Cisco Support Community
Roadmap, BGP ttl-security

Hi All

I would like to know when the LAN switches 3750ME and 3550 will start to support the BGP neighbor ttl-security feature.

Thank you, Susanne

1 REPLY
Anonymous

Re: Roadmap, BGP ttl-security

BGP TTL Security Check is new BGP functionality that provides better protection against BGP session spoofing.

This feature enables checking of TTL values on BGP packets from peers. Also, when this feature is configured, all TCP packets from BGP will be sent out with a TTL value of 255. All incoming TCP packets for BGP will be checked for a TTL value that is greater than or equal to the configured incoming-ttl value.

For most cases, since the peer is just one hop away, the incoming-ttl value will be configured as 254. If the EBGP peer is multiple hops away, then the incoming-ttl value should be configured to allow all required paths between the two peers.

Configuration:

Enable the BTSH feature via

[no] neighbor x.x.x.x incoming-ttl <value>

<value> can be in the range 0-255.

The value should represent the lower bound on the TTL value expected from the peer. In the case of peers that are directly connected, the value would be 254. In the EBGP multihop case, the value should accommodate all required paths to the peer. Also, note that EBGP multihop and incoming-ttl are mutually exclusive features. Only one of them may be configured for each neighbor.

You can use the image c3550-i9q3l2-mz.122-25.SEA.bin on the 3550 switch, which supports the BGP ttl-security feature.
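The receiver-side check described in the reply above, written out as an added example (this is not Cisco code and not part of the original post). It models the behaviour the reply states: every outgoing BGP segment is sent with TTL 255, a directly connected peer is configured with a lower bound of 254, a multihop peer gets a lower bound that accommodates all required paths, and incoming-ttl and EBGP multihop cannot both be configured for one neighbor. The neighbor table, the hop counts and the (source, TTL) segment records are constructed for illustration; the helper names are my own.

```python
"""Model of the BGP TTL security check described in the reply.

Constructed example, not Cisco's implementation. The neighbors and
the incoming segment records below are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_TTL = 255  # TTL that every outgoing BGP TCP segment is sent with


@dataclass
class Neighbor:
    address: str
    incoming_ttl: Optional[int] = None  # lower bound from "neighbor x.x.x.x incoming-ttl <value>"
    ebgp_multihop: bool = False         # "neighbor x.x.x.x ebgp-multihop", mutually exclusive


def validate_neighbor(n: Neighbor) -> None:
    """Reject the neighbor configurations the reply says are not allowed."""
    if n.incoming_ttl is not None and not 0 <= n.incoming_ttl <= MAX_TTL:
        raise ValueError(f"{n.address}: incoming-ttl must be in the range 0-255")
    if n.incoming_ttl is not None and n.ebgp_multihop:
        raise ValueError(f"{n.address}: incoming-ttl and ebgp-multihop are mutually exclusive")


def incoming_ttl_for_hops(hops: int) -> int:
    """Lower bound to configure for a peer at most `hops` router hops away.

    A segment sent with TTL 255 loses one per hop, so a directly connected
    peer (1 hop) yields 254, exactly the value the reply gives.
    """
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be in the range 1-255")
    return MAX_TTL - hops


def accept_bgp_segment(n: Neighbor, ttl: int) -> bool:
    """Receiver-side check: accept only if TTL >= the configured lower bound.

    A neighbor with no incoming-ttl configured is not checked at all.
    """
    if n.incoming_ttl is None:
        return True
    return ttl >= n.incoming_ttl


def filter_segments(neighbors: List[Neighbor],
                    segments: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Apply the check to (source, ttl) records; unknown sources are dropped."""
    by_addr = {n.address: n for n in neighbors}
    verdicts = []
    for src, ttl in segments:
        n = by_addr.get(src)
        ok = n is not None and accept_bgp_segment(n, ttl)
        verdicts.append((src, ttl, "accept" if ok else "drop"))
    return verdicts


# Constructed neighbor table: one directly connected peer, one peer
# reachable over at most 5 hops, neither of them using ebgp-multihop.
NEIGHBORS = [
    Neighbor("192.0.2.1", incoming_ttl=incoming_ttl_for_hops(1)),     # 254
    Neighbor("198.51.100.7", incoming_ttl=incoming_ttl_for_hops(5)),  # 250
]

# Constructed incoming segments: (source address, TTL on arrival).
SEGMENTS = [
    ("192.0.2.1", 255),     # genuine directly connected peer
    ("192.0.2.1", 252),     # claims to be the direct peer but is 3 hops away
    ("198.51.100.7", 251),  # multihop peer, within the allowed paths
    ("198.51.100.7", 240),  # too far away for the configured bound
    ("203.0.113.9", 255),   # not a configured neighbor at all
]

if __name__ == "__main__":
    for n in NEIGHBORS:
        validate_neighbor(n)
    for src, ttl, verdict in filter_segments(NEIGHBORS, SEGMENTS):
        print(f"{src:<14} ttl={ttl:<3} {verdict}")
```

The point the reply makes is visible in the second record: a segment that has already crossed several routers cannot arrive with a TTL of 254 or more, so it fails the check even though its source address matches the configured peer, which is why the lower bound for a directly connected peer should stay at 254 rather than being relaxed.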
