Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

BGP Time to Live Security Check

                   Hi,

Currently I am using ebgp multihop & plan to use Time to Live Security Check feature, but below are my qyery

Exisiting config

neighbor *** ebgp-multihop 10

Show ip bgp output

  Connections established 3; dropped 2

  Last reset 6w0d, due to Admin. shutdown

  External BGP neighbor may be up to 10 hops away.

Query

1) What ttl value we need to put (10 or 245 in the config)

2) this feature limited to cisco or it is supporting Juniper( remote end EBGP speaker) -- pls confirm as per my understnading it not support Juniper

3) This feature will be having any problem if my intermediate non-BGP router towards my ISP is not having Cisco-- pls confirm as per my understnading it should

4) If I use this feature, will I get multihop feature as complimentary -- pls confirm as per my understnading it should

5) What are the major benefit for this

Br/

  • WAN Routing and Switching
6 REPLIES
Cisco Employee

BGP Time to Live Security Check

Hi,

1) The parameter on the "neighbor ttl-security hops " is the number of hops not the TTL. The number for a directly connected neighbor would be 1. Please refer to the documentation for more information.

http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fs_btsh.html#wp1027258

2) Although it is not as straightforward in JUNOS, it looks like GTSM (RFC5082) is nevertheless supported.

3) The intermediary routers simply need to support IP forwarding.

4) Yes. The "neighbor tt-security" and "neighbor ebgp-multihop" are mutually exclusive.

5) This is normally used for neighbors that are directly connected. It insures that BGP control messages arrive at the target router with a TTL of 255, which prevents remote routers to connect to it.

Regards

Wow, I just wrote for this a

Wow, I just wrote for this a lot and when I hit save just timeout. NO WAY!!!

 

 

1) What ttl value we need to put (10 or 245 in the config)

 

A/ 10 is the answer.It will always be how many hops away from the eBGP peer you are.

 

2) this feature limited to cisco or it is supporting Juniper( remote end EBGP speaker) -- pls confirm as per my understnading it not support Juniper

 

A/

It is supported on Junos as well (U will need to run a regular input filter and apply it to one of ur loopbacks interfaces so it gets applied down to the control plane of the Junos Box

(Note that the command used for this kind of protection is ttl-except if I am not mistaking).

 

As an interesting note, this is an unidirectional feature so there is not a requirement to have it set on the other side. I mean u can have EBGP multihop on one side and this TTL security check on the other.

 

3) This feature will be having any problem if my intermediate non-BGP router towards my ISP is not having Cisco-- pls confirm as per my understnading it should

A/Not at all, no need for the routers in between even BGP aware.

4) If I use this feature, will I get multihop feature as complimentary -- pls confirm as per my understnading it should

 

No, you will need to disable EBGP multihop. U will get something like "Remove ebgp-multihop before configuring ttl-security"

 

Remember that the whole idea of this feature is to protect your Core Edge router control-plane from packets that have been modified by an attacker in order to appear directly connected or whatever its needed.

 

5) What are the major benefit for this

A/ Higher protection to your Core Router Control-Plane.

 

Hope that I could help

 

Jcarvaja

 

http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Hi, Pls confirm if I enable

Hi,

 

Pls confirm if I enable ttl security, I need to disbale ebgp-multihop,as presently I am using ebgp-multihop -- how to do this

 

Means, If i enable tt, will I get the same facility like ebgp-multihop+ ttl sec feature or not

 

if not-- then How can I solve ebgp-multihop as ISP router is not directly connected with our router ( intermediate hop is presnet)

 

Br/Subhojhit

Hello, You will need to

Hello,

 

You will need to disable ebgp-multihop in order to use TTL-Security.

TTL-Security is more stronger than eBGP-multihop so yes u can disable that and enable TTL-Security while accomplising the same result of establishing the eBGP session but being more secure.

 

Regards,

Remember to rate all of the posts

Jcarvaja

 

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Hi, So we need to enable this

Hi,

 

So we need to enable this feature in both the Router ( Customer end & ISP end)

What happen if we enable (ttl feature) only on Cleint side & ISP side is having ebgp-multihop

 

Will ttl feature work in incoming direction ?

 

Any performance issue can happen ?

 

Br/Subhojit

Any other question?

Any other question?

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
317
Views
0
Helpful
6
Replies