Tuesday, October 11, 2011

LAB: BGP TTL Security

- Configure R3 to accept TCP packets from eBGP peers only if they are no more than one hop away.

In order to configure TTL security checks for a BGP peer, use the command:

neighbor <IP> ttl-security hops <hop-count>

This command applies to eBGP peering sessions only (either directly connected or multihop) and specifies the number of hops the remote peer may be away from the local speaker. Keep in mind that internal BGP sessions are not protected, so the internal network is assumed to be “trusted”. All incoming TCP packets targeted at the BGP port with an IP TTL value below (255 - <hop-count>) are silently discarded by the router. In addition, the feature sets the TTL value of outgoing TCP/IP packets to 255-<hop-count> to make sure the remote peer will accept the local packets. The GTSM feature is mutually exclusive with the ebgp-multihop BGP feature: an eBGP session by default sets TTL=1 in outgoing IP packets, and with the ebgp-multihop <n> session parameter the TTL value is set to <n>, which is not compatible with GTSM. Therefore, make sure you configure the GTSM feature on both sides of the peering link.
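The following is an added model of the check described above, not part of the original lab. It assumes the R1/R3 peering from the configuration (hops 1) and originates GTSM-protected segments with TTL 255, the value RFC 5082 specifies for a GTSM speaker; the scenarios at the bottom are constructed to show why a non-GTSM peer and an ebgp-multihop peer both fail the check.

```python
"""Model of the BGP TTL-security (GTSM) check: constructed example, not lab output."""
from typing import Optional

MAX_TTL = 255


def min_accepted_ttl(hop_count: int) -> int:
    """Lowest IP TTL a received BGP segment may carry under `ttl-security hops <hop_count>`."""
    return MAX_TTL - hop_count


def gtsm_accepts(received_ttl: int, hop_count: int) -> bool:
    """True if the segment passes; segments with TTL below 255 - hop_count are silently dropped."""
    return received_ttl >= min_accepted_ttl(hop_count)


def ttl_on_arrival(initial_ttl: int, intermediate_routers: int) -> int:
    """Each router that forwards the packet decrements TTL by one; the receiving host does not.
    Returns 0 if the packet expired in transit and never reached the peer."""
    return max(initial_ttl - intermediate_routers, 0)


def outgoing_ttl(gtsm: bool, ebgp_multihop: Optional[int] = None) -> int:
    """TTL a speaker writes into its own eBGP segments (assumed model).
    GTSM-enabled: 255 (RFC 5082). Otherwise the eBGP default 1, or the ebgp-multihop <n> value."""
    if gtsm:
        return MAX_TTL
    return ebgp_multihop if ebgp_multihop is not None else 1


def session_passes(sender_gtsm: bool, sender_multihop: Optional[int],
                   intermediate_routers: int, receiver_hops: int) -> bool:
    """Would a receiver configured with `ttl-security hops <receiver_hops>`
    accept segments from this sender over a path with that many forwarding routers?"""
    ttl = ttl_on_arrival(outgoing_ttl(sender_gtsm, sender_multihop), intermediate_routers)
    return gtsm_accepts(ttl, receiver_hops)


if __name__ == "__main__":
    # R1 -> R3, GTSM on both sides, directly connected: TTL 255 arrives, threshold is 254.
    print("R1 -> R3, GTSM both sides:", session_passes(True, None, 0, 1))   # True
    # Same sender, but the segment was forwarded by two routers first: TTL 253 < 254.
    print("forwarded by two routers:", session_passes(True, None, 2, 1))   # False
    # Peer without GTSM sends the eBGP default TTL 1: dropped, hence configure both sides.
    print("peer without GTSM:", session_passes(False, None, 0, 1))         # False
    # Peer using ebgp-multihop 2 sends TTL 2: still far below 254, so the features conflict.
    print("peer with ebgp-multihop 2:", session_passes(False, 2, 0, 1))    # False
```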

Configuration:

R1:
router bgp 100
neighbor 155.1.13.3 ttl-security hops 1
R3:
router bgp 200
neighbor 155.1.13.1 ttl-security hops 1
neighbor 155.1.37.7 ttl-security hops 1
SW1:
router bgp 300
neighbor 155.1.37.3 ttl-security hops 1
