[c-nsp] inter-as mp-bgp with ttl-security issue

Vitkovsky, Adam avitkovsky at emea.att.com
Wed Jan 4 09:42:45 EST 2012


Hi,
I've only used the "disable-connected-check" cmd to enable an eBGP session between loopbacks of two directly connected routers without using the "ebgp-multihop" cmd (e.g. opt. B type of peering between ASBRs' loopbacks).

Anyway, I've tried "disable-connected-check" along with the "ttl-security" cmd and still get the same error.
 
I guess it just doesn't like the MPLS label that comes with the next-hop for the VPN route.
I bet that if I used pure IGP to derive the next hop, this would work,
because in my case I'm learning the next-hop for the VPN route (PE loopback) directly from the ASBR over a BGP IPv4 + label session (so that I keep the P-core IGP clear of other AS loopbacks).

adam
-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de] 
Sent: Tuesday, January 03, 2012 8:37 PM
To: Vitkovsky, Adam
Cc: 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] inter-as mp-bgp with ttl-security issue

Hi,

On Tue, Jan 03, 2012 at 05:51:37PM +0100, Vitkovsky, Adam wrote:
> Now here's the catch:
> If I decide to use "ttl-security" in the session template on both ends I won't get routing updates across the established session
> Reason according to debug: -- DENIED due to: non-connected MP_REACH NEXTHOP;, label 18

Unless you use "ebgp-multihop" or "disable-connected-check", the
next-hop received must be in a locally connected(!) subnet on the
receiving side.

> - which is not true, as the Inter-AS route reflector has a route to the originating PE in the other AS; the route is pointing to the ASBR connecting to the other AS

... which is not "connected".  Very much not so :-)

Note that it doesn't tell you "non-reachable ... NEXTHOP" but "non-connected".

gert
    no 4-letter certificates
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


