
BGP ttl-security hops and traceroute

Adam Soukup
Level 1

My router is peered to another via BGP. Pings are allowed but traceroute is not. I am trying to implement ttl security hops, but the configuration causes my peers to drop. It doesn't matter if I set the hop count from 1 to 250, same results. Is traceroute traffic required to use this feature?

1 Accepted Solution

Harold Ritter
Spotlight

Hi @Adam Soukup,

Is traceroute traffic required to use this feature?

traceroute is not used or required by this feature.

Make sure you configure "neighbor x.x.x.x ttl-security" on both neighbors. If the neighbors are directly connected, you need to use "neighbor x.x.x.x ttl-security hops 1" on both sides.

The issue with running the ttl-security only on one side is that the eBGP neighbor not configured with this feature will send a TTL of 1 by default instead of TTL of 255 when the ttl-security feature is configured. This will cause the neighbor configured with the ttl-security feature to silently drop the packets and the BGP session not to come up.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
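
The TTL check described in the accepted answer, as an added example that is not part of the original thread: a small Python model of two directly connected eBGP peers. It assumes the rule from IOS documentation that a peer configured with "ttl-security hops N" accepts only packets arriving with a TTL of at least 255 minus N (N from 1 to 254); all function and constant names are hypothetical. It shows why every hop count from 1 to 250 fails when only one side is configured.

```python
# Added example: model of the TTL check for directly connected eBGP peers.
# Assumption (IOS documentation, not the thread): a peer configured with
# "ttl-security hops N" sends TTL 255 and accepts only TTL >= 255 - N.
# Function and constant names are hypothetical.
from typing import List, Optional

TTL_SECURITY_SEND = 255  # sent when ttl-security is configured
EBGP_DEFAULT_SEND = 1    # sent by an eBGP peer without it (per the answer)


def sent_ttl(hops: Optional[int]) -> int:
    """TTL a peer puts on its BGP packets; hops=None means not configured."""
    return EBGP_DEFAULT_SEND if hops is None else TTL_SECURITY_SEND


def min_accepted_ttl(hops: Optional[int]) -> int:
    """Lowest arriving TTL the peer accepts; 0 means no TTL check."""
    if hops is None:
        return 0
    if not 1 <= hops <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return 255 - hops


def accepts(receiver_hops: Optional[int], sender_hops: Optional[int]) -> bool:
    """Directly connected: the packet arrives with the TTL it was sent with."""
    return sent_ttl(sender_hops) >= min_accepted_ttl(receiver_hops)


def session_comes_up(a_hops: Optional[int], b_hops: Optional[int]) -> bool:
    """BGP needs packets accepted in both directions."""
    return accepts(a_hops, b_hops) and accepts(b_hops, a_hops)


def working_hop_counts(peer_hops: Optional[int],
                       candidates=range(1, 251)) -> List[int]:
    """Local hop counts (the 1 to 250 tried in the question) that work."""
    return [h for h in candidates if session_comes_up(h, peer_hops)]


if __name__ == "__main__":
    # Peer without ttl-security: its TTL of 1 is below every floor (5..254).
    print("peer unconfigured:", working_hop_counts(None))
    print("both sides hops 1:", session_comes_up(1, 1))
    print("floor at hops 250:", min_accepted_ttl(250))
```

In this model the unconfigured side still accepts the TTL 255 packets it receives; the session fails only because its own TTL 1 packets are dropped by the configured side.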


3 Replies

Adam Soukup
Level 1

Thank you Harold, perfect explanation. It sounds like I will need to coordinate with peer router owners. Thanks again.

You are very welcome Adam.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)