I can confirm (and so can you in the lab environment).

When configured with the ttl-security, several things are important for the
eBGP neighbors:

1) The TTL is set to 255, instead of 1 (default)
2) TTL security feature needs to be turned on on both sides
3) TTL of the incoming packet will be matched against the configured hop
count using a simple check: (255-Packet_TTL) <= hops

Let's take a look.

(AS65001)R1[Gi1]---{192.168.12.0/24}---[Gi1]R2(AS65002)


R1:
interface GigabitEthernet1
 ip address 192.168.12.1 255.255.255.0
!
router bgp 65001
 neighbor 192.168.12.2 remote-as 65002
 neighbor 192.168.12.2 ttl-security hops 2
 !
 address-family ipv4
  neighbor 192.168.12.2 activate
!

R2:
interface GigabitEthernet1
 ip address 192.168.12.2 255.255.255.0
!
router bgp 65002
 neighbor 192.168.12.1 remote-as 65001
 neighbor 192.168.12.1 ttl-security hops 2
 !
 address-family ipv4
  neighbor 192.168.12.1 activate
!

R1:
R1#show bgp ipv4 unicast summary
BGP router identifier 192.168.12.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.12.2    4        65002       7       7        1    0    0 00:04:15        0

So, the session is up, even though they're directly connected (proving the
point of the TTL statement above). But what WAS the actual TTL used on the
wire? See for yourself - this is the SYN packet for that session.

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: 00:0c:29:84:d3:2e (00:0c:29:84:d3:2e), Dst: 00:50:56:92:37:3d (00:50:56:92:37:3d)
Internet Protocol Version 4, Src: 192.168.12.1 (192.168.12.1), Dst: 192.168.12.2 (192.168.12.2)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 44
    Identification: 0xa870 (43120)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 255
    Protocol: TCP (6)
    Header checksum: 0x3947 [correct]
    Source: 192.168.12.1 (192.168.12.1)
    Destination: 192.168.12.2 (192.168.12.2)
Transmission Control Protocol, Src Port: 51300 (51300), Dst Port: bgp (179), Seq: 0, Len: 0

--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor / Managing Partner - iPexpert
:: Free Video Training: http://youtube.com/iPexpertInc
:: Social: http://twitter.com/@icemarkom | http://fb.me/ccie18427
:: iPexpert: http://www.ipexpert.com/Communities | +1-810-326-1444
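
As an added illustration (not code from the thread or from any vendor), the receive-side check stated above, (255-Packet_TTL) <= hops, modelled in Python over constructed cases: directly connected peers as in the capture, loopback peering as Marc describes it, a peer still sending the default TTL of 1, and a source several routers away. The number of decrements in each scenario is an assumption of the example, not captured data.

```python
# Added example (not from the thread): a model of the receive-side
# BGP ttl-security check, (255 - Packet_TTL) <= hops, run over
# constructed packet scenarios taken from the discussion.

MAX_TTL = 255          # TTL a ttl-security-enabled speaker puts on its BGP packets
DEFAULT_EBGP_TTL = 1   # TTL an eBGP speaker without ttl-security uses (point 1 above)


def gtsm_accept(packet_ttl: int, hops: int) -> bool:
    """True if a BGP packet carrying packet_ttl passes the configured hop count."""
    if not 0 <= packet_ttl <= MAX_TTL:
        raise ValueError("IPv4 TTL must be 0..255")
    if not 1 <= hops <= 254:
        raise ValueError("hops must be 1..254")
    return (MAX_TTL - packet_ttl) <= hops


def minimum_accepted_ttl(hops: int) -> int:
    """Lowest TTL the check still accepts for a given hop count."""
    return MAX_TTL - hops


def arriving_ttl(initial_ttl: int, decrements: int) -> int:
    """TTL seen by the receiver after each router on the path decrements it once."""
    return max(initial_ttl - decrements, 0)


def scenarios() -> dict:
    """Constructed cases (assumed decrement counts); values are what the check returns."""
    return {
        # Directly connected, both sides enabled: TTL 255 on the wire, as captured above.
        "direct_hops_1": gtsm_accept(arriving_ttl(MAX_TTL, 0), 1),
        "direct_hops_2": gtsm_accept(arriving_ttl(MAX_TTL, 0), 2),
        # Loopback peering as Marc describes: two decrements, so TTL 253 arrives.
        "loopback_hops_1": gtsm_accept(arriving_ttl(MAX_TTL, 2), 1),
        "loopback_hops_2": gtsm_accept(arriving_ttl(MAX_TTL, 2), 2),
        # Peer left at the default TTL of 1: only hops 254 lets it through (point 2).
        "peer_default_ttl_hops_1": gtsm_accept(DEFAULT_EBGP_TTL, 1),
        "peer_default_ttl_hops_254": gtsm_accept(DEFAULT_EBGP_TTL, 254),
        # Source five routers away: TTL can only go down, so hops 2 drops it.
        "five_routers_away_hops_2": gtsm_accept(arriving_ttl(MAX_TTL, 5), 2),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:28s} {'accept' if accepted else 'drop'}")
```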



On Wed, Feb 26, 2014 at 12:19 PM, Edgar Díaz Orellana <
[email protected]> wrote:

> In fact, using a loopback interface is kind of like having a second hop: one of them
> is external, the other is internal through the control plane.
>
> That's why you need to use 2 hops if you have neighbors peering through loopbacks.
>
> Sent from my iPhone
>
> > On 26-02-2014, at 14:09, marc abel <[email protected]> wrote:
> >
> > Are you peering between loopbacks? In this case you would need to do
> > ttl-security hops 2. Your neighbor is going to decrement 1 ttl before
> > sending and then local router would decrement 1 before delivering to
> > loopback interface. This probably wouldn't show up in your traceroute,
> but
> > you would have a ttl of 253.
> >
> >
> > On Wed, Feb 26, 2014 at 10:22 AM, Christopher Lemish <
> > [email protected]> wrote:
> >
> >> Guys,
> >>
> >> I just turned up a BGP session for a customer (doing BGP Failover for
> >> them).  I am using the "neigh ttl-security hops" cmd.  A traceroute
> >> confirms it is 1 hop away.  The Cisco documentation explains that if a
> TTL
> >> is received that equals the TTL value expected or is higher, the router
> >> will accept that packet.
> >>
> >> I was troubleshooting it quickly and the cmd "neigh x.x.x.x ttl-security
> >> hops 254" is the only hop count that maintains the BGP session.  I
> thought
> >> I recall that the ttl-security cmd "must exactly" match the number of
> hops
> >> away from one of Joe's videos.  But, I thought we could use the "neigh
> >> x.x.x.x ttl-security hops 1" which means it is 1 hop away and would
> accept
> >> a TTL of 254 or higher, indicating that it is 1 hop away.
> >>
> >> (TTL=255)-->(TTL=254)
> >>       PE--------CE
> >>
> >> The IOS version of this 3925 is the following:
> >> Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version
> >> 15.2(4)M5, RELEASE SOFTWARE (fc2)
> >>
> >> Thank you,
> >> Chris
> >>
> >> _______________________________________________
> >> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
> >>
> >> iPexpert on YouTube: www.youtube.com/ipexpertinc
> >
> >
> >
> > --
> > Marc Abel
> > CCIE #35470
> > (Routing and Switching)