BGP ttl-security hops and traceroute

Adam Soukup
Level 1

My router is peered to another via BGP. Pings are allowed but traceroute is not. I am trying to implement ttl security hops, but the configuration causes my peers to drop. It doesn't matter if I set the hop count from 1 to 250, same results. Is traceroute traffic required to use this feature?

1 Accepted Solution

Harold Ritter
Cisco Employee

Hi @Adam Soukup,

"Is traceroute traffic required to use this feature?"

Traceroute is not used or required by this feature.

Make sure you configure "neighbor x.x.x.x ttl-security" on both neighbors. If the neighbors are directly connected, you need to use "neighbor x.x.x.x ttl-security hops 1" on both sides.

The issue with running the ttl-security only on one side is that the eBGP neighbor not configured with this feature will send a TTL of 1 by default instead of the TTL of 255 that is sent when the ttl-security feature is configured. This will cause the neighbor configured with the ttl-security feature to silently drop the packets, and the BGP session will not come up.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
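As an added illustration (not part of this thread and not Cisco code), the following Python model shows the receive-side check that ttl-security performs and why a one-sided configuration fails regardless of the hop count. The names Peer, deliver, diagnose and session_comes_up are chosen for this example; the rule it applies (sender uses TTL 255, receiver accepts only TTL >= 255 - hops) is the GTSM behaviour from RFC 5082 that the feature implements, and the default eBGP TTL of 1 is the one Harold refers to above.

```python
# Added example, not from the forum thread or from Cisco: a minimal model of
# the BGP ttl-security (GTSM, RFC 5082) check. Class and function names are
# assumptions for this illustration.

from dataclasses import dataclass
from typing import List, Optional

MAX_TTL = 255          # TTL a peer sends with when ttl-security is configured
DEFAULT_EBGP_TTL = 1   # default TTL of eBGP packets without ttl-security


@dataclass
class Peer:
    name: str
    ttl_security_hops: Optional[int] = None  # None = feature not configured

    def outgoing_ttl(self) -> int:
        """TTL this peer puts on the BGP packets it sends."""
        if self.ttl_security_hops is not None:
            return MAX_TTL
        return DEFAULT_EBGP_TTL

    def minimum_accepted_ttl(self) -> int:
        """Lowest received TTL this peer will accept."""
        if self.ttl_security_hops is None:
            return 1  # no check beyond the packet having arrived at all
        return MAX_TTL - self.ttl_security_hops

    def accepts(self, received_ttl: int) -> bool:
        """GTSM receive check: a packet from a nearby peer still has a high TTL."""
        return received_ttl >= self.minimum_accepted_ttl()


def deliver(sender: Peer, receiver: Peer, intermediate_routers: int = 0) -> bool:
    """Send one BGP packet; every intermediate router decrements the TTL.
    Returns True if the receiver accepts it, False if it is silently dropped."""
    ttl = sender.outgoing_ttl() - intermediate_routers
    if ttl <= 0:
        return False  # TTL expired in transit
    return receiver.accepts(ttl)


def diagnose(a: Peer, b: Peer, intermediate_routers: int = 0) -> List[str]:
    """One line per direction in which packets would be dropped (empty = healthy)."""
    problems = []
    for sender, receiver in ((a, b), (b, a)):
        if not deliver(sender, receiver, intermediate_routers):
            problems.append(
                f"{receiver.name} drops packets from {sender.name}: received TTL "
                f"{sender.outgoing_ttl() - intermediate_routers}, "
                f"needs >= {receiver.minimum_accepted_ttl()}"
            )
    return problems


def session_comes_up(a: Peer, b: Peer, intermediate_routers: int = 0) -> bool:
    """A BGP session needs packets accepted in both directions."""
    return not diagnose(a, b, intermediate_routers)


if __name__ == "__main__":
    # Constructed scenarios for two directly connected eBGP peers.
    scenarios = {
        "both sides: ttl-security hops 1": (Peer("R1", 1), Peer("R2", 1)),
        "only R1: ttl-security hops 1":     (Peer("R1", 1), Peer("R2")),
        "only R1: ttl-security hops 250":   (Peer("R1", 250), Peer("R2")),
        "neither side configured":          (Peer("R1"), Peer("R2")),
    }
    for label, (r1, r2) in scenarios.items():
        state = "up" if session_comes_up(r1, r2) else "down"
        print(f"{label}: session {state}")
        for line in diagnose(r1, r2):
            print("   ", line)
```

Running the script shows the symptom from the question: with ttl-security on one side only, the unconfigured peer keeps sending TTL 1, which is below 255 - hops for any hop count the command accepts, so the configured side drops every packet and the session stays down whether hops is 1 or 250.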


3 Replies

Adam Soukup
Level 1

Thank you Harold, perfect explanation. It sounds like I will need to coordinate with peer router owners. Thanks again.

You are very welcome, Adam.

Harold Ritter