>> max-lsp-lifetime 120
>> lsp-refresh-interval 60
>> log-adjacency-changes
>> passive-interface Loopback0
>> !
>> router bgp 100
>> no synchronization
>> bgp router-id 10.1.1.100
>> bgp log-neighbor-changes
>> network 101.101.101.0 mask 255.255.255.0
>> network 172.16.111.0 mask 255.255.255.0
>> neighbor 10.1.1.1 remote-as 65001
>> neighbor 10.1.1.1 ebgp-multihop 2
>> neighbor 10.1.1.1 update-source Loopback0
>> neighbor 10.1.1.200 remote-as 200
>> neighbor 10.1.1.200 disable-connected-check
>> neighbor 10.1.1.200 update-source Loopback0
>> neighbor 10.1.1.200 route-map PREPEND out
>> no auto-summary
>> !
>> !
>> route-map PREPEND permit 10
>> set as-path prepend 65535
>> !
>>
>>
>> IF I change to ttl-security instead of ebgp-multihop for the peer between
>> 10.1.1.100 & 10.1.1.1:
>>
>>
>> *********FROM PE1*********
>> router bgp 65001
>> bgp router-id 10.1.1.1
>> no bgp fast-external-fallover
>> bgp log-neighbor-changes
>> neighbor 10.1.1.100 remote-as 100
>> neighbor 10.1.1.100 ttl-security hops 2
>> neighbor 10.1.1.100 update-source Loopback0
>> neighbor 10.1.1.254 remote-as 65001
>> neighbor 10.1.1.254 update-source Loopback0
>>
>> ***********FROM ASBR1**********
>> !
>> router bgp 100
>> no synchronization
>> bgp router-id 10.1.1.100
>> bgp log-neighbor-changes
>> network 101.101.101.0 mask 255.255.255.0
>> network 172.16.111.0 mask 255.255.255.0
>> neighbor 10.1.1.1 remote-as 65001
>> neighbor 10.1.1.1 ttl-security hops 2
>> neighbor 10.1.1.1 update-source Loopback0
>> !
>> PE1#show ip bgp summary
>> BGP router identifier 10.1.1.1, local AS number 65001
>> BGP table version is 33, main routing table version 33
>> 26 network entries using 2938 bytes of memory
>> 26 path entries using 1352 bytes of memory
>> 13/10 BGP path/bestpath attribute entries using 1404 bytes of memory
>> 2 BGP rrinfo entries using 48 bytes of memory
>> 5 BGP AS-PATH entries using 120 bytes of memory
>> 0 BGP route-map cache entries using 0 bytes of memory
>> 10 BGP filter-list cache entries using 120 bytes of memory
>> BGP using 5982 total bytes of memory
>> BGP activity 156/130 prefixes, 177/151 paths, scan interval 60 secs
>>
>> Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
>> 10.1.1.100 4 100 342 367 33 0 0 00:02:30 4
>> 10.1.1.254 4 65001 326 277 33 0 0 00:22:29 12
>> 140.100.1.2 4 1540 281 316 33 0 0 00:22:29 9
>> PE1#show ip bgp | include 10.1.1.100
>> * 0.0.0.0 10.1.1.100 0 100 200 i
>> * 101.101.101.0/24 10.1.1.100 0 0 100 i
>> * 172.16.111.0/24 10.1.1.100 0 0 100 i
>> * 172.16.113.0/24 10.1.1.100 0 100 200 i
>>
>> PE1#show ip bgp 101.101.101.0
>> BGP routing table entry for 101.101.101.0/24, version 0
>> Paths: (1 available, no best path)
>> Not advertised to any peer
>> 100
>> 10.1.1.100 (inaccessible) from 10.1.1.100 (10.1.1.100)
>> Origin IGP, metric 0, localpref 100, valid, external
>>
>>
>> --
>>
>> Regards,
>> John
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3
>

-- 
Shiran Guez
MCSE CCNP NCE1 JNCIA-ER CCIE #20572
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3
http://twitter.com/cciep3
Received on Tue Sep 07 2010 - 06:16:36 ART
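The GTSM behaviour discussed in this thread, as an added illustration written here (not code from any of the posters): the receive-side check that `ttl-security hops H` applies (accept only packets arriving with TTL >= 255 - H, while the router itself sends TTL 255) beside the send-side effect of `ebgp-multihop N` (send with TTL N), simulated for the PE1/ASBR1 peering. Hop counts and the config dictionaries are constructed for the example; IOS semantics are assumed as described in the thread and RFC 5082.

```python
"""GTSM (RFC 5082) receive check versus ebgp-multihop send TTL, applied to the
PE1 <-> ASBR1 loopback peering from the thread. Constructed example."""

MAX_TTL = 255


def sent_ttl(ebgp_multihop=None, ttl_security_hops=None):
    """TTL a router places on packets to an eBGP peer.
    ttl-security always sends 255; ebgp-multihop N sends N; plain eBGP sends 1."""
    if ttl_security_hops is not None:
        return MAX_TTL
    if ebgp_multihop is not None:
        return ebgp_multihop
    return 1


def arriving_ttl(initial_ttl, intermediate_routers):
    """TTL seen by the receiver after each forwarding router decrements by one.
    Returns None when the packet expires in transit."""
    ttl = initial_ttl - intermediate_routers
    return ttl if ttl > 0 else None


def gtsm_accepts(received_ttl, hops):
    """ttl-security hops H: accept only if TTL >= 255 - H (expired packets never pass)."""
    if received_ttl is None:
        return False
    return received_ttl >= MAX_TTL - hops


def session_comes_up(cfg_a, cfg_b, intermediate_routers):
    """Both directions must pass the receiver's check for the BGP session to form.
    cfg_* are constructed dicts: {"ttl_security_hops": H} or {"ebgp_multihop": N}."""

    def accepts(receiver_cfg, ttl):
        if ttl is None:
            return False  # packet never arrived
        if "ttl_security_hops" in receiver_cfg:
            return gtsm_accepts(ttl, receiver_cfg["ttl_security_hops"])
        return True  # ebgp-multihop receiver: no TTL floor, only non-expiry

    a_to_b = arriving_ttl(sent_ttl(**cfg_a), intermediate_routers)
    b_to_a = arriving_ttl(sent_ttl(**cfg_b), intermediate_routers)
    return accepts(cfg_b, a_to_b) and accepts(cfg_a, b_to_a)


if __name__ == "__main__":
    pe1, asbr1 = {"ttl_security_hops": 2}, {"ttl_security_hops": 2}
    print("ttl-security both sides, adjacent:", session_comes_up(pe1, asbr1, 0))
    print("ttl-security both sides, 3 routers between:", session_comes_up(pe1, asbr1, 3))
    print("multihop 2 vs ttl-security 2, adjacent:", session_comes_up({"ebgp_multihop": 2}, asbr1, 0))
```

The last case shows why the two features are "opposites": a peer running `ebgp-multihop 2` sends TTL 2, which a `ttl-security hops 2` receiver (floor 253) discards, so the session never forms unless both sides use the same mechanism.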
