Saturday 1 February 2020

BGP peer with indirect link


Let's form an eBGP peering between R5 and R4 over an indirect link (the Loopback interfaces rather than the directly connected addresses).

R4#sh run | sec router bgp
router bgp 400
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.5.5.5 remote-as 500
 neighbor 150.5.5.5 ebgp-multihop 2
 neighbor 150.5.5.5 update-source Loopback0
 no auto-summary

R5#sh run | sec router bgp
router bgp 500
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.4.4.4 remote-as 400
 neighbor 150.4.4.4 ebgp-multihop 2
 neighbor 150.4.4.4 update-source Loopback0
 no auto-summary

Here we need both the update-source and the ebgp-multihop command.
By default an eBGP router sources the session from the address of the outgoing interface and sends its TCP segments with a TTL of 1, so the session only comes up with a directly connected neighbor.
To peer over an indirect address we tell the router which source address to use (update-source Loopback0) and raise the TTL so the packets survive the extra hop (ebgp-multihop 2).

R5#sh ip bgp ne | in Exter
  External BGP neighbor may be up to 2 hops away.

With ebgp-multihop the router accepts BGP segments at whatever TTL they arrive with, which leaves the session exposed to spoofed segments from hosts further away, the classic TCP Reset attack. The ttl-security feature (GTSM, RFC 5082) is the mechanism for protecting against that and against unwanted eBGP peer establishment: the router sends with TTL 255 and drops any segment from the neighbor whose incoming TTL is below 255 minus the configured hop count, a value a distant attacker cannot produce because every router on the way decrements it.

Let's configure the ttl-security feature between R4 and R5.

R5(config-router)#neighbor 150.4.4.4 ttl-security hops 2
Remove ebgp-multihop before configuring ttl-security

Note: ttl-security and ebgp-multihop are mutually exclusive on a neighbor; the router rejects the ttl-security command while ebgp-multihop is still configured, as the message above shows. So first remove the ebgp-multihop command (its no form) on both routers, then configure ttl-security.

R5(config-router)# neighbor 150.4.4.4 ttl-security hops 2

R4(config-router)# neighbor 150.5.5.5 ttl-security hops 2

R5#sh ip bgp ne | in Ext|Min
  External BGP neighbor may be up to 2 hops away.
Connection is ECN Disabled, Mininum incoming TTL 253, Outgoing TTL 255
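To make the difference between the two commands concrete, here is an added Python model of the TTL arithmetic the router applies under ebgp-multihop versus ttl-security (GTSM). It is example code written for this post, not anything from the routers above; it only simulates the TTL handling and does not speak BGP. The class and function names are my own, and the model assumes each forwarding router decrements the TTL by one and the final peer does not, with hop counts expressed as the number of forwarding routers in the path.

```python
"""Model of eBGP TTL handling: `ebgp-multihop N` versus `ttl-security hops N`.

Added illustration (not code from the original post). It reproduces the
numbers seen in the router output: multihop 2 sends with TTL 2 and checks
nothing on receipt; ttl-security hops 2 sends with TTL 255 and requires an
incoming TTL of at least 255 - 2 = 253.
"""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass(frozen=True)
class NeighborConfig:
    """The two options, mirroring `neighbor X ebgp-multihop N` and
    `neighbor X ttl-security hops N`. IOS refuses to have both at once."""
    ebgp_multihop: Optional[int] = None
    ttl_security_hops: Optional[int] = None

    def __post_init__(self) -> None:
        if self.ebgp_multihop is not None and self.ttl_security_hops is not None:
            raise ValueError("Remove ebgp-multihop before configuring ttl-security")


def outgoing_ttl(cfg: NeighborConfig) -> int:
    """TTL the router puts on BGP segments it sends to this neighbor."""
    if cfg.ttl_security_hops is not None:
        return MAX_TTL                  # GTSM always sends with the maximum TTL
    if cfg.ebgp_multihop is not None:
        return cfg.ebgp_multihop        # multihop N sends with TTL N
    return 1                            # plain eBGP: directly connected only


def minimum_incoming_ttl(cfg: NeighborConfig) -> int:
    """Lowest TTL the router accepts on segments from this neighbor."""
    if cfg.ttl_security_hops is not None:
        return MAX_TTL - cfg.ttl_security_hops   # hops 2 -> 253, as shown by IOS
    return 1   # default/multihop: anything that survived the trip is accepted


def accepts(cfg: NeighborConfig, incoming_ttl: int) -> bool:
    """The receive-side check; a segment that expired (TTL 0) never arrives."""
    return incoming_ttl > 0 and incoming_ttl >= minimum_incoming_ttl(cfg)


def ttl_on_arrival(initial_ttl: int, forwarding_routers: int) -> int:
    """TTL after crossing `forwarding_routers` routers (assumed: each one
    decrements by 1, the destination does not). 0 means expired in transit."""
    return max(initial_ttl - forwarding_routers, 0)


def peer_session_works(cfg: NeighborConfig, forwarding_routers: int) -> bool:
    """Would a legitimate peer, configured the same way and separated by
    `forwarding_routers` routers, get its segments accepted?"""
    return accepts(cfg, ttl_on_arrival(outgoing_ttl(cfg), forwarding_routers))


def spoof_gets_through(cfg: NeighborConfig, attacker_routers: int) -> bool:
    """Can a spoofed segment (for example a TCP RST with the peer's address as
    source) from a host `attacker_routers` routers away reach the BGP session?
    The attacker sets the highest TTL available to maximise its reach."""
    return accepts(cfg, ttl_on_arrival(MAX_TTL, attacker_routers))


if __name__ == "__main__":
    multihop = NeighborConfig(ebgp_multihop=2)
    gtsm = NeighborConfig(ttl_security_hops=2)
    for name, cfg in (("ebgp-multihop 2", multihop), ("ttl-security hops 2", gtsm)):
        print(f"{name}: outgoing TTL {outgoing_ttl(cfg)}, "
              f"minimum incoming TTL {minimum_incoming_ttl(cfg)}")
        print(f"  loopback peer (0 forwarding routers) works: "
              f"{peer_session_works(cfg, 0)}")
        print(f"  spoofed RST from 10 routers away accepted: "
              f"{spoof_gets_through(cfg, 10)}")
```

Running it shows the point of the page: under ebgp-multihop 2 a forged segment from ten routers away still arrives with TTL 245 and is accepted, while under ttl-security hops 2 the same segment is dropped because 245 is below the minimum of 253. The model also reproduces the IOS refusal to hold both commands on one neighbor.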

In the same way, form eBGP peers between R6 and R1, R3 and R5, R3 and R4, and R4 and R5.
