North American Network Operators Group


BGP TTL Security

  • From: Ben Butler
  • Date: Thu Feb 14 13:31:23 2008


I am trying to implement BGP TTL security between one of my routers and
an eBGP peer that is one hop away over a layer 2 IX.

As soon as I add:

neighbor ttl-security hops 2
neighbor ttl-security hops 1

The peer drops to Active/OpenSent with entries in syslog for hold time.

I have validated via trace in both directions as being 1 hop.

I have read another article that implies the default behaviour at the
other end will be to send TTL 1, not 255, and consequently I need to
configure both ends to get the session to come back up.  An access list
reveals all the packets I am receiving have a TTL of 0.

The session re-establishes if I configure:

neighbor ttl-security hops >=192

<=191 and the session stays down.

Which is proper bizarre!

Is it necessary to configure this on both sides for the session to
re-establish?  Is this a Cisco bug?

Kind Regards

Ben Butler
C2 Internet Ltd
Globe House, The Gullet, Nantwich, Cheshire, CW5 5RL

E  mailto:[email protected]
T  +44-(0)845-658-0020
F  +44-(0)845-658-0070

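The TTL check the post is configuring is GTSM (RFC 5082), which Cisco exposes as "neighbor ... ttl-security hops N". The Python model below is an added example, not code from the post or from any router vendor; it assumes the receive-side rule from RFC 5082 and Cisco's documentation (accept a packet only when its TTL is at least 255 minus the configured hop count; an unconfigured speaker accepts any TTL and sends eBGP packets with TTL 1) and shows why the session stays down until the far end also sends TTL 255, and why a forged packet from further away cannot pass. It models the documented semantics only and does not reproduce the "hops >= 192" behaviour the post observed. The Speaker, ttl_on_arrival, session_ok and spoof_accepted names are the example's own.

```python
"""Model of GTSM (RFC 5082) as configured by 'neighbor ... ttl-security hops N'.

Added example; the accept rule (TTL >= 255 - hops) and the defaults
(TTL 255 when TTL security is on, TTL 1 for plain eBGP) are assumptions
taken from RFC 5082 and vendor documentation, not from the post.
"""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255          # a GTSM-enabled speaker sends every BGP packet with TTL 255
DEFAULT_EBGP_TTL = 1   # an eBGP speaker without TTL security sends TTL 1


@dataclass
class Speaker:
    """One BGP speaker. hops is its configured 'ttl-security hops' value,
    None when TTL security is not configured on this side."""
    hops: Optional[int] = None

    @property
    def ttl_security(self) -> bool:
        return self.hops is not None

    def outgoing_ttl(self) -> int:
        return MAX_TTL if self.ttl_security else DEFAULT_EBGP_TTL

    def accepts(self, ttl: int) -> bool:
        """Receive-side check: accept when TTL >= 255 - hops (assumption,
        see module docstring). Without TTL security, any TTL is accepted."""
        if not self.ttl_security:
            return True
        if not 1 <= self.hops <= 254:
            raise ValueError("ttl-security hops must be 1..254")
        return ttl >= MAX_TTL - self.hops


def ttl_on_arrival(initial_ttl: int, routers_in_path: int) -> int:
    """TTL the receiver inspects: each intermediate router decrements it by
    one, and the receiver checks before its own decrement, so a directly
    connected peer (0 routers in between, e.g. across a layer 2 IX) sees the
    sender's initial TTL unchanged."""
    return max(initial_ttl - routers_in_path, 0)


def direction_ok(sender: Speaker, receiver: Speaker, routers_in_path: int) -> bool:
    """Do packets from sender pass receiver's GTSM check?"""
    return receiver.accepts(ttl_on_arrival(sender.outgoing_ttl(), routers_in_path))


def session_ok(a: Speaker, b: Speaker, routers_in_path: int = 0) -> bool:
    """A BGP session needs packets accepted in both directions; one side
    discarding the other's TTL-1 packets is enough to keep it in Active/OpenSent."""
    return direction_ok(a, b, routers_in_path) and direction_ok(b, a, routers_in_path)


def spoof_accepted(attacker_routers_away: int, victim: Speaker) -> bool:
    """Can an attacker N routers away get a forged packet past GTSM? The
    attacker can set TTL 255 but cannot stop the routers in between from
    decrementing it, which is the whole point of the mechanism."""
    return victim.accepts(ttl_on_arrival(MAX_TTL, attacker_routers_away))


if __name__ == "__main__":
    local = Speaker(hops=1)                       # 'neighbor X ttl-security hops 1'
    print("remote unconfigured:", session_ok(local, Speaker()))              # False
    print("both configured:", session_ok(local, Speaker(hops=1)))            # True
    print("hops 192, remote unconfigured:",
          session_ok(Speaker(hops=192), Speaker()))                          # False
    print("spoof from 2 routers away:", spoof_accepted(2, local))            # False
```

With hops 1 on only one side, the far end keeps sending TTL 1, which is below the 254 floor, so the model agrees with the article the post cites: both ends need "ttl-security" before the session comes back. Raising the hop count only lowers the floor (hops 192 accepts TTL 63 and above), so a TTL-1 packet is still rejected in this model, which is why the observed recovery at 192 looks like something other than the documented check.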