cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1262
Views
0
Helpful
5
Replies

BGP TTL-security hops

Marwan ALshawi
VIP Alumni
VIP Alumni

hi guys

i have a strange issue

when i confugre to bgp hops like bellow

lo0--R1--OSPF--R2--OSPF--R3--lo0

R1-----------EBGP--------R3

i used the command ttl-security hops 3 on both sides

the bgp session is and established

the loopbacks advertised in bgp apear in the BGP routing table

BUT

dose not apear in the routing table

in bgp routing table it says that next hope inaceesable

however the next is accessable

becuase i can ping, sse it inospf routing

and the peering is up as well

same case with ebgp multihops works

by the way the peering between the EBGP peers through tier loopbacks address

any idea !!

5 Replies 5

Mohamed Sobair
Level 7
Level 7

Hi,

I dont understand..

whats the real problem here? The BGP nexthop or some thing else? If the Nexthop is not in the routing table, then it would be inaccessible in the BGP table (Normal)

The TTL of 3 shouldnt affect your BGP neighbor relationship establishment.

HTH

Mohamed

hi Mohamed

the lo0 of both bgp peers advertised thorugh ospf

and reachable through the IGP

but there are som other lo interfaces advertised thorugh bgp

its shown in the bgp table but as not advertised

and showing the next hope ( the other peer lo0) as inaccessable

i would say without ttl 3 no peer will be established as t is not directlyu connected EBGP peers

as i mentioned this topolog works fine if i use ebgp-multihope command instead of ttl security

is it more clear now

i found it strange

Hello Marwan,

the TTL security mechanism should tell what is the expected TTL on received BGP packet from peer to consider it valid.

see

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bgp_neighor_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1054684

I think you should use both commands if these are eBGP sessions

Hope to help

Giuseppe

hi Gusseppe

according to this linke which i seen it before

The neighbor ebgp-multihop command is not needed when this feature is configured for a multihop neighbor session and should be disabled before configuring this feature

so we can NOT use both of them

try it

when you have ebgp-multi

and you enter the ttl command it will give error messege tell you you can't have both of them !!!

thats why i found it strange becuase in term of TTL in and out all good thats why i got my peering seesion up

but why it tells next hop in accessable

i still wonderring

anyway thank you for your time

Hello Marwan,

I've realized later I had suggested a wrong idea.

you should verify if:

the BGP next-hop of routes is known in routing table.

this is the standard check and this has to be there.

I wonder what additional checks can be done enabling ttl-security on BGP next-hop.

looking for the number of route-hops to next-hop would require a traceroute and it is unlikely.

Hope to help

Giuseppe

Review Cisco Networking for a $25 gift card