ttl-security is essentially the opposite of ebgp-multihop. To establish an
eBGP neighbor you need to be directly connected; if you are either several
hops away or you utilize a virtual interface such as the loopback, you must
use ebgp-multihop to allow your router to send a packet out with a greater
TTL, thereby allowing the packet to reach the desired neighbor.
With ttl-security the router tests *incoming* packets to see how many hops
away they are, and if they are above the TTL you specified it will not
establish a neighbor relationship with them.
So as you can see, when you enabled ttl-security you simply prevented your
router from establishing a neighbor relationship.
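As an added illustration of the distinction drawn above (not code from this thread or from any vendor), here is a small Python model of where each knob applies its TTL check: ebgp-multihop raises the sender's starting TTL, while ttl-security (GTSM, RFC 5082) makes the receiver demand a minimum arriving TTL of 255 minus the configured hop count. The "transits" counts are a modelling assumption (one decrement per forwarding router), not values taken from the configs quoted below.

```python
from typing import Dict, Optional

MAX_TTL = 255          # TTL a GTSM (ttl-security) sender puts on its packets
DEFAULT_EBGP_TTL = 1   # TTL of a plain eBGP session with no ebgp-multihop


def arrival_ttl(initial_ttl: int, transits: int) -> Optional[int]:
    """TTL the receiver sees after `transits` forwarding routers, each of
    which decrements by one. None means the packet expired on the path."""
    remaining = initial_ttl - transits
    return remaining if remaining >= 1 else None


def multihop_accepts(hops: int, transits: int) -> bool:
    """ebgp-multihop <hops>: the *sender* raises its starting TTL to `hops`.
    The receiver does no TTL check, so acceptance simply means arrival."""
    return arrival_ttl(hops, transits) is not None


def ttl_security_accepts(hops: int, transits: int,
                         initial_ttl: int = MAX_TTL) -> bool:
    """ttl-security hops <hops>: the *receiver* requires an incoming TTL of
    at least 255 - hops (Cisco's expected-TTL rule, the GTSM check).  A real
    peer starts at 255; `initial_ttl` lets us model any other sender."""
    ttl = arrival_ttl(initial_ttl, transits)
    return ttl is not None and ttl >= MAX_TTL - hops


def accepted_radius(hops: int) -> Dict[str, int]:
    """Farthest distance (in transits) from which *any* sender can get a
    packet past the TTL handling under each knob, assuming it picks the most
    favourable starting TTL (255).  GTSM bounds acceptance to `hops` routers;
    multihop, as far as TTL goes, accepts anything that can reach the box."""
    distances = range(MAX_TTL + 1)
    multihop = max(t for t in distances if arrival_ttl(MAX_TTL, t) is not None)
    gtsm = max(t for t in distances if ttl_security_accepts(hops, t))
    return {"ebgp-multihop": multihop, "ttl-security": gtsm}


if __name__ == "__main__":
    # The thread's setting: hops 2 configured on both PE1 and ASBR1.
    for transits in range(4):
        print(f"{transits} transits: multihop={multihop_accepts(2, transits)} "
              f"ttl-security={ttl_security_accepts(2, transits)}")
    print(accepted_radius(2))   # {'ebgp-multihop': 254, 'ttl-security': 2}
```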
On Mon, Sep 6, 2010 at 11:45 PM, Edward John <edwardjohn2020_at_googlemail.com> wrote:
> Hi,
>
> Is there a relation between TTL-security on a BGP neighbor and route
> selection from the BGP table?
> I have an eBGP peering (based on loopback source, where loopback
> reachability is via the IGP, IS-IS).
>
> If I configure ebgp-multihop I see the routes are chosen as best from the BGP
> table. And if I configure ttl-security the routes are not chosen and are shown
> as next-hop inaccessible?
> In both cases the peer is coming up.
>
> Setup is as follows:
>
> PE1 - ASBR1
>
> ***********PE1 Config**************
>
> hostname PE1
> !
> !
> key chain ISIS
>  key 1
>  key-string CISCO
> !
> interface Loopback0
>  ip address 10.1.1.1 255.255.255.255
>  ip pim sparse-dense-mode
>  no clns route-cache
> !
> interface Loopback1
>  ip address 11.11.11.11 255.255.255.0
>  no clns route-cache
> !
> !
> interface Serial2/0
>  dampening 25 500 100 100 restart 120
>  mtu 17000
>  no ip address
>  encapsulation frame-relay
>  no keepalive
>  serial restart-delay 0
>  no frame-relay inverse-arp
> !
> interface Serial2/0.100 multipoint
>  ip address 172.16.111.1 255.255.255.0
>  ip router isis
>  frame-relay map ip 172.16.111.2 100 broadcast
>  frame-relay map ip 172.16.111.1 100
>  frame-relay map clns 100 broadcast
>  frame-relay interface-dlci 100
>  no frame-relay inverse-arp
>  clns mtu 9216
>  isis circuit-type level-2-only
>  isis authentication mode md5 level-2
>  isis authentication key-chain ISIS level-2
>  isis hello-interval 58 level-2
> !
> !
> router isis
>  net 48.0000.0002.0002.00
>  area-password iementor
>  authentication mode md5 level-2
>  authentication key-chain ISIS level-2
>  metric-style wide
>  no hello padding multi-point
>  redistribute isis ip level-2 into level-1 distribute-list 100
>  passive-interface Loopback0
>  default-information originate
> !
> !
> router bgp 65001
>  bgp router-id 10.1.1.1
>  no bgp fast-external-fallover
>  bgp log-neighbor-changes
>  neighbor 10.1.1.100 remote-as 100
>  neighbor 10.1.1.100 ebgp-multihop 2
>  neighbor 10.1.1.100 update-source Loopback0
>  neighbor 10.1.1.254 remote-as 65001
>  neighbor 10.1.1.254 update-source Loopback0
>  !
>  address-family ipv4
>  neighbor 10.1.1.100 activate
>  neighbor 10.1.1.254 activate
>  neighbor 140.100.1.2 activate
>  neighbor 140.100.1.2 filter-list 10 out
>  no auto-summary
>  no synchronization
>  network 11.11.11.0 mask 255.255.255.0
>  exit-address-family
> !
> !
> ip as-path access-list 10 permit ^$
> !
> access-list 100 permit ip any any
> !
> !
>
> PE1#show  ip bgp | include 10.1.1.100
> *> 0.0.0.0          10.1.1.100                             0 100 200 i
> *> 101.101.101.0/24 10.1.1.100               0             0 100 i
> r> 172.16.111.0/24  10.1.1.100               0             0 100 i
> *> 172.16.113.0/24  10.1.1.100                             0 100 200 i
> PE1#
>
>
> ***********ASBR1 Config****************
> hostname ASBR1
> !
>
> key chain ISIS
>  key 1
>  key-string CISCO
> !
> !
> interface Serial1/2
>  mtu 9216
>  ip address 172.16.111.2 255.255.255.0
>  ip router isis
>  encapsulation frame-relay
>  no keepalive
>  serial restart-delay 0
>  no arp frame-relay
>  frame-relay map ip 172.16.111.1 100 broadcast
>  frame-relay map ip 172.16.111.2 100 broadcast
>  frame-relay map clns 100 broadcast
>  frame-relay interface-dlci 100
>  no frame-relay inverse-arp
>  isis circuit-type level-2-only
>  isis authentication mode md5 level-2
>  isis authentication key-chain ISIS level-2
>  isis hello-interval 58 level-2
>  no isis hello padding
> !
> !
> router isis
>  net 48.0000.0100.0100.00
>  authentication mode md5 level-2
>  authentication key-chain ISIS level-2
>  metric-style wide
>  max-lsp-lifetime 120
>  lsp-refresh-interval 60
>  log-adjacency-changes
>  passive-interface Loopback0
> !
> router bgp 100
>  no synchronization
>  bgp router-id 10.1.1.100
>  bgp log-neighbor-changes
>  network 101.101.101.0 mask 255.255.255.0
>  network 172.16.111.0 mask 255.255.255.0
>  neighbor 10.1.1.1 remote-as 65001
>  neighbor 10.1.1.1 ebgp-multihop 2
>  neighbor 10.1.1.1 update-source Loopback0
>  neighbor 10.1.1.200 remote-as 200
>  neighbor 10.1.1.200 disable-connected-check
>  neighbor 10.1.1.200 update-source Loopback0
>  neighbor 10.1.1.200 route-map PREPEND out
>  no auto-summary
> !
> !
> route-map PREPEND permit 10
>  set as-path prepend 65535
> !
>
>
> If I change to ttl-security instead of ebgp-multihop for the peer between
> 10.1.1.100 & 10.1.1.1:
>
>
> *********FROM PE1*********
> router bgp 65001
>  bgp router-id 10.1.1.1
>  no bgp fast-external-fallover
>  bgp log-neighbor-changes
>  neighbor 10.1.1.100 remote-as 100
>  neighbor 10.1.1.100 ttl-security hops 2
>  neighbor 10.1.1.100 update-source Loopback0
>  neighbor 10.1.1.254 remote-as 65001
>  neighbor 10.1.1.254 update-source Loopback0
>
> ***********FROM ASBR1**********
> !
> router bgp 100
>  no synchronization
>  bgp router-id 10.1.1.100
>  bgp log-neighbor-changes
>  network 101.101.101.0 mask 255.255.255.0
>  network 172.16.111.0 mask 255.255.255.0
>  neighbor 10.1.1.1 remote-as 65001
>  neighbor 10.1.1.1 ttl-security hops 2
>  neighbor 10.1.1.1 update-source Loopback0
> !
> PE1#show ip bgp summary
> BGP router identifier 10.1.1.1, local AS number 65001
> BGP table version is 33, main routing table version 33
> 26 network entries using 2938 bytes of memory
> 26 path entries using 1352 bytes of memory
> 13/10 BGP path/bestpath attribute entries using 1404 bytes of memory
> 2 BGP rrinfo entries using 48 bytes of memory
> 5 BGP AS-PATH entries using 120 bytes of memory
> 0 BGP route-map cache entries using 0 bytes of memory
> 10 BGP filter-list cache entries using 120 bytes of memory
> BGP using 5982 total bytes of memory
> BGP activity 156/130 prefixes, 177/151 paths, scan interval 60 secs
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 10.1.1.100      4   100     342     367       33    0    0 00:02:30        4
> 10.1.1.254      4 65001     326     277       33    0    0 00:22:29       12
> 140.100.1.2     4  1540     281     316       33    0    0 00:22:29        9
> PE1#show  ip bgp | include 10.1.1.100
> *  0.0.0.0          10.1.1.100                             0 100 200 i
> *  101.101.101.0/24 10.1.1.100               0             0 100 i
> *  172.16.111.0/24  10.1.1.100               0             0 100 i
> *  172.16.113.0/24  10.1.1.100                             0 100 200 i
>
> PE1#show  ip bgp 101.101.101.0
> BGP routing table entry for 101.101.101.0/24, version 0
> Paths: (1 available, no best path)
>  Not advertised to any peer
>  100
>    10.1.1.100 (inaccessible) from 10.1.1.100 (10.1.1.100)
>      Origin IGP, metric 0, localpref 100, valid, external
>
>
> --
>
> Regards,
> John
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Shiran Guez
MCSE CCNP NCE1 JNCIA-ER
CCIE #20572
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3
http://twitter.com/cciep3

Received on Tue Sep 07 2010 - 04:51:10 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART