Cisco IOS Software Release 12.2(27)SBC
BGP Support for TTL Security Check
Cisco IOS Release: Multiple releases (see the Feature History table)

Prerequisites for BGP Support for TTL Security Check
• BGP must be configured in your network and eBGP peering sessions must be established.
• This feature needs to be configured on each participating router. It protects the eBGP peering session in the incoming direction only and has no effect on outgoing IP packets or the remote router.

Restrictions for BGP Support for TTL Security Check
• This feature is designed to protect only eBGP peering sessions and is not supported for internal BGP (iBGP) peers and iBGP peer groups.
• When configuring the BGP Support for TTL Security Check feature to support an existing multihop peering session, you must first disable the neighbor ebgp-multihop router configuration command by entering the no neighbor ebgp-multihop command before configuring this feature with the neighbor ttl-security router configuration command. These commands are mutually exclusive, and only one command is required to establish a multihop peering session. If you attempt to configure both commands for the same peering session, an error message will be displayed in the console.
• The effectiveness of this feature is reduced in large-diameter multihop peerings. In the event of a CPU utilization-based attack against a BGP router that is configured for large-diameter peering, you may still need to shut down the affected peering sessions to handle the attack.
• This feature is not effective against attacks from a peer that has been compromised inside your network. This restriction also includes BGP peers that are not part of the local or external BGP network but are connected to the network segment between the BGP peers (for example, a switch or hub that is used to connect the local and external BGP networks).
• This feature does not protect the integrity of data sent between eBGP peers and does not validate eBGP peers through any authentication method. This feature validates only the locally configured TTL count against the TTL field in the IP packet header.

Information About BGP Support for TTL Security Check
To configure the BGP Support for TTL Security Check feature, you must understand the following concepts: