protocols bgp <asn> neighbor <id> ttl-security hops <hops>
Sets the Time to Live (TTL) security hop count for a BGP neighbor.
The default for the hop count is 1 for eBGP connections.
- asn
- The number for the AS in which this router resides. The number ranges from 1 through 4294967295.
- id
- The IPv4 or IPv6 address of a BGP neighbor.
- hops
- The maximum number of hops away from the local peer from which a peering session is accepted. The number ranges from 1 through 254.
Configuration mode
protocols {
bgp asn {
neighbor id {
ttl-security {
hops hops
}
}
}
}
Use this command to set Time to Live (TTL) security for the local peer.
This option provides an additional level of security for eBGP peering sessions (the generalized TTL security mechanism, GTSM, of RFC 5082). It helps defeat session hijacking and reset attempts made with spoofed packets by checking the TTL of incoming BGP packets: every router that forwards a packet decrements its TTL and no router can increase it, so a packet that arrives with a TTL still close to the maximum of 255 must have originated within the configured number of hops. With the default hop count of 1, only packets whose TTL is still 255 are accepted, and those can only come from a directly connected peer.
For eBGP peers, there are three possible configurations:
- By default, outgoing TTL is set to 1 and no checking is done on TTL of incoming packets.
- If ebgp-multihop is configured, the TTL for outgoing packets is set to that value and no checking is done on TTL of incoming packets.
- If ttl-security hops is configured, the TTL for outgoing packets is set to 255 and the TTL of incoming packets is compared against the value set for ttl-security hops.
Note that ttl-security hops cannot be configured at the same time as ebgp-multihop.
Packets are always dropped when their TTL reaches zero.
TTL security must be configured on both peers: a neighbor that still sends with the default TTL of 1 fails the check on the local peer and the session does not come up. It also offers no protection against an attacker on the directly connected segment, whose packets arrive with whatever TTL the attacker chose to send.
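The following model of the three eBGP configurations listed above is an added example, not code from the router or from this page. It assumes, which the page does not state, that the ttl-security check follows the GTSM rule of RFC 5082 as Quagga/FRR implement it: an incoming packet is accepted only if its TTL is at least 256 minus the configured hops, so hops 1 accepts only TTL 255. The peer settings and hop distances are constructed for illustration; run it to see why the check must be enabled on both peers and why it does not help against a spoofer on the local segment.

```python
"""Model of default, ebgp-multihop and ttl-security TTL handling (added example)."""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255


@dataclass(frozen=True)
class EbgpPeer:
    """TTL-related settings of one eBGP neighbor statement (constructed model)."""
    multihop: Optional[int] = None            # ebgp-multihop <ttl>, if set
    ttl_security_hops: Optional[int] = None   # ttl-security hops <hops>, if set

    def __post_init__(self) -> None:
        if self.multihop is not None and self.ttl_security_hops is not None:
            raise ValueError("ttl-security hops and ebgp-multihop are mutually exclusive")
        if self.ttl_security_hops is not None and not 1 <= self.ttl_security_hops <= 254:
            raise ValueError("hops must be in the range 1 through 254")

    def outgoing_ttl(self) -> int:
        """TTL this peer writes into the packets it sends."""
        if self.ttl_security_hops is not None:
            return MAX_TTL            # ttl-security: always send with 255
        if self.multihop is not None:
            return self.multihop      # ebgp-multihop: send with the configured TTL
        return 1                      # default eBGP

    def accepts_incoming_ttl(self, ttl: int) -> bool:
        """Does this peer accept a packet that arrived with the given TTL?"""
        if ttl <= 0:
            return False              # expired in transit: always dropped
        if self.ttl_security_hops is None:
            return True               # default and ebgp-multihop: no TTL check
        # Assumed GTSM rule (RFC 5082 / Quagga): TTL >= 256 - hops
        return ttl >= MAX_TTL + 1 - self.ttl_security_hops


def ttl_on_arrival(initial_ttl: int, distance: int) -> int:
    """TTL seen by the receiver when the sender is `distance` hops away.

    distance 1 is a directly connected neighbor (nothing decrements the TTL);
    each further hop is one forwarding router, which decrements it by one.
    Returns 0 when the packet expires before arriving.
    """
    if distance < 1:
        raise ValueError("distance is at least 1")
    return max(initial_ttl - (distance - 1), 0)


def packet_accepted(local: EbgpPeer, initial_ttl: int, distance: int) -> bool:
    """Would `local` accept a packet sent with `initial_ttl` from `distance` hops away?"""
    return local.accepts_incoming_ttl(ttl_on_arrival(initial_ttl, distance))


def session_accepted(local: EbgpPeer, sender: EbgpPeer, distance: int) -> bool:
    """Would `local` accept the packets a configured peer `sender` emits from `distance` hops?"""
    return packet_accepted(local, sender.outgoing_ttl(), distance)


if __name__ == "__main__":
    default = EbgpPeer()
    secured = EbgpPeer(ttl_security_hops=1)
    multihop3 = EbgpPeer(multihop=3)

    # Directly connected peer, both sides running ttl-security hops 1: accepted
    print("secured <- secured, 1 hop:", session_accepted(secured, secured, 1))
    # Only the local side configured: the neighbor still sends TTL 1 and is rejected
    print("secured <- default, 1 hop:", session_accepted(secured, default, 1))
    # Spoofed packets crafted with TTL 255 three hops away arrive with 253: rejected
    print("secured <- spoof, 3 hops:", packet_accepted(secured, MAX_TTL, 3))
    # ebgp-multihop does no checking, so the same spoofed packets are accepted
    print("multihop3 <- spoof, 3 hops:", packet_accepted(multihop3, MAX_TTL, 3))
    # Limitation: a spoofer on the local segment is indistinguishable from the peer
    print("secured <- spoof, 1 hop:", packet_accepted(secured, MAX_TTL, 1))
```

The interesting comparison is the pair of three-hop cases: with ebgp-multihop the session is reachable from three hops away and so is any spoofer that far away, whereas ttl-security hops 1 keeps the reachability of a directly connected session while discarding everything that crossed a router.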
Use the set form of this command to specify the hop count.
Use the delete form of this command to return the system to its default.
Use the show form of this command to view the parameter configuration.