Re: BGP - multihop & ttl security

From: Narbik Kocharians <narbikk_at_gmail.com>
Date: Tue, 7 Sep 2010 00:39:43 -0700

John,

Let's say R1 is connected to R2 and R2 is connected to R3. All routers use
directly connected serial links (HDLC).

R1 (S0/1) ----------- (S0/1) R2 (S0/2) ----------- (S0/2) R3

R1's S0/1 interface: 10.1.12.1 /24 (connecting this router to R2's S0/1)
R2's S0/1 interface: 10.1.12.2 /24 (connecting this router to R1's S0/1)
R2's S0/2 interface: 10.1.23.2 /24 (connecting this router to R3's S0/2)
R3's S0/2 interface: 10.1.23.3 /24 (connecting this router to R2's S0/2)

The routers have static routes configured and have full NLRI to each other.

*Regular configuration:*

*On R1*

router bgp 100
 neighbor 10.1.23.3 remote-as 300

*On R3*

router bgp 300
 neighbor 10.1.12.1 remote-as 100

In a regular BGP configuration, the TTL of the SYN packet is set to 1, and
the other router will respond with a SYN/ACK with a TTL of 255, and the
rest of the packets that are exchanged between the two routers will have a
TTL of 1.

So you can see that in our configuration above, the two routers (R1 and R3)
will *NOT* form an EBGP session, because when the routers send their initial
SYN packets with a TTL of 1, the SYN will never reach the other router that
is 2 hops away.

You probably have heard that the TTL of EBGP packets is always set to 1.
Well... it's the TTL of the initial SYN packet that is set to 1, and since
BGP uses TCP, we need to get the SYN packet to the other router, or else
they will NOT complete the 3-way handshake.

To fix our problem in the above configuration, we can increase the TTL of
the SYN packet to 2 or more. Well, 2 is much better than anything else,
since the other neighbor is ONLY two hops away. Always be very specific.

One way to do this is to configure the ebgp-multihop command:

*On R1*

router bgp 100
 neighbor 10.1.23.3 remote-as 300
 neighbor 10.1.23.3 ebgp-multihop 2

*On R3*

router bgp 300
 neighbor 10.1.12.1 remote-as 100
 neighbor 10.1.12.1 ebgp-multihop 2

Now, the routers will send their SYN packets with a TTL of 2, because of
the Ebgp-multihop 2 command; but once again the SYN/ACK will have a TTL
of 255, and the rest of the packets exchanged between the two routers will
have a TTL of 2.

If you are NOT allowed to or don't want to use the ebgp-multihop command, you
could use the ttl-security hops command instead. Remember that with this
option, both routers MUST have ttl-security hops configured or else it
will not work (as of 12.4(15)T9, 10, 11 code).

Let's configure the ttl-security hops command:

*On R1*

router bgp 100
 neighbor 10.1.23.3 remote-as 300
 no neighbor 10.1.23.3 ebgp-multihop 2
 neighbor 10.1.23.3 ttl-security hops 2

*On R3*

router bgp 300
 neighbor 10.1.12.1 remote-as 100
 no neighbor 10.1.12.1 ebgp-multihop 2
 neighbor 10.1.12.1 ttl-security hops 2

In this case, all SYN packets will be sent with a TTL of 255, which means
that in our case, when a router receives the initial SYN packet from the
other router, the TTL will have been decremented by 1 (this is done by R2,
the middle router), and the local router will receive the SYN packet with a
TTL of 254.

Since our BGP is configured with ttl-security hops 2, the local router
will process a received SYN packet that has a TTL of 253 or higher, or,
looking at it from a normal person's perspective, ONLY 2 hops away and
NOTHING MORE.

Therefore, with TTL-Security Hops you are setting the TTL of your SYN
packet to 255, BUT you are ONLY processing packets that are ONLY 2 hops away
from you.

I hope this helps.

On Mon, Sep 6, 2010 at 8:25 PM, shiran guez <shiranp3_at_gmail.com> wrote:

> prospective of the TTL :-)
>
> as TTL start from 255 going down, essentially both explanations are the
> same
> the meaning is that if you set ttl-security of 4 and the router trying to
> establish a neighbor is 5 hops away he will not be able to do so.
>
>
> On Tue, Sep 7, 2010 at 6:16 AM, shiran guez <shiranp3_at_gmail.com> wrote:
>
> > correction to what I said about ttl-security
> >
> > with ttl-security the router tests *incoming* packets to see how many
> > hops away they are and if they are *below* the ttl you specified it will
> > not establish a neighbor relation with them.
> >
> > meaning that if you have set ttl-security to 4 the router will accept
> > only TTL <= 251 (255 - 4)
> >
> > On Tue, Sep 7, 2010 at 4:51 AM, shiran guez <shiranp3_at_gmail.com> wrote:
> >
> >> ttl-security is essentially the opposite of the ebgp-multihop. To
> >> establish an ebgp neighbor you need to be directly connected, or if you
> >> are either several hops away or if you utilize a virtual interface such
> >> as the loopback you must use the ebgp-multihop to allow your router to
> >> send a packet out with a greater TTL, by doing so allowing the packet to
> >> reach the desired neighbor.
> >>
> >> with ttl-security the router tests *incoming* packets to see how many
> >> hops away they are and if they are above the ttl you specified it will
> >> not establish a neighbor relation with them.
> >>
> >> So as you can see when you enabled ttl-security you simply prevented
> >> your router from establishing a neighbor relation.
> >>
> >> On Mon, Sep 6, 2010 at 11:45 PM, Edward John <
> >> edwardjohn2020_at_googlemail.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> Is there a relation between TTL-security in bgp neighbor and
> >>> route-selection from BGP table?
> >>> I have an eBGP peering (based on loopback source, where loopback
> >>> reachability is using IGP-ISIS).
> >>>
> >>> If I configure ebgp-multihop I see the routes are chosen best from the
> >>> BGP table. And if I configure ttl-security routes are not chosen and
> >>> shown nexthop inaccessible?
> >>> In both the cases the peer is coming up.
> >>>
> >>> Setup is as follows:
> >>>
> >>> PE1 - ASBR1
> >>>
> >>> ***********PE1 Config**************
> >>>
> >>> hostname PE1
> >>> !
> >>> !
> >>> key chain ISIS
> >>> key 1
> >>> key-string CISCO
> >>> !
> >>> interface Loopback0
> >>> ip address 10.1.1.1 255.255.255.255
> >>> ip pim sparse-dense-mode
> >>> no clns route-cache
> >>> !
> >>> interface Loopback1
> >>> ip address 11.11.11.11 255.255.255.0
> >>> no clns route-cache
> >>> !
> >>> !
> >>> interface Serial2/0
> >>> dampening 25 500 100 100 restart 120
> >>> mtu 17000
> >>> no ip address
> >>> encapsulation frame-relay
> >>> no keepalive
> >>> serial restart-delay 0
> >>> no frame-relay inverse-arp
> >>> !
> >>> interface Serial2/0.100 multipoint
> >>> ip address 172.16.111.1 255.255.255.0
> >>> ip router isis
> >>> frame-relay map ip 172.16.111.2 100 broadcast
> >>> frame-relay map ip 172.16.111.1 100
> >>> frame-relay map clns 100 broadcast
> >>> frame-relay interface-dlci 100
> >>> no frame-relay inverse-arp
> >>> clns mtu 9216
> >>> isis circuit-type level-2-only
> >>> isis authentication mode md5 level-2
> >>> isis authentication key-chain ISIS level-2
> >>> isis hello-interval 58 level-2
> >>> !
> >>> !
> >>> router isis
> >>> net 48.0000.0002.0002.00
> >>> area-password iementor
> >>> authentication mode md5 level-2
> >>> authentication key-chain ISIS level-2
> >>> metric-style wide
> >>> no hello padding multi-point
> >>> redistribute isis ip level-2 into level-1 distribute-list 100
> >>> passive-interface Loopback0
> >>> default-information originate
> >>> !
> >>> !
> >>> router bgp 65001
> >>> bgp router-id 10.1.1.1
> >>> no bgp fast-external-fallover
> >>> bgp log-neighbor-changes
> >>> neighbor 10.1.1.100 remote-as 100
> >>> neighbor 10.1.1.100 ebgp-multihop 2
> >>> neighbor 10.1.1.100 update-source Loopback0
> >>> neighbor 10.1.1.254 remote-as 65001
> >>> neighbor 10.1.1.254 update-source Loopback0
> >>> !
> >>> address-family ipv4
> >>> neighbor 10.1.1.100 activate
> >>> neighbor 10.1.1.254 activate
> >>> neighbor 140.100.1.2 activate
> >>> neighbor 140.100.1.2 filter-list 10 out
> >>> no auto-summary
> >>> no synchronization
> >>> network 11.11.11.0 mask 255.255.255.0
> >>> exit-address-family
> >>> !
> >>> !
> >>> ip as-path access-list 10 permit ^$
> >>> !
> >>> access-list 100 permit ip any any
> >>> !
> >>> !
> >>>
> >>> PE1#show ip bgp | include 10.1.1.100
> >>> *> 0.0.0.0 10.1.1.100 0 100 200 i
> >>> *> 101.101.101.0/24 10.1.1.100 0 0 100 i
> >>> r> 172.16.111.0/24 10.1.1.100 0 0 100 i
> >>> *> 172.16.113.0/24 10.1.1.100 0 100 200 i
> >>> PE1#
> >>>
> >>>
> >>> ***********ASBR1 Config****************
> >>> hostname ASBR1
> >>> !
> >>>
> >>> key chain ISIS
> >>> key 1
> >>> key-string CISCO
> >>> !
> >>> !
> >>> interface Serial1/2
> >>> mtu 9216
> >>> ip address 172.16.111.2 255.255.255.0
> >>> ip router isis
> >>> encapsulation frame-relay
> >>> no keepalive
> >>> serial restart-delay 0
> >>> no arp frame-relay
> >>> frame-relay map ip 172.16.111.1 100 broadcast
> >>> frame-relay map ip 172.16.111.2 100 broadcast
> >>> frame-relay map clns 100 broadcast
> >>> frame-relay interface-dlci 100
> >>> no frame-relay inverse-arp
> >>> isis circuit-type level-2-only
> >>> isis authentication mode md5 level-2
> >>> isis authentication key-chain ISIS level-2
> >>> isis hello-interval 58 level-2
> >>> no isis hello padding
> >>> !
> >>> !
> >>> router isis
> >>> net 48.0000.0100.0100.00
> >>> authentication mode md5 level-2
> >>> authentication key-chain ISIS level-2
> >>> metric-style wide
> >>> max-lsp-lifetime 120
> >>> lsp-refresh-interval 60
> >>> log-adjacency-changes
> >>> passive-interface Loopback0
> >>> !
> >>> router bgp 100
> >>> no synchronization
> >>> bgp router-id 10.1.1.100
> >>> bgp log-neighbor-changes
> >>> network 101.101.101.0 mask 255.255.255.0
> >>> network 172.16.111.0 mask 255.255.255.0
> >>> neighbor 10.1.1.1 remote-as 65001
> >>> neighbor 10.1.1.1 ebgp-multihop 2
> >>> neighbor 10.1.1.1 update-source Loopback0
> >>> neighbor 10.1.1.200 remote-as 200
> >>> neighbor 10.1.1.200 disable-connected-check
> >>> neighbor 10.1.1.200 update-source Loopback0
> >>> neighbor 10.1.1.200 route-map PREPEND out
> >>> no auto-summary
> >>> !
> >>> !
> >>> route-map PREPEND permit 10
> >>> set as-path prepend 65535
> >>> !
> >>>
> >>>
> >>> IF I change to ttl-security instead of ebgp-multihop for the peer
> >>> between 10.1.1.100 & 10.1.1.1:
> >>>
> >>>
> >>> *********FROM PE1*********
> >>> router bgp 65001
> >>> bgp router-id 10.1.1.1
> >>> no bgp fast-external-fallover
> >>> bgp log-neighbor-changes
> >>> neighbor 10.1.1.100 remote-as 100
> >>> neighbor 10.1.1.100 ttl-security hops 2
> >>> neighbor 10.1.1.100 update-source Loopback0
> >>> neighbor 10.1.1.254 remote-as 65001
> >>> neighbor 10.1.1.254 update-source Loopback0
> >>>
> >>> ***********FROM ASBR1**********
> >>> !
> >>> router bgp 100
> >>> no synchronization
> >>> bgp router-id 10.1.1.100
> >>> bgp log-neighbor-changes
> >>> network 101.101.101.0 mask 255.255.255.0
> >>> network 172.16.111.0 mask 255.255.255.0
> >>> neighbor 10.1.1.1 remote-as 65001
> >>> neighbor 10.1.1.1 ttl-security hops 2
> >>> neighbor 10.1.1.1 update-source Loopback0
> >>> !
> >>> PE1#show ip bgp summary
> >>> BGP router identifier 10.1.1.1, local AS number 65001
> >>> BGP table version is 33, main routing table version 33
> >>> 26 network entries using 2938 bytes of memory
> >>> 26 path entries using 1352 bytes of memory
> >>> 13/10 BGP path/bestpath attribute entries using 1404 bytes of memory
> >>> 2 BGP rrinfo entries using 48 bytes of memory
> >>> 5 BGP AS-PATH entries using 120 bytes of memory
> >>> 0 BGP route-map cache entries using 0 bytes of memory
> >>> 10 BGP filter-list cache entries using 120 bytes of memory
> >>> BGP using 5982 total bytes of memory
> >>> BGP activity 156/130 prefixes, 177/151 paths, scan interval 60 secs
> >>>
> >>> Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
> >>> 10.1.1.100 4 100 342 367 33 0 0 00:02:30 4
> >>> 10.1.1.254 4 65001 326 277 33 0 0 00:22:29 12
> >>> 140.100.1.2 4 1540 281 316 33 0 0 00:22:29 9
> >>> PE1#show ip bgp | include 10.1.1.100
> >>> * 0.0.0.0 10.1.1.100 0 100 200 i
> >>> * 101.101.101.0/24 10.1.1.100 0 0 100 i
> >>> * 172.16.111.0/24 10.1.1.100 0 0 100 i
> >>> * 172.16.113.0/24 10.1.1.100 0 100 200 i
> >>>
> >>> PE1#show ip bgp 101.101.101.0
> >>> BGP routing table entry for 101.101.101.0/24, version 0
> >>> Paths: (1 available, no best path)
> >>> Not advertised to any peer
> >>> 100
> >>> 10.1.1.100 (inaccessible) from 10.1.1.100 (10.1.1.100)
> >>> Origin IGP, metric 0, localpref 100, valid, external
> >>>
> >>>
> >>> --
> >>>
> >>> *Regards,*
> >>> *John*
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
> >>
> >> --
> >> Shiran Guez
> >> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> >> http://cciep3.blogspot.com
> >> http://www.linkedin.com/in/cciep3
> >> http://twitter.com/cciep3
> >>

--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com
Sr. Technical Instructor
YES! We take Cisco Learning Credits!
Training And Remote Racks available
Received on Tue Sep 07 2010 - 00:39:43 ART
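As an added example (not part of the thread, and not Cisco code or output), the following Python script models the TTL arithmetic Narbik walks through above: a default eBGP SYN leaves with TTL 1, ebgp-multihop N sends it with TTL N, and ttl-security hops N sends TTL 255 while only accepting packets that arrive with TTL 255 - N or higher. The Peer class, the router names and the hop counts are constructed for illustration; the per-router decrement is modelled as each intermediate router subtracting 1. The script reproduces the three configurations from the message (plain, ebgp-multihop 2, ttl-security hops 2) on the two-hop R1-R2-R3 path, and additionally shows why ttl-security must be configured on both ends and why a distant sender cannot satisfy the check however high it sets its own TTL.

```python
"""Model of eBGP session setup under ebgp-multihop and ttl-security (GTSM).

Constructed example: Peer, ttl_on_arrival and the router names are
illustrative helpers, not IOS commands or output.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_TTL = 255


@dataclass(frozen=True)
class Peer:
    """Per-neighbor settings, mirroring the two IOS neighbor commands."""
    name: str
    ebgp_multihop: Optional[int] = None       # neighbor X ebgp-multihop N
    ttl_security_hops: Optional[int] = None   # neighbor X ttl-security hops N


def initial_ttl(sender: Peer) -> int:
    """TTL the sender puts on its outgoing SYN."""
    if sender.ttl_security_hops is not None:
        return MAX_TTL                 # ttl-security: always send 255
    if sender.ebgp_multihop is not None:
        return sender.ebgp_multihop    # ebgp-multihop N: send TTL N
    return 1                           # default eBGP: directly connected only


def min_accepted_ttl(receiver: Peer) -> Optional[int]:
    """Lowest arriving TTL the receiver accepts; None means no inbound check."""
    if receiver.ttl_security_hops is not None:
        return MAX_TTL - receiver.ttl_security_hops   # hops 2 -> 253 or higher
    return None


def ttl_on_arrival(ttl: int, hops: int) -> Optional[int]:
    """Each intermediate router (hops - 1 of them) decrements the TTL and drops
    the packet once it reaches 0. Returns None when the packet never arrives."""
    for _ in range(hops - 1):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def syn_accepted(sender: Peer, receiver: Peer, hops: int) -> Tuple[bool, str]:
    """Does a SYN from sender reach receiver (hops links away) and pass its check?"""
    sent = initial_ttl(sender)
    arrived = ttl_on_arrival(sent, hops)
    if arrived is None:
        return False, f"{sender.name}->{receiver.name}: TTL {sent} expired in transit"
    floor = min_accepted_ttl(receiver)
    if floor is not None and arrived < floor:
        return False, (f"{sender.name}->{receiver.name}: arrived with TTL {arrived}, "
                       f"but {receiver.name} requires >= {floor}")
    return True, f"{sender.name}->{receiver.name}: arrived with TTL {arrived}, accepted"


def session_forms(a: Peer, b: Peer, hops: int) -> bool:
    """The 3-way handshake needs the SYN to get through in both directions."""
    return syn_accepted(a, b, hops)[0] and syn_accepted(b, a, hops)[0]


if __name__ == "__main__":
    HOPS = 2   # R1 -> R2 -> R3 from the thread
    scenarios = {
        "plain eBGP":            (Peer("R1"), Peer("R3")),
        "ebgp-multihop 2":       (Peer("R1", ebgp_multihop=2), Peer("R3", ebgp_multihop=2)),
        "ttl-security hops 2":   (Peer("R1", ttl_security_hops=2), Peer("R3", ttl_security_hops=2)),
        "ttl-security on R1 only": (Peer("R1", ttl_security_hops=2), Peer("R3", ebgp_multihop=2)),
    }
    for label, (r1, r3) in scenarios.items():
        print(f"{label}: session forms = {session_forms(r1, r3, HOPS)}")
        for peer_a, peer_b in ((r1, r3), (r3, r1)):
            print("  " + syn_accepted(peer_a, peer_b, HOPS)[1])
    # A sender six links away cannot raise its TTL above 255, so even
    # ebgp-multihop 255 on its side never satisfies ttl-security hops 2.
    print(syn_accepted(Peer("far", ebgp_multihop=255), Peer("R3", ttl_security_hops=2), 6)[1])
```

The last case is the point of GTSM from a defender's view: ebgp-multihop only loosens what the local router sends, whereas ttl-security is an inbound filter that a remote host beyond the configured radius cannot satisfy, because no router on the path adds to a TTL.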

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART