Name
neighbor ttl-security — BGP
Synopsis
neighbor ip ttl-security hops hop-count
no neighbor ip ttl-security hops hop-count
Configures
Maximum TTL count for eBGP peers
Default
Disabled
Description
This command enables BGP TTL checking for a neighbor. It applies only to external BGP (eBGP) neighbors. It provides a simple security mechanism for protecting your eBGP routers from possible hijacking attempts. When this feature is enabled, only packets whose TTL counts are equal to or higher than the given value are accepted as valid packets. (It is generally considered impossible to forge TTL counts without access to the source or destination network.) If a packet's TTL value is less than this value, the router discards the packet without generating any ICMP messages; the point is to avoid sending error messages that could give information back to a possible attacker.
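As an added example (not from the book or from Cisco IOS itself), the following Python model shows the check that this command enables. It assumes the standard GTSM semantics used by IOS: a peer configured with ttl-security sends with TTL 255, each forwarding router decrements the TTL by one, and the receiver accepts a packet only if its TTL is at least 255 minus the configured hop-count. The function names and sample packets are constructed for the illustration.

```python
# Model of the "neighbor ip ttl-security hops hop-count" check (constructed example,
# not IOS code). Assumption: GTSM-style semantics, accept only TTL >= 255 - hop_count.
from typing import List, Tuple

INITIAL_TTL = 255  # a ttl-security peer sends every BGP packet with the maximum TTL


def min_accepted_ttl(hop_count: int) -> int:
    """Lowest TTL accepted for a peer configured with `ttl-security hops hop_count`."""
    if not 1 <= hop_count <= 254:
        raise ValueError("hop-count must be between 1 and 254")
    return INITIAL_TTL - hop_count


def arriving_ttl(sender_initial_ttl: int, forwarding_routers: int) -> int:
    """TTL seen by the receiving router: each router that forwards the packet
    decrements it by one (the receiver itself does not decrement before checking)."""
    return max(sender_initial_ttl - forwarding_routers, 0)


def accept_bgp_packet(ttl: int, hop_count: int) -> bool:
    """True if the packet passes the TTL check. A failing packet is silently dropped:
    no ICMP message is generated, matching the command description."""
    return ttl >= min_accepted_ttl(hop_count)


def filter_packets(packets: List[Tuple[str, int]], hop_count: int) -> List[str]:
    """Apply the check to constructed (label, ttl) pairs; return labels of accepted packets."""
    return [label for label, ttl in packets if accept_bgp_packet(ttl, hop_count)]


# Constructed sample traffic for a peer configured with "hops 1":
#  - the directly connected peer (no forwarding routers in between) arrives with TTL 255
#  - a packet from a host 12 routers away can carry at most TTL 255 when sent,
#    so it arrives with 243 and fails the check even though its source is forged
#  - a directly connected peer that lacks ttl-security still sends with TTL 1 (the
#    eBGP default), which also fails: the feature must be configured on both peers
SAMPLE_PACKETS = [
    ("directly-connected peer", arriving_ttl(INITIAL_TTL, 0)),       # 255
    ("remote host, 12 routers away", arriving_ttl(INITIAL_TTL, 12)),  # 243
    ("peer without ttl-security", arriving_ttl(1, 0)),                # 1
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE_PACKETS, hop_count=1))  # ['directly-connected peer']
```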