Using eBGP Multihop
Problem
You want to use BGP to exchange routes with an external peer router that is more than one hop away because the router at the edge of the network doesn't support BGP.
Solution
Cisco provides a useful option called eBGP Multihop, which allows you to establish eBGP peer relationships between routers that aren't directly connected to one another:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#ip route 172.20.1.2 255.255.255.255 192.168.1.5 2 Router1(config)#router bgp 65500 Router1(config-router)#neighbor 172.20.1.2 remote-as 65530 Router1(config-router)#neighbor 172.20.1.2 update-source Loopback0 Router1(config-router)#neighbor 172.20.1.2 ebgp-multihop 3 Router1(config-router)#exit Router1(config)#end Router1#
Discussion
In this example, we have shown the configuration for only one of the routers, although you will need to configure the ebgp-multihop keyword for the corresponding peer device as well.
This feature isn't a standard part of the BGP protocol, but several router vendors implement it. The standard behavior requires eBGP routers to be adjacent to one another.
You might want to use this feature, for example, if the router at the edge of either your AS or the AS you are connecting to doesn't support BGP. The router will also need to have a route to the destination device because it is not directly connected. We have included a static route for this purpose.
The ebgp-multihop keyword takes an optional argument, which can be any integer between 1 and 255. This represents the maximum number of hops between this router and the neighbor, which is used in the TTL field of the IP packet when establishing the peer connection. If you don't specify ebgp-multihop, the router will assume that the peers are adjacent and use a TTL value of 1. However, if you specify this keyword without an argument, the router will default to a TTL value of 255.
Note that you can cause some seriously strange routing problems by using a high TTL value with this option. Suppose you have two ISPs, and your connection to one of them becomes unavailable. The routers could discover another path to one another, and re-establish their BGP peer relationship through the second ISP. This would cause extremely inefficient routing. You can avoid this problem by using static host routes, directing traffic for each peer router through the correct circuit.
In general, we recommend using the lowest possible value that still reaches the destination. However, RFC 3682 describes another extremely interesting way of using this feature to improve security. The idea is that the only way that a packet can reach its destination with a TTL value of 254 or 255 is if the source is adjacent to the destination. If a more distant device were to attempt a BGP spoofing attack, the packets would arrive with a lower TTL value unless the attacker was also on a physically adjacent network.
So this reference suggests deliberately configuring your routers to use the highest possible TTL value. Then the routers would check the TTL value and discard any BGP packets with a TTL of less than 254. Cisco implemented this feature in IOS Version 12.3(7)T:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#router bgp 65500 Router1(config-router)#neighbor 192.168.55.5 remote-as 65501 Router1(config-router)#neighbor 192.168.55.5 ttl-security hops 1 Router1(config-router)#exit Router1(config)#end Router1#
If the peer device is running an older IOS that doesn't support this feature and is an eBGP peer, you can simply use the ebgp-multihop command to specify an initial TTL of 255:
Router2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router2(config)#router bgp 65501 Router2(config-router)#bgp log-neighbor-changes Router2(config-router)#neighbor 192.168.55.6 remote-as 65500 Router2(config-router)#neighbor 192.168.55.6 ebgp-multihop 255 Router2(config-router)#exit Router2(config)#end Router2#
However, you cannot configure the ttl-security option for one peer and use the ebgp-multihop option for this same peer:
Router1(config)#router bgp 65500 Router1(config-router)#neighbor 192.168.100.1 ebgp-multihop 1 Remove ttl-security before configuring ebgp-multihop Router1(config-router)#
You can also configure ttl-security for iBGP peers:
Router1(config)#router bgp 65500 Router1(config-router)#neighbor 192.168.100.2 remote-as 65500 Router1(config-router)#neighbor 192.168.100.2 ttl-security hops 1
However, while this is a useful feature, it is still not as secure as using MD5 authentication to secure your BGP peers. We discuss this method in Recipe 9.16.
See Also
Recipe 9.16; RFC 3682 by V. Gill et al., February 2004