1) The parameter on the "neighbor ttl-security hops " is the number of hops not the TTL. The number for a directly connected neighbor would be 1. Please refer to the documentation for more information.
Wow, I just wrote a lot for this and when I hit save it just timed out. NO WAY!!!
1) What TTL value do we need to put (10 or 245) in the config?
A/ 10 is the answer. It will always be how many hops away from the eBGP peer you are.
2) Is this feature limited to Cisco, or does it support Juniper (remote-end eBGP speaker)? -- Please confirm; as per my understanding it does not support Juniper.
It is supported on Junos as well (you will need to run a regular input filter and apply it to one of your loopback interfaces so it gets applied down to the control plane of the Junos box).
(Note that the command used for this kind of protection is ttl-except, if I am not mistaken.)
As an interesting note, this is a unidirectional feature, so there is no requirement to have it set on the other side. I mean you can have EBGP multihop on one side and this TTL security check on the other.
3) Will this feature have any problem if my intermediate non-BGP router towards my ISP is not a Cisco? -- Please confirm; as per my understanding it should.
A/ Not at all; there is no need for the routers in between to even be BGP-aware.
4) If I use this feature, will I get the multihop feature as complimentary? -- Please confirm; as per my understanding it should.
No, you will need to disable EBGP multihop. You will get something like "Remove ebgp-multihop before configuring ttl-security"
Remember that the whole idea of this feature is to protect your Core Edge router control plane from packets that have been modified by an attacker in order to appear directly connected, or whatever is needed.
5) What is the major benefit of this?
A/ Higher protection for your Core Router control plane.
Hope that I could help
Looking for some Networking Assistance?
Contact me directly at email@example.com
I will fix your problem ASAP.
Julio Carvajal Segura
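
The "10, not 245" answer above follows from the documented behaviour of the check: with `ttl-security hops N` the router accepts BGP packets only if their TTL is at least 255 minus N. The Python model below is an added example, not part of the original posts; the function names, the constructed scenarios and the one-decrement-per-router path model are assumptions made for illustration.

```python
MAX_TTL = 255  # largest value the 8-bit IP TTL field can carry


def min_accepted_ttl(hops: int) -> int:
    """Lowest arrival TTL accepted for 'neighbor ... ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hops


def arrival_ttl(sent_ttl: int, routers_crossed: int) -> int:
    """TTL left after each forwarding router decrements it by one (simplified model)."""
    if not 0 <= sent_ttl <= MAX_TTL or routers_crossed < 0:
        raise ValueError("invalid TTL or path length")
    return max(sent_ttl - routers_crossed, 0)


def accepted(sent_ttl: int, routers_crossed: int, hops: int) -> bool:
    """True if the packet survives the path and passes the TTL security check."""
    ttl = arrival_ttl(sent_ttl, routers_crossed)
    return ttl > 0 and ttl >= min_accepted_ttl(hops)


def tightest_hops(observed_ttl: int) -> int:
    """Smallest hop count that still admits a peer whose packets arrive with observed_ttl."""
    if not 1 <= observed_ttl <= MAX_TTL:
        raise ValueError("observed TTL must be between 1 and 255")
    return max(MAX_TTL - observed_ttl, 1)


# Constructed scenarios: (label, TTL set by sender, routers crossed on the way)
SCENARIOS = [
    ("peer 10 hops away, sends 255", 255, 10),
    ("sender 11 hops away, sends 255", 255, 11),
    ("sender 30 hops away, sends 255", 255, 30),
    ("peer 10 hops away, sends 64", 64, 10),
]


def evaluate(hops: int):
    """Return (label, arrival TTL, accepted?) for every constructed scenario."""
    return [(label, arrival_ttl(s, r), accepted(s, r, hops)) for label, s, r in SCENARIOS]


if __name__ == "__main__":
    print("hops 10 -> minimum accepted TTL", min_accepted_ttl(10))
    for label, ttl, ok in evaluate(10):
        print(f"{label:32} arrives with TTL {ttl:3} -> {'accept' if ok else 'drop'}")
```

Because no sender can start above 255, anything farther away than the configured hop count arrives below the threshold regardless of the TTL it chooses; `tightest_hops` shows how to derive the smallest workable setting from the TTL actually seen from the legitimate peer.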