Using eBGP Multihop


You want to use BGP to exchange routes with an external peer router that is more than one hop away because the router at the edge of the network doesn't support BGP.


Cisco provides a useful option called eBGP Multihop, which allows you to establish eBGP peer relationships between routers that aren't directly connected to one another:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip route 2
Router1(config)#router bgp 65500
Router1(config-router)#neighbor remote-as 65530
Router1(config-router)#neighbor update-source Loopback0
Router1(config-router)#neighbor ebgp-multihop 3



In this example, we have shown the configuration for only one of the routers, although you will need to configure the ebgp-multihop keyword for the corresponding peer device as well.

This feature isn't a standard part of the BGP protocol, but several router vendors implement it. The standard behavior requires eBGP routers to be adjacent to one another.

You might want to use this feature, for example, if the router at the edge of either your AS or the AS you are connecting to doesn't support BGP. The router will also need to have a route to the destination device because it is not directly connected. We have included a static route for this purpose.

The ebgp-multihop keyword takes an optional argument, which can be any integer between 1 and 255. This represents the maximum number of hops between this router and the neighbor, which is used in the TTL field of the IP packet when establishing the peer connection. If you don't specify ebgp-multihop, the router will assume that the peers are adjacent and use a TTL value of 1. However, if you specify this keyword without an argument, the router will default to a TTL value of 255.

Note that you can cause some seriously strange routing problems by using a high TTL value with this option. Suppose you have two ISPs, and your connection to one of them becomes unavailable. The routers could discover another path to one another, and re-establish their BGP peer relationship through the second ISP. This would cause extremely inefficient routing. You can avoid this problem by using static host routes, directing traffic for each peer router through the correct circuit.

In general, we recommend using the lowest possible value that still reaches the destination. However, RFC 3682 describes another extremely interesting way of using this feature to improve security. The idea is that the only way that a packet can reach its destination with a TTL value of 254 or 255 is if the source is adjacent to the destination. If a more distant device were to attempt a BGP spoofing attack, the packets would arrive with a lower TTL value unless the attacker was also on a physically adjacent network.

So this reference suggests deliberately configuring your routers to use the highest possible TTL value. Then the routers would check the TTL value and discard any BGP packets with a TTL of less than 254. Cisco implemented this feature in IOS Version 12.3(7)T:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#router bgp 65500
Router1(config-router)#neighbor remote-as 65501
Router1(config-router)#neighbor ttl-security hops 1

If the peer device is running an older IOS that doesn't support this feature and is an eBGP peer, you can simply use the ebgp-multihop command to specify an initial TTL of 255:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#router bgp 65501
Router2(config-router)#bgp log-neighbor-changes
Router2(config-router)#neighbor remote-as 65500
Router2(config-router)#neighbor ebgp-multihop 255

However, you cannot configure the ttl-security option for one peer and use the ebgp-multihop option for this same peer:

Router1(config)#router bgp 65500
Router1(config-router)#neighbor ebgp-multihop 1
Remove ttl-security before configuring ebgp-multihop

You can also configure ttl-security for iBGP peers:

Router1(config)#router bgp 65500
Router1(config-router)#neighbor remote-as 65500
Router1(config-router)#neighbor ttl-security hops 1

However, while this is a useful feature, it is still not as secure as using MD5 authentication to secure your BGP peers. We discuss this method in Recipe 9.16.

See Also

Recipe 9.16; RFC 3682 by V. Gill et al., February 2004

Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon © 2008-2017.
If you may any questions please contact us: