BGP ttl-security hops and traceroute

Adam Soukup
Level 1

My router is peered to another via BGP. Pings are allowed but traceroute is not. I am trying to implement ttl security hops, but the configuration causes my peers to drop. It doesn't matter if I set the hop count from 1 to 250, same results. Is traceroute traffic required to use this feature?

Accepted Solution

Harold Ritter
Spotlight

Hi @Adam Soukup,

Is traceroute traffic required to use this feature?

traceroute is not used or required by this feature.

Make sure you configure "neighbor x.x.x.x ttl-security" on both neighbors. If the neighbors are directly connected, you need to use "neighbor x.x.x.x ttl-security hops 1" on both sides.

The issue with running ttl-security only on one side is that the eBGP neighbor not configured with this feature will send a TTL of 1 by default instead of a TTL of 255 when the ttl-security feature is configured. This will cause the neighbor configured with the ttl-security feature to silently drop the packets and the BGP session not to come up.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
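As an added illustration (not part of the thread, and not Cisco's code), here is a small Python model of the TTL-security acceptance check described above: the receiver accepts only packets whose TTL is at least 255 minus the configured hop count, so a peer that still sends the eBGP default TTL of 1 is dropped whatever hop count from 1 to 250 is configured, which matches the behaviour in the question. The per-router TTL decrement and the 1..254 hop range are assumptions of this model.

```python
# Added example: model of the GTSM check behind
# "neighbor x.x.x.x ttl-security hops N". Not from the thread or from Cisco.

MAX_TTL = 255  # TTL sent by a router that has ttl-security configured


def sender_ttl(ttl_security_enabled: bool) -> int:
    """TTL a router sets on packets to an eBGP neighbor.

    Without ttl-security, IOS sends eBGP packets with TTL 1 (the default
    for directly connected peers); with it, TTL 255.
    """
    return MAX_TTL if ttl_security_enabled else 1


def arriving_ttl(sent_ttl: int, routers_away: int) -> int:
    """TTL seen on receipt after each intermediate router decrements it.

    Assumption for this model: a directly connected peer (routers_away=1)
    arrives undecremented; every router in between subtracts one.
    """
    return max(sent_ttl - (routers_away - 1), 0)


def min_accepted_ttl(hops: int) -> int:
    """Lowest arriving TTL accepted for 'ttl-security hops <hops>'."""
    if not 1 <= hops <= 254:  # assumed valid range
        raise ValueError("hops must be in 1..254")
    return MAX_TTL - hops


def accepts(received_ttl: int, hops: int) -> bool:
    """GTSM check: pass if TTL >= 255 - hops, otherwise silently dropped."""
    return received_ttl >= min_accepted_ttl(hops)


def session_comes_up(local_hops: int, peer_has_ttl_security: bool,
                     peer_hops: int = 1, routers_away: int = 1) -> bool:
    """Both directions must pass the check for the session to establish."""
    peer_to_us = arriving_ttl(sender_ttl(peer_has_ttl_security), routers_away)
    ours_ok = accepts(peer_to_us, local_hops)
    if not peer_has_ttl_security:
        return ours_ok  # the peer performs no check; we drop its TTL-1 packets
    us_to_peer = arriving_ttl(sender_ttl(True), routers_away)
    return ours_ok and accepts(us_to_peer, peer_hops)


if __name__ == "__main__":
    for hops in (1, 50, 250):
        print(f"hops={hops:3d}: min TTL {min_accepted_ttl(hops):3d}, "
              f"peer without ttl-security accepted: {accepts(1, hops)}")
    print("both sides 'ttl-security hops 1':", session_comes_up(1, True))
```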


3 Replies

Adam Soukup
Level 1

Thank you Harold, perfect explanation. It sounds like I will need to coordinate with peer router owners. Thanks again.

You are very welcome, Adam.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)