642-832 TSHOOT Test Tips - Layer 3 BGP Issue
I posted a link to my blog about the TSHOOT tips before, but since we can't post links, and I still like to help others, I'm going to keep posting to my blog and at the same time copy my posts to my favorite forum to help others. If you see anything else that I should add (BGP is big, so I'm just posting a small portion of BGP for TSHOOT purposes), feel free to post a reply here, since I'm still learning. Thanks
BGP ISSUES
Issues peering with your neighbor router
1. Since the TTL for BGP is 1, if you want to peer with a router that is not one hop away, you will need to use the multihop command
2. Access list blocking TCP 179 - sh access-list
3. Routers have to have IP reachability (RIP, EIGRP, static route...) if the router is not directly connected, to be able to establish peering - sh ip routing
BGP peers must agree on the following attributes
1. Peer address
2. Unique RID (Router ID - loopback interface)
3. ASN (autonomous system number)
Important commands to know
1. Authentication
2. show ip route
3. show ip bgp summary
Comments
-
networker050184 Mod Posts: 11,962
I'd clarify some of those a bit. Will the show ip routing command work? Is the TTL for BGP always 1? Authentication isn't a command by itself.
An expert is a man who has made all the mistakes which can be made.
-
amb1s1 Member Posts: 408
networker050184 wrote: »I'd clarify some of those a bit. Will the show ip routing command work? Is the TTL for BGP always 1? Authentication isn't a command by itself.
sh ip routing - typo
Is the TTL for BGP always 1 - I have to take a look at that, but I thought it is 1 unless you use multihop - correct me if I'm wrong.
Authentication - I don't know how that word got in there - it was supposed to be show ip bgp neighbors. Thanks for letting me know
-
EdTheLad Member Posts: 2,111
amb1s1 wrote: »Is the TTL for BGP always 1 - I have to take a look at that, but I thought it is 1 unless you use multihop - correct me if I'm wrong.
The TTL is set to 1 for eBGP neighbors; iBGP gets a default TTL of 255. So multihop is only required for eBGP neighbors.
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
-
TesseracT Member Posts: 167
There is also another command you can use instead of ebgp-multihop...
You can also use the ttl-security command to modify the TTL:
router bgp 100
 neighbor 1.1.1.1 ttl-security hops 1
By default eBGP routes have a TTL of 1. This is so they only accept routes from directly connected peers. Hackers can easily change packets to have a TTL of 1, or can know how many hops are in between, so if you set the TTL to 7, for example, when there are 6 hops, an attack can still occur.
TTL Security changes this process so that the TTL is set to 255-n, where n is the hop count you set it to.
If a hacker changes the TTL to 255, the routers along the path are forced to decrement it by 1 each, so it's harder to hack.
So for example, say you have a group of routers that are up to 10 hops away. You can set the TTL Security to 10. 255-10 = 245. So your router will accept any peers that have a TTL of 245 or higher, or in other words are up to 10 hops away.
· Only for eBGP peers, not for iBGP
· This has to be configured on both sides, as the TTL security router will be set to accept a TTL of 245 or above and the other router may have a TTL of 1
  o What you could do here though to be fancy is use ebgp-multihop and set the TTL to 246; this should work.
Don't think that this one is in the CCNP though
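To make the three TTL behaviours in this thread concrete (default eBGP TTL 1, ebgp-multihop, and ttl-security / GTSM accepting TTL >= 255-n), here is an added simulation written for this thread, not router code or anything from the original posts. It models the sender's initial TTL, the per-router decrement along the path, and the receiver's acceptance rule; the Peer class, its field names and the "hop_distance = 1 means directly connected" convention are the author's own assumptions.

```python
"""Constructed model of the inbound TTL check a BGP speaker applies
under three neighbor configurations. Not IOS code."""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass
class Peer:
    """One side of an eBGP session (assumed names, not IOS syntax)."""
    multihop: Optional[int] = None          # 'neighbor X ebgp-multihop N'
    ttl_security_hops: Optional[int] = None  # 'neighbor X ttl-security hops N'

    def sent_ttl(self) -> int:
        """Initial TTL this peer puts on its BGP packets."""
        if self.ttl_security_hops is not None:
            return MAX_TTL               # GTSM always sends 255
        if self.multihop is not None:
            return self.multihop         # multihop sends the configured TTL
        return 1                         # default eBGP: one hop only

    def accepts(self, arriving_ttl: int) -> bool:
        """Receiver-side rule applied to the TTL the packet arrives with."""
        if arriving_ttl < 1:
            return False                 # expired in transit, never delivered
        if self.ttl_security_hops is not None:
            # GTSM: packet must come from within the configured radius
            return arriving_ttl >= MAX_TTL - self.ttl_security_hops
        return True                      # default/multihop: no distance check


def arriving_ttl(sent_ttl: int, hop_distance: int) -> int:
    """Each transit router decrements TTL by one; hop_distance=1 is direct."""
    return sent_ttl - (hop_distance - 1)


def session_accepted(sender: Peer, receiver: Peer, hop_distance: int) -> bool:
    return receiver.accepts(arriving_ttl(sender.sent_ttl(), hop_distance))


if __name__ == "__main__":
    gtsm = Peer(ttl_security_hops=10)        # the thread's 255-10 = 245 case
    for label, s, r, d in [
        ("default eBGP, directly connected", Peer(), Peer(), 1),
        ("default eBGP, two hops away", Peer(), Peer(), 2),
        ("GTSM both sides, 10 hops away", gtsm, gtsm, 10),
        ("GTSM, packet from 12 hops away", gtsm, gtsm, 12),
        ("multihop 255 instead of GTSM, 12 hops", Peer(multihop=255), Peer(multihop=255), 12),
        ("TTL-1 sender toward GTSM receiver", Peer(), gtsm, 1),
        ("multihop 246 toward GTSM receiver, direct", Peer(multihop=246), gtsm, 1),
    ]:
        print(f"{label}: {'accepted' if session_accepted(s, r, d) else 'rejected'}")
```

The last two rows reproduce the "configure both sides" caveat and the ebgp-multihop 246 trick from the post above; the multihop-255 row shows why ebgp-multihop alone bounds nothing.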