Buy or Renew
Buy or Renew
Cisco Community present at Cisco Live EMEA 2023. See you in Amsterdam! Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
552
Views
10
Helpful
3
Replies

BGP ttl-security hops and traceroute

Go to solution
Adam Soukup
Beginner
Beginner

‎06-02-2021 05:15 PM

My router is peered to another via BGP. Pings are allowed but traceroute is not. I am trying to implement ttl security hops, but the configuration causes my peers to drop. It doesn't matter if I set the hop count from 1 to 250, same results. Is traceroute traffic required to use this feature?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee

‎06-02-2021 06:50 PM - edited ‎06-03-2021 12:43 PM

Hi @Adam Soukup ,

 

Is traceroute traffic required to use this feature?

 

traceroute is not used or required by this feature.

 

Make sure you configure "neighbor x.x.x.x ttl-security" on both neighbors. If the neighbors are directly connected, you need to use "neighbor x.x.x.x ttl-security hops 1" on both sides.

 

The issue with running the ttl-security only on one side, is that the eBGP neighbor not configured with this feature will send a TTL of 1 by default instead of TTL of 255 when the ttl-security feature is configured. This will cause the neighbor configured with the ttl-security feature to silently drop the packets and the BGP session not to come up.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

3 Replies 3

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee

‎06-02-2021 06:50 PM - edited ‎06-03-2021 12:43 PM

Hi @Adam Soukup ,

 

Is traceroute traffic required to use this feature?

 

traceroute is not used or required by this feature.

 

Make sure you configure "neighbor x.x.x.x ttl-security" on both neighbors. If the neighbors are directly connected, you need to use "neighbor x.x.x.x ttl-security hops 1" on both sides.

 

The issue with running the ttl-security only on one side, is that the eBGP neighbor not configured with this feature will send a TTL of 1 by default instead of TTL of 255 when the ttl-security feature is configured. This will cause the neighbor configured with the ttl-security feature to silently drop the packets and the BGP session not to come up.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Go to solution
Adam Soukup
Beginner
Beginner

‎06-04-2021 02:37 PM

Thank you Harold, perfect explanation. It sounds like I will need to coordinate with peer router owners. Thanks again.

0 Helpful

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee
In response to Adam Soukup

‎06-04-2021 02:41 PM

You are very welcome Adam.

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents