12-24-2018 05:10 AM
Hi All,
I have a doubt regarding the BGP TTL security feature. Cisco docs state that enabling ttl security for eBGP sessions has no effect on the outgoing IP packets, but at the same time they also mention that the feature needs to be enabled on both routers. The requirement that this feature needs to be enabled on the remote router as well leads me to believe that this feature does have an effect on the outgoing IP packets, because the neighbor x.x.x.x ttl-security hops x command results in the router generating IP packets with the TTL value set to 255. Without this command, the outgoing IP packets are sent with the TTL set to 1.
From the docs:
This feature should be configured on each participating router. It secures the BGP session in the incoming direction only and has no effect on outgoing IP packets or the remote router.
Seems like the two statements above contradict each other. Moreover, the docs only mention that the command should be configured on both ends, but don't mention the reason why. I'm probably missing something here. Any inputs appreciated.
Thanks
Sarah
12-24-2018 07:59 AM
Hi Sarah,
I don't think you need to have the TTL security configured on both sides. But if you have a multihop session, on the remote router you should still use "neighbor ebgp-multihop". From the following document you can see that the feature is more effective when it is configured on both sides:
"To maximize the effectiveness of this feature, we recommend that you configure it on each participating router"
https://www.cisco.com/c/en/us/td/docs/ios/12_2sx/feature/guide/fsxebtsh.pdf
12-24-2018 11:26 PM
Hi Sarah,
@sarahanand wrote: Cisco docs state that enabling ttl security for eBGP sessions has no effect on the outgoing IP packets but at the same time they also mention that the feature needs to be enabled on both routers.
.....
Moreover, the docs only mention that the command should be configured on both ends, but don't mention the reason why. I'm probably missing something here. Any inputs appreciated.
Thanks
Sarah
You need to configure ttl-security on both routers; WHY?
Let's assume we have four routers: RouterA <--> RouterB <--> RouterC <--> RouterD, and we want to create ebgp peering between RouterA and RouterD.
If you configure neighbor x.x.x.x ttl-security hops 3 on one end (RouterA) and you do not configure it on the other end (RouterD), then the two routers will never become ebgp peers. The first packet from RouterD will be dropped on RouterC with a "TTL expired in transit" message (assuming you configure neighbor y.y.y.y disable-connected-check on RouterD).
There are two solutions for the above problem:
1) To configure neighbor y.y.y.y ttl-security hops 3 on RouterD.
2) The second alternative is to configure neighbor y.y.y.y ebgp-multihop 255 on RouterD. Remember that this solution will not secure the BGP session in the incoming direction, and, as a result, is not a good alternative.
HTH,
Meheretab
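As an added illustration (not from the thread or from Cisco), the following Python model plays out the RouterA <--> RouterB <--> RouterC <--> RouterD scenario above: what TTL each side sends under plain eBGP, ttl-security, and ebgp-multihop, and what the receiving router accepts. The router names and the "hops 3" value are the thread's own; the helper names, the packet simulation, and the acceptance rule (modelled as the Cisco-documented check "arriving TTL >= 255 - hops") are assumptions made here.

```python
# Toy model of eBGP TTL security (GTSM) on the A-B-C-D path from the thread.
# Constructed example: helper names and packets are made up for illustration.

MAX_TTL = 255


def forward(ttl, transit_hops):
    """Decrement TTL once per transit router. Return the arriving TTL,
    or None if a transit router had to drop it (TTL expired in transit)."""
    for _ in range(transit_hops):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def sent_ttl(sender_cfg):
    """TTL a router puts on its outgoing eBGP packets for a given config."""
    if "ttl_security_hops" in sender_cfg:
        return MAX_TTL                      # ttl-security: always send 255
    if "ebgp_multihop" in sender_cfg:
        return sender_cfg["ebgp_multihop"]  # neighbor ... ebgp-multihop N
    return 1                                # plain directly-connected eBGP


def accepts(receiver_cfg, arriving_ttl):
    """Incoming-direction check. With 'ttl-security hops N' the packet must
    arrive with TTL >= 255 - N (assumed Cisco rule); otherwise the packet
    only needs to have arrived at all (no TTL-based protection)."""
    if arriving_ttl is None:
        return False
    if "ttl_security_hops" in receiver_cfg:
        return arriving_ttl >= MAX_TTL - receiver_cfg["ttl_security_hops"]
    return True


def session_packet_ok(sender_cfg, receiver_cfg, transit_hops=2):
    """One direction of the A<->D session; RouterB and RouterC are the two
    transit routers. Returns True if the receiver accepts the packet."""
    return accepts(receiver_cfg, forward(sent_ttl(sender_cfg), transit_hops))


def distant_sender_ok(receiver_cfg, transit_hops):
    """A sender further away than the real peer: it can send at most 255,
    so every extra transit router lowers the arriving TTL below the bar."""
    return accepts(receiver_cfg, forward(MAX_TTL, transit_hops))


if __name__ == "__main__":
    ttl_sec = {"ttl_security_hops": 3}
    print(session_packet_ok(ttl_sec, ttl_sec))          # both sides: True
    print(session_packet_ok({}, ttl_sec))               # D plain: False
    print(session_packet_ok({"ebgp_multihop": 255}, ttl_sec))  # True
```

Running it reproduces the thread's three cases: both sides with ttl-security succeed, a plain RouterD has its TTL-1 packet dropped at RouterC, and ebgp-multihop 255 on RouterD lets the session come up while leaving RouterD's own incoming direction unprotected.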