BGP route-reflector-client

BGP requires that all internal BGP speakers are fully meshed. To reduce the size of the mesh, BGP speakers can be configured as route reflectors. Route reflectors pass internally learned routes to a set of internal BGP neighbors. When route reflector clients are configured, the route reflector is responsible for distributing internal BGP routes to other internal BGP neighbors.
Use the neighbor route-reflector-client command to identify the

The following is an example.
Here the Hub router is configured as multipoint and has two spokes, R2 and R4. R2 connects to R6 and establishes an EBGP peer relationship with it. To advertise routes originated by R2 to another peer such as R3, the Hub router acts as the route reflector and R2 is configured as a route-reflector-client.
HUB#show run | s bgp
router bgp 200
no synchronization
bgp cluster-id 11.11.11.11
bgp log-neighbor-changes
neighbor 172.16.13.3 remote-as 200
neighbor 172.16.13.3 route-reflector-client
neighbor 172.16.124.2 remote-as 200
neighbor 172.16.124.2 route-reflector-client
neighbor 172.16.124.4 remote-as 200
no auto-summary

BGP ttl-security

The BGP Support for TTL Security Check feature is a lightweight security mechanism that protects external BGP (eBGP) peering sessions from CPU utilization-based attacks using forged IP packets. Enabling this feature prevents attempts to hijack the eBGP peering session by a host on a network segment that is not part of either BGP network or by a host on a network segment that is not between the eBGP peers.

This feature is enabled by configuring a minimum Time To Live (TTL) value for incoming IP packets received from a specific eBGP peer. When this feature is enabled, BGP will establish and maintain the session only if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the peering session. If the value is less than the configured value, the packet is silently discarded and no Internet Control Message Protocol (ICMP) message is generated.

Configuration Example:

On R1:

R1(config)#router bgp 100
R1(config-router)#neighbor 172.16.0.1 ttl-security hops 5

R1 will now silently drop packets from this neighbor that fail the check, because the TTL value in the incoming packet must be 250 or greater (255 minus the 5 configured hops).

On the neighbor at the other end, we can configure ebgp-multihop with a value of 250, or ebgp-multihop without a value, which sets the default of 255.

In a Frame Relay hub-and-spoke network, the configured TTL value must also account for the additional hops, because traffic passes through the hub router.
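The TTL check described above can be modelled and audited offline. The following Python sketch is an added example, not part of the original page: it parses a constructed `router bgp` fragment, lists eBGP neighbors with the minimum TTL each accepts (or none when `ttl-security` is missing), and tests whether a packet survives the check. The function names, the `remote-as` values and the extra neighbors are assumptions.

```python
import re

MAX_TTL = 255  # largest value the 8-bit IP TTL field can hold

# Constructed sample config modelled on the page's R1 example; the remote-as
# values and the neighbors 172.16.0.9 / 172.16.0.20 are assumptions.
SAMPLE_CONFIG = """\
router bgp 100
 neighbor 172.16.0.1 remote-as 200
 neighbor 172.16.0.1 ttl-security hops 5
 neighbor 172.16.0.9 remote-as 300
 neighbor 172.16.0.20 remote-as 100
"""

NEIGHBOR_RE = re.compile(r"neighbor (\S+) (remote-as|ttl-security hops) (\d+)")

def parse_bgp(config):
    """Return (local_as, {neighbor_ip: {"remote-as": n, "ttl-security hops": n}})."""
    local_as, neighbors = None, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"router bgp (\d+)", line):
            local_as = int(m.group(1))
        elif m := NEIGHBOR_RE.fullmatch(line):
            entry = neighbors.setdefault(
                m.group(1), {"remote-as": None, "ttl-security hops": None})
            entry[m.group(2)] = int(m.group(3))
    return local_as, neighbors

def min_ttl(hops):
    """Lowest incoming TTL accepted for 'ttl-security hops <hops>'."""
    return MAX_TTL - hops

def accepts(hops, sent_ttl, routers_crossed):
    """True if a packet sent with sent_ttl passes the check after each
    router on the path has decremented the TTL by one."""
    return sent_ttl - routers_crossed >= min_ttl(hops)

def audit(config):
    """Map each eBGP neighbor to its minimum accepted TTL (None = no TTL check)."""
    local_as, neighbors = parse_bgp(config)
    report = {}
    for ip, n in neighbors.items():
        if n["remote-as"] not in (None, local_as):  # skip iBGP and unknown peers
            hops = n["ttl-security hops"]
            report[ip] = None if hops is None else min_ttl(hops)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(accepts(5, 250, 0), accepts(5, 250, 1))
```

The last two calls model a peer sending with a TTL of 250 (an assumed reading of the ebgp-multihop 250 setting): the packet passes when no router sits in between and fails once a hub router decrements it, which is the hub-and-spoke caveat above.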