perspective of the TTL :-)
As TTL starts from 255 going down, essentially both explanations are the same.
The meaning is that if you set ttl-security of 4 and the router trying to
establish a neighbor is 5 hops away, it will not be able to do so.
On Tue, Sep 7, 2010 at 6:16 AM, shiran guez <shiranp3_at_gmail.com> wrote:
> Correction to what I said about ttl-security:
>
> With ttl-security the router tests *incoming* packets to see how many hops
> away they are, and if they are *below* the TTL you specified it will not
> establish a neighbor relation with them.
>
> This means that if you have set ttl-security to 4 the router will accept only TTL
> <= 251 (255 - 4)
>
> On Tue, Sep 7, 2010 at 4:51 AM, shiran guez <shiranp3_at_gmail.com> wrote:
>
>>  ttl-security is essentially the opposite of ebgp-multihop. To
>> establish an eBGP neighbor you need to be directly connected, or if you are
>> either several hops away or you utilize a virtual interface such as
>> the loopback, you must use ebgp-multihop to allow your router to send a
>> packet out with a greater TTL, thereby allowing the packet to reach
>> the desired neighbor.
>>
>> With ttl-security the router tests *incoming* packets to see how many hops
>> away they are, and if they are above the TTL you specified it will not
>> establish a neighbor relation with them.
>>
>> So as you can see, when you enabled ttl-security you simply prevented
>> your router from establishing a neighbor relation.
>>
>> On Mon, Sep 6, 2010 at 11:45 PM, Edward John <
>> edwardjohn2020_at_googlemail.com> wrote:
>>
>>> Hi,
>>>
>>> Is there a relation between TTL-security in a BGP neighbor and route selection
>>> from the BGP table?
>>> I have an eBGP peering (based on loopback source, where loopback
>>> reachability is using IGP-ISIS).
>>>
>>> If I configure ebgp-multihop I see the routes are chosen as best from the BGP
>>> table. And if I configure ttl-security, routes are not chosen and are shown as
>>> nexthop inaccessible?
>>> In both cases the peer is coming up.
>>>
>>> Setup is as follows:
>>>
>>> PE1 - ASBR1
>>>
>>> ***********PE1 Config**************
>>>
>>> hostname PE1
>>> !
>>> !
>>> key chain ISIS
>>>  key 1
>>>  key-string CISCO
>>> !
>>> interface Loopback0
>>>  ip address 10.1.1.1 255.255.255.255
>>>  ip pim sparse-dense-mode
>>>  no clns route-cache
>>> !
>>> interface Loopback1
>>>  ip address 11.11.11.11 255.255.255.0
>>>  no clns route-cache
>>> !
>>> !
>>> interface Serial2/0
>>>  dampening 25 500 100 100 restart 120
>>>  mtu 17000
>>>  no ip address
>>>  encapsulation frame-relay
>>>  no keepalive
>>>  serial restart-delay 0
>>>  no frame-relay inverse-arp
>>> !
>>> interface Serial2/0.100 multipoint
>>>  ip address 172.16.111.1 255.255.255.0
>>>  ip router isis
>>>  frame-relay map ip 172.16.111.2 100 broadcast
>>>  frame-relay map ip 172.16.111.1 100
>>>  frame-relay map clns 100 broadcast
>>>  frame-relay interface-dlci 100
>>>  no frame-relay inverse-arp
>>>  clns mtu 9216
>>>  isis circuit-type level-2-only
>>>  isis authentication mode md5 level-2
>>>  isis authentication key-chain ISIS level-2
>>>  isis hello-interval 58 level-2
>>> !
>>> !
>>> router isis
>>>  net 48.0000.0002.0002.00
>>>  area-password iementor
>>>  authentication mode md5 level-2
>>>  authentication key-chain ISIS level-2
>>>  metric-style wide
>>>  no hello padding multi-point
>>>  redistribute isis ip level-2 into level-1 distribute-list 100
>>>  passive-interface Loopback0
>>>  default-information originate
>>> !
>>> !
>>> router bgp 65001
>>>  bgp router-id 10.1.1.1
>>>  no bgp fast-external-fallover
>>>  bgp log-neighbor-changes
>>>  neighbor 10.1.1.100 remote-as 100
>>>  neighbor 10.1.1.100 ebgp-multihop 2
>>>  neighbor 10.1.1.100 update-source Loopback0
>>>  neighbor 10.1.1.254 remote-as 65001
>>>  neighbor 10.1.1.254 update-source Loopback0
>>>  !
>>>  address-family ipv4
>>>  neighbor 10.1.1.100 activate
>>>  neighbor 10.1.1.254 activate
>>>  neighbor 140.100.1.2 activate
>>>  neighbor 140.100.1.2 filter-list 10 out
>>>  no auto-summary
>>>  no synchronization
>>>  network 11.11.11.0 mask 255.255.255.0
>>>  exit-address-family
>>> !
>>> !
>>> ip as-path access-list 10 permit ^$
>>> !
>>> access-list 100 permit ip any any
>>> !
>>> !
>>>
>>> PE1#show  ip bgp | include 10.1.1.100
>>> *> 0.0.0.0          10.1.1.100                             0 100 200 i
>>> *> 101.101.101.0/24 10.1.1.100               0             0 100 i
>>> r> 172.16.111.0/24  10.1.1.100               0             0 100 i
>>> *> 172.16.113.0/24  10.1.1.100                             0 100 200 i
>>> PE1#
>>>
>>>
>>> ***********ASBR1 Config****************
>>> hostname ASBR1
>>> !
>>>
>>> key chain ISIS
>>>  key 1
>>>  key-string CISCO
>>> !
>>> !
>>> interface Serial1/2
>>>  mtu 9216
>>>  ip address 172.16.111.2 255.255.255.0
>>>  ip router isis
>>>  encapsulation frame-relay
>>>  no keepalive
>>>  serial restart-delay 0
>>>  no arp frame-relay
>>>  frame-relay map ip 172.16.111.1 100 broadcast
>>>  frame-relay map ip 172.16.111.2 100 broadcast
>>>  frame-relay map clns 100 broadcast
>>>  frame-relay interface-dlci 100
>>>  no frame-relay inverse-arp
>>>  isis circuit-type level-2-only
>>>  isis authentication mode md5 level-2
>>>  isis authentication key-chain ISIS level-2
>>>  isis hello-interval 58 level-2
>>>  no isis hello padding
>>> !
>>> !
>>> router isis
>>>  net 48.0000.0100.0100.00
>>>  authentication mode md5 level-2
>>>  authentication key-chain ISIS level-2
>>>  metric-style wide
>>>  max-lsp-lifetime 120
>>>  lsp-refresh-interval 60
>>>  log-adjacency-changes
>>>  passive-interface Loopback0
>>> !
>>> router bgp 100
>>>  no synchronization
>>>  bgp router-id 10.1.1.100
>>>  bgp log-neighbor-changes
>>>  network 101.101.101.0 mask 255.255.255.0
>>>  network 172.16.111.0 mask 255.255.255.0
>>>  neighbor 10.1.1.1 remote-as 65001
>>>  neighbor 10.1.1.1 ebgp-multihop 2
>>>  neighbor 10.1.1.1 update-source Loopback0
>>>  neighbor 10.1.1.200 remote-as 200
>>>  neighbor 10.1.1.200 disable-connected-check
>>>  neighbor 10.1.1.200 update-source Loopback0
>>>  neighbor 10.1.1.200 route-map PREPEND out
>>>  no auto-summary
>>> !
>>> !
>>> route-map PREPEND permit 10
>>>  set as-path prepend 65535
>>> !
>>>
>>>
>>> If I change to ttl-security instead of ebgp-multihop for the peer between
>>> 10.1.1.100 & 10.1.1.1:
>>>
>>>
>>> *********FROM PE1*********
>>> router bgp 65001
>>>  bgp router-id 10.1.1.1
>>>  no bgp fast-external-fallover
>>>  bgp log-neighbor-changes
>>>  neighbor 10.1.1.100 remote-as 100
>>>  neighbor 10.1.1.100 ttl-security hops 2
>>>  neighbor 10.1.1.100 update-source Loopback0
>>>  neighbor 10.1.1.254 remote-as 65001
>>>  neighbor 10.1.1.254 update-source Loopback0
>>>
>>> ***********FROM ASBR1**********
>>> !
>>> router bgp 100
>>>  no synchronization
>>>  bgp router-id 10.1.1.100
>>>  bgp log-neighbor-changes
>>>  network 101.101.101.0 mask 255.255.255.0
>>>  network 172.16.111.0 mask 255.255.255.0
>>>  neighbor 10.1.1.1 remote-as 65001
>>>  neighbor 10.1.1.1 ttl-security hops 2
>>>  neighbor 10.1.1.1 update-source Loopback0
>>> !
>>> PE1#show ip bgp summary
>>> BGP router identifier 10.1.1.1, local AS number 65001
>>> BGP table version is 33, main routing table version 33
>>> 26 network entries using 2938 bytes of memory
>>> 26 path entries using 1352 bytes of memory
>>> 13/10 BGP path/bestpath attribute entries using 1404 bytes of memory
>>> 2 BGP rrinfo entries using 48 bytes of memory
>>> 5 BGP AS-PATH entries using 120 bytes of memory
>>> 0 BGP route-map cache entries using 0 bytes of memory
>>> 10 BGP filter-list cache entries using 120 bytes of memory
>>> BGP using 5982 total bytes of memory
>>> BGP activity 156/130 prefixes, 177/151 paths, scan interval 60 secs
>>>
>>> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
>>> 10.1.1.100      4   100     342     367       33    0    0 00:02:30        4
>>> 10.1.1.254      4 65001     326     277       33    0    0 00:22:29       12
>>> 140.100.1.2     4  1540     281     316       33    0    0 00:22:29        9
>>> PE1#show  ip bgp | include 10.1.1.100
>>> *  0.0.0.0          10.1.1.100                             0 100 200 i
>>> *  101.101.101.0/24 10.1.1.100               0             0 100 i
>>> *  172.16.111.0/24  10.1.1.100               0             0 100 i
>>> *  172.16.113.0/24  10.1.1.100                             0 100 200 i
>>>
>>> PE1#show  ip bgp 101.101.101.0
>>> BGP routing table entry for 101.101.101.0/24, version 0
>>> Paths: (1 available, no best path)
>>>  Not advertised to any peer
>>>  100
>>>    10.1.1.100 *(inaccessible)* from 10.1.1.100 (10.1.1.100)
>>>      Origin IGP, metric 0, localpref 100, valid, external
>>>
>>>
>>> --
>>>
>>> *Regards,*
>>> *John*
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> Shiran Guez
>> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
>> http://cciep3.blogspot.com
>> http://www.linkedin.com/in/cciep3
>> http://twitter.com/cciep3
>>
>
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3
>
--
Shiran Guez
MCSE CCNP NCE1 JNCIA-ER CCIE #20572
http://cciep3.blogspot.com
http://www.linkedin.com/in/cciep3
http://twitter.com/cciep3

Blogs and organic groups at http://www.ccie.net

Received on Tue Sep 07 2010 - 06:25:38 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART
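
The TTL handling selected by the two neighbor options discussed in this thread, as an added example that is not part of the original messages. It assumes Cisco's documented behaviour: an eBGP session sends with TTL 1 by default, `ebgp-multihop N` sends with TTL N, and `ttl-security hops N` sends with TTL 255 and accepts only packets arriving with TTL >= 255 - N; the two options are mutually exclusive on one neighbor. The sample stanza, the 192.0.2.9 neighbor and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the thread's PE1 stanza; not device output.
SAMPLE = """\
router bgp 65001
 neighbor 10.1.1.100 remote-as 100
 neighbor 10.1.1.100 ttl-security hops 2
 neighbor 10.1.1.100 update-source Loopback0
 neighbor 10.1.1.254 remote-as 65001
 neighbor 10.1.1.254 update-source Loopback0
 neighbor 192.0.2.9 remote-as 300
 neighbor 192.0.2.9 ebgp-multihop 2
 neighbor 192.0.2.9 ttl-security hops 2
"""

NEIGHBOR = re.compile(
    r"^\s*neighbor (\S+) (remote-as|ebgp-multihop|ttl-security hops)\s*(\d*)\s*$")

def ttl_policy(config):
    """Return {neighbor: TTL policy} for each eBGP neighbor of one 'router bgp' stanza."""
    local_as, peers = None, {}
    for line in config.splitlines():
        m = re.match(r"^router bgp (\d+)", line)
        if m:
            local_as = int(m.group(1))
            continue
        m = NEIGHBOR.match(line)
        if m:
            ip, key, val = m.groups()
            # A bare 'ebgp-multihop' carries no number; the TTL is then 255.
            peers.setdefault(ip, {})[key] = int(val) if val else 255
    out = {}
    for ip, p in peers.items():
        if p.get("remote-as") == local_as:
            continue  # iBGP peer: neither option applies
        gtsm, multihop = p.get("ttl-security hops"), p.get("ebgp-multihop")
        out[ip] = {
            "send_ttl": 255 if gtsm is not None else (multihop or 1),
            "min_recv_ttl": 255 - gtsm if gtsm is not None else None,
            # Mutually exclusive options: flag in templates before pushing them.
            "conflict": gtsm is not None and multihop is not None,
        }
    return out

def accepted(policy, recv_ttl):
    """Receive-side check: a packet below the TTL floor is discarded."""
    floor = policy["min_recv_ttl"]
    return floor is None or recv_ttl >= floor
```
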