BGP TTL-security hops

Unanswered Question
Nov 16th, 2009

Hi guys,

I have a strange issue.

When I configure the BGP hops like below:


lo0--R1--OSPF--R2--OSPF--R3--lo0

R1-----------EBGP--------R3


I used the command ttl-security hops 3 on both sides.

The BGP session is up and established.

The loopbacks advertised in BGP appear in the BGP table,

BUT

they do not appear in the routing table.

In the BGP table it says that the next hop is inaccessible.

However, the next hop is accessible,

because I can ping it, see it in the OSPF routing table,

and the peering is up as well.

The same case with ebgp-multihop works.


By the way, the peering between the EBGP peers is through their loopback addresses.


Any idea?

Mohamed Sobair Mon, 11/16/2009 - 03:05

Hi,


I don't understand...


What's the real problem here? The BGP next hop or something else? If the next hop is not in the routing table, then it would be inaccessible in the BGP table (normal).


The TTL of 3 shouldn't affect your BGP neighbor relationship establishment.



HTH

Mohamed

Marwan ALshawi Mon, 11/16/2009 - 04:24

Hi Mohamed,

The lo0 of both BGP peers is advertised through OSPF

and reachable through the IGP,

but there are some other loopback interfaces advertised through BGP.

They are shown in the BGP table, but as not advertised,

and showing the next hop (the other peer's lo0) as inaccessible.


I would say without TTL 3 no peering will be established, as they are not directly connected EBGP peers.

As I mentioned, this topology works fine if I use the ebgp-multihop command instead of ttl-security.


Is it more clear now?

I found it strange.

Giuseppe Larosa Mon, 11/16/2009 - 07:01

Hello Marwan,

The TTL security mechanism should tell what the expected TTL on a BGP packet received from the peer is, in order to consider it valid.


See


http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bgp_neighor_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1054684


I think you should use both commands if these are eBGP sessions.


Hope to help

Giuseppe

Marwan ALshawi Mon, 11/16/2009 - 14:38

Hi Giuseppe,

According to this link, which I had seen before:

"The neighbor ebgp-multihop command is not needed when this feature is configured for a multihop neighbor session and should be disabled before configuring this feature."


So we can NOT use both of them.

Try it:

when you have ebgp-multihop

and you enter the ttl-security command, it will give an error message telling you that you can't have both of them!


That's why I found it strange, because in terms of TTL in and out all is good; that's why I got my peering session up.

But why does it say the next hop is inaccessible?

I am still wondering.


Anyway, thank you for your time.
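To make the two commands discussed in the posts above concrete, here is an added example (not code from the thread or from Cisco) that models the hop-distance check each one performs. The rule used for ttl-security is the GTSM one from RFC 5082 and the IOS documentation: the sender transmits with TTL 255 and the receiver accepts only packets whose TTL is still >= 255 - hops. The rule used for ebgp-multihop N is that the sender transmits with TTL N and the receiver accepts whatever arrives. "transit" is the number of routers that forward the packet between the two peers (1 for R2 in the lo0--R1--R2--R3--lo0 topology); treating "ebgp-multihop 1" as the default single-hop eBGP behaviour is an assumption of the model, as is the spoofing scenario.

```python
# Added example (not from the thread): model of the receiver-side hop check
# performed under "neighbor X ttl-security hops N" (GTSM, RFC 5082) versus
# "neighbor X ebgp-multihop N" on IOS.
#   ttl-security:  sender TTL = 255, accept if received TTL >= 255 - N
#   ebgp-multihop: sender TTL = N,   accept anything that arrives (TTL >= 1)
# "transit" = number of routers that forward the packet between the peers
# (1 for R2 in lo0--R1--R2--R3--lo0). Assumption: "ebgp-multihop 1" stands
# in for the default directly-connected eBGP behaviour.

MAX_TTL = 255


def sender_ttl(mode, hops):
    """TTL the speaker puts on its outgoing BGP packets."""
    if mode == "ttl-security":
        return MAX_TTL
    if mode == "ebgp-multihop":
        return hops
    raise ValueError(mode)


def receiver_accepts(mode, hops, received_ttl):
    """Receiver-side check on the TTL of an arriving BGP packet."""
    if mode == "ttl-security":
        return received_ttl >= MAX_TTL - hops
    if mode == "ebgp-multihop":
        return received_ttl >= 1
    raise ValueError(mode)


def deliver(initial_ttl, transit):
    """TTL seen by the receiving router after `transit` forwarding routers,
    or None if a transit router decremented it to zero and dropped it."""
    ttl = initial_ttl - transit
    return ttl if ttl >= 1 else None


def session_ok(mode, hops, transit):
    """Would a legitimate peer `transit` routers away get its packets accepted?"""
    ttl = deliver(sender_ttl(mode, hops), transit)
    return ttl is not None and receiver_accepts(mode, hops, ttl)


def spoof_accepted(mode, hops, transit):
    """Would a forged packet from a host `transit` routers away be accepted?
    The attacker controls its own TTL, so it sends the maximum (constructed
    threat scenario, not something the thread discusses)."""
    ttl = deliver(MAX_TTL, transit)
    return ttl is not None and receiver_accepts(mode, hops, ttl)


if __name__ == "__main__":
    for mode, hops in (("ebgp-multihop", 1), ("ebgp-multihop", 2), ("ttl-security", 3)):
        print(f"{mode} {hops}:")
        for transit in range(0, 6):
            print(f"  transit={transit} legitimate peer accepted={session_ok(mode, hops, transit)} "
                  f"spoofed packet accepted={spoof_accepted(mode, hops, transit)}")
```

Running it shows why the original poster's session comes up under either command with one transit router (R2), and the security difference between them: with ebgp-multihop the receiver accepts a spoofed packet from anywhere it can be routed from, while with ttl-security hops 3 anything more than three transit routers away is dropped before the TCP/BGP code ever sees it. Nothing in the model touches next-hop resolution, which is consistent with the thread's observation that the TTL side of the configuration is working.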

Giuseppe Larosa Mon, 11/16/2009 - 23:50

Hello Marwan,

I realized later that I had suggested a wrong idea.


You should verify whether:

the BGP next-hop of the routes is known in the routing table.

This is the standard check, and this has to be there.


I wonder what additional checks can be done on the BGP next-hop by enabling ttl-security.


Looking for the number of router hops to the next-hop would require a traceroute, and that is unlikely.


Hope to help

Giuseppe
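The "standard check" referred to above, as an added example that is not part of the thread: a longest-prefix-match lookup of each BGP next-hop in the routing table, recursed until a connected route is reached, which is what decides whether 'show ip bgp' marks a path accessible. All addresses and RIB contents are constructed for illustration; 3.3.3.3 stands in for R3's lo0 (the eBGP next-hop, learned via OSPF), 33.33.33.33 for one of the extra loopbacks R3 advertises in BGP, and 4.4.4.4 for a next-hop R1 has no route to. The example models only this RIB lookup; it does not model whatever extra condition ttl-security adds, which the thread leaves unresolved.

```python
import ipaddress

# Added example (not from the thread): BGP next-hop reachability check.
# R1's routing table in the lo0--R1--OSPF--R2--OSPF--R3--lo0 topology.
# Addresses and interface names are constructed assumptions.
R1_RIB = {
    "1.1.1.1/32": ("connected", "Loopback0"),
    "10.0.12.0/30": ("connected", "GigabitEthernet0/0"),
    "3.3.3.3/32": ("ospf", "10.0.12.2"),        # R3's lo0 learned via OSPF
    "10.0.23.0/30": ("ospf", "10.0.12.2"),
}

# Paths R1 received from its eBGP peer: prefix -> next-hop (constructed).
R1_BGP = {
    "33.33.33.33/32": "3.3.3.3",   # extra loopback on R3, next-hop R3 lo0
    "44.44.44.44/32": "4.4.4.4",   # next-hop for which R1 has no route
}


def lookup(rib, address):
    """Longest-prefix match of `address` in `rib`; returns (network, entry) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, entry in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def resolve_next_hop(rib, next_hop, max_depth=8):
    """Recursively resolve a BGP next-hop until a connected route is reached.
    Returns the chain of (prefix, protocol, via) entries walked, or None if
    the next-hop is inaccessible (no match, or the recursion never bottoms out)."""
    chain, nh = [], next_hop
    for _ in range(max_depth):
        hit = lookup(rib, nh)
        if hit is None:
            return None
        net, (proto, via) = hit
        chain.append((str(net), proto, via))
        if proto == "connected":
            return chain
        nh = via
    return None


def bgp_route_status(rib, bgp_routes):
    """Per-prefix verdict in the sense of 'show ip bgp': True means the
    next-hop resolved and the path is eligible for the routing table."""
    return {prefix: resolve_next_hop(rib, nh) is not None
            for prefix, nh in bgp_routes.items()}


if __name__ == "__main__":
    for prefix, ok in bgp_route_status(R1_RIB, R1_BGP).items():
        print(prefix, "accessible" if ok else "inaccessible")
```

With this RIB, 33.33.33.33/32 resolves (3.3.3.3 via the OSPF route, then via the connected 10.0.12.0/30 segment) and 44.44.44.44/32 does not. That is the point of Giuseppe's advice: if the next-hop is in the routing table, as the original poster reports for the peer's lo0, this lookup alone does not explain the "inaccessible" flag, so the difference must come from something ttl-security changes beyond it.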
