03-07-2014 09:06 PM - edited 03-04-2019 10:32 PM
Hi,
Currently I am using ebgp multihop & plan to use the Time to Live Security Check feature, but below are my queries
Existing config
neighbor *** ebgp-multihop 10
Show ip bgp output
Connections established 3; dropped 2
Last reset 6w0d, due to Admin. shutdown
External BGP neighbor may be up to 10 hops away.
Query
1) What ttl value we need to put (10 or 245 in the config)
2) Is this feature limited to Cisco or does it support Juniper (remote end EBGP speaker) -- pls confirm, as per my understanding it does not support Juniper
3) Will this feature have any problem if my intermediate non-BGP router towards my ISP is not Cisco -- pls confirm, as per my understanding it should
4) If I use this feature, will I get the multihop feature as complimentary -- pls confirm, as per my understanding it should
5) What are the major benefit for this
Br/
03-08-2014 10:14 AM
Hi,
1) The parameter on the "neighbor ttl-security hops
http://www.cisco.com/c/en/us/td/docs/ios/12_2s/feature/guide/fs_btsh.html#wp1027258
2) Although it is not as straightforward in JUNOS, it looks like GTSM (RFC5082) is nevertheless supported.
3) The intermediary routers simply need to support IP forwarding.
4) Yes. The "neighbor ttl-security" and "neighbor ebgp-multihop" are mutually exclusive.
5) This is normally used for neighbors that are directly connected. It ensures that BGP control messages arrive at the target router with a TTL of 255, which prevents remote routers from connecting to it.
Regards
03-08-2014 10:50 PM
Wow, I just wrote for this a lot and when I hit save just timeout. NO WAY!!!
1) What ttl value we need to put (10 or 245 in the config)
A/ 10 is the answer. It will always be how many hops away from the eBGP peer you are.
2) this feature limited to cisco or it is supporting Juniper( remote end EBGP speaker) -- pls confirm as per my understnading it not support Juniper
A/
It is supported on Junos as well (you will need to run a regular input filter and apply it to one of your loopback interfaces so it gets applied down to the control plane of the Junos box).
(Note that the command used for this kind of protection is ttl-except if I am not mistaken).
As an interesting note, this is a unidirectional feature, so there is no requirement to have it set on the other side. I mean you can have EBGP multihop on one side and this TTL security check on the other.
3) This feature will be having any problem if my intermediate non-BGP router towards my ISP is not having Cisco-- pls confirm as per my understnading it should
A/ Not at all, no need for the routers in between to even be BGP aware.
4) If I use this feature, will I get multihop feature as complimentary -- pls confirm as per my understnading it should
No, you will need to disable EBGP multihop. You will get something like "Remove ebgp-multihop before configuring ttl-security"
Remember that the whole idea of this feature is to protect your Core Edge router control-plane from packets that have been modified by an attacker in order to appear directly connected or whatever its needed.
5) What are the major benefit for this
A/ Higher protection to your Core Router Control-Plane.
Hope that I could help
Jcarvaja
http://laguiadelnetworking.com
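To make the "10 or 245" point and the ebgp-multihop vs ttl-security difference concrete, here is a small added model (not code from the thread or from Cisco) of the inbound TTL check as Cisco documents it for "neighbor X ttl-security hops N": accept only packets whose IP TTL is at least 255 minus N. The scenario values (ISP peer 10 hops away, a far-away spoofed sender) are constructed for illustration.

```python
"""Model of the GTSM (RFC 5082) inbound TTL check behind 'neighbor X ttl-security hops N',
compared with 'neighbor X ebgp-multihop N'. Added illustration; constructed scenario."""

MAX_TTL = 255


def min_accepted_ttl(hops: int) -> int:
    """Cisco's documented rule: with 'ttl-security hops N' the router only accepts
    BGP packets whose IP TTL is >= 255 - N. So 'hops 10' means TTL 245 or higher."""
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be 1..254")
    return MAX_TTL - hops


def outbound_ttl(mode: str, hops: int) -> int:
    """TTL the local router writes into its own BGP packets for the session."""
    if mode == "ttl-security":
        return MAX_TTL  # GTSM peers always send the maximum TTL
    if mode == "ebgp-multihop":
        return hops  # multihop only raises the outgoing TTL from 1 to N
    raise ValueError(mode)


def arriving_ttl(sent_ttl: int, intermediate_routers: int):
    """TTL seen by the receiving router: each transit router decrements by one,
    the destination itself does not. None means the packet expired in transit."""
    ttl = sent_ttl - intermediate_routers
    return ttl if ttl > 0 else None


def accept_inbound(mode: str, hops: int, received_ttl) -> bool:
    """Does the receiving router's session configuration accept this packet's TTL?"""
    if received_ttl is None:
        return False  # expired in transit, never reached us
    if mode == "ttl-security":
        return received_ttl >= min_accepted_ttl(hops)
    return True  # ebgp-multihop performs no inbound TTL check at all


def simulate(mode: str, hops: int, intermediate_routers: int, sender_ttl: int = MAX_TTL) -> bool:
    """A sender `intermediate_routers` routers away emits a packet with `sender_ttl`.
    A spoofer can choose 255 but cannot stop the transit routers decrementing it."""
    return accept_inbound(mode, hops, arriving_ttl(sender_ttl, intermediate_routers))


if __name__ == "__main__":
    # Constructed scenario: ISP peer 10 hops away (9 transit routers), spoofer 30 routers away.
    for mode in ("ebgp-multihop", "ttl-security"):
        print(mode, "peer accepted:", simulate(mode, 10, 9), "far spoofer accepted:", simulate(mode, 10, 30))
```

Running it shows the legitimate peer passing under both modes, while the far-away sender is only rejected under ttl-security, which is the extra protection described above.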
03-09-2014 12:40 AM
Hi,
Pls confirm if I enable ttl security, I need to disable ebgp-multihop, as presently I am using ebgp-multihop -- how to do this
Means, if I enable ttl, will I get the same facility like ebgp-multihop + ttl sec feature or not
if not -- then how can I solve ebgp-multihop as the ISP router is not directly connected with our router (intermediate hop is present)
Br/Subhojhit
03-09-2014 06:11 PM
Hello,
You will need to disable ebgp-multihop in order to use TTL-Security.
TTL-Security is stronger than eBGP-multihop, so yes you can disable that and enable TTL-Security while accomplishing the same result of establishing the eBGP session but being more secure.
Regards,
Remember to rate all of the posts
Jcarvaja
03-10-2014 08:58 PM
Hi,
So we need to enable this feature on both routers (Customer end & ISP end)?
What happens if we enable the ttl feature only on the client side & the ISP side is having ebgp-multihop?
Will ttl feature work in incoming direction ?
Any performance issue can happen ?
Br/Subhojit
03-10-2014 11:13 AM
Any other question?