ccie blog

BGP Disable-Connected-Check vs eBGP Multihop

Disable-connected-check enables a directly connected eBGP neighbor to peer using a loopback address without adjusting the default TTL of 1. Normally, for an eBGP neighbor statement, the router checks that the neighbor is listed as directly connected in the routing table. If eBGP neighbors peer using loopbacks, the neighbor's IP address will not be listed as directly connected in the routing table, so this check cannot succeed. This is why you normally need neighbor x.x.x.x ebgp-multihop 2 as a minimum for the neighbor to come online (if using eBGP multihop). Not because the neighbor is two hops away, but simply because the router checks, “is the IP address in the neighbor statement actually on the same subnet as any of my local interfaces?”. If the answer is no, the router assumes the neighbor must be more than one hop away.

But if we use the disable-connected-check syntax, this check is skipped and a TTL of 1 is accepted. It is therefore compulsory that the neighbor is never more than one hop away when using this command: it does not adjust any TTL value, it only affects the check of whether the neighbor's IP is on a directly connected subnet in the routing table. The difference with eBGP multihop is that you can specify how many hops away a neighbor is allowed to be; there you are actually adjusting the TTL instead.

In the diagram below, I’m going to start by configuring BGP between R1 and R2 using loopbacks over their directly connected fa0/0 interfaces with disable-connected-check.

R1(config-router)#neighbor 2.2.2.2 remote-as 2
R1(config-router)#neighbor 2.2.2.2 update-source lo0
R1(config-router)#neighbor 2.2.2.2 disable-connected-check
R1(config-router)#ip route 2.2.2.2 255.255.255.255 12.12.12.2
R1(config)#
*Mar 1 00:17:22.095: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Up

R2(config)#router bgp 2
R2(config-router)#neighbor 1.1.1.1 remote-as 1
R2(config-router)#neighbor 1.1.1.1 update-source lo0
R2(config-router)#neighbor 1.1.1.1 disable-connected-check
R2(config-router)#ip route 1.1.1.1 255.255.255.255 12.12.12.1
R2(config)#
*Mar 1 00:17:22.083: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

As you can see, the neighbors came straight up. If I now try to use the path via R1-R3-R4-R2, i.e. a path that is not directly connected, the neighbors will not establish a session because the TTL will only be set to 1, which causes a reachability problem. This is shown below.

R2(config)#int fa0/0
R2(config-if)#shut
R2(config-if)#no ip route 1.1.1.1 255.255.255.255 12.12.12.1
R2(config-if)#ip route 1.1.1.1 255.255.255.255 24.24.24.2
//Note that 24.24.24.2 = R4//
R2(config)#end

R1(config)#int fa0/0
R1(config-if)#shut
R1(config-if)#no ip route 2.2.2.2 255.255.255.255 12.12.12.2
R1(config-if)#ip route 2.2.2.2 255.255.255.255 13.13.13.2
//Note that 13.13.13.2 = R3//
R1(config-if)#do ping 2.2.2.2 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/80 ms

R1(config-if)#
R1(config-if)#
*Mar 1 00:25:23.763: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Down BGP Notification sent
R1(config-if)#
*Mar  1 00:25:23.763: %BGP-3-NOTIFICATION: sent to neighbor 2.2.2.2 4/0 (hold time expired) 0 bytes

R1#sh ip bgp sum
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4     2       8      12        0    0    0 00:04:33 Active

So because the neighbor is no longer one hop away, the session drops: the hold time expires and a notification is sent. However, if I use ebgp-multihop instead of disable-connected-check, the session will form (because we increased the TTL). This is shown below.

R1(config)#router bgp 1
R1(config-router)#no neighbor 2.2.2.2 disable-connected-check
R1(config-router)#neighbor 2.2.2.2 ebgp-multihop 3

R2(config)#router bgp 2
R2(config-router)#no neighbor 1.1.1.1 disable-connected-check
R2(config-router)#neighbor 1.1.1.1 ebgp-multihop 3

*Mar 1 00:41:45.159: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

R2#sh ip bgp sum
BGP router identifier 2.2.2.2, local AS number 2
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4     1      27      31        1    0    0 00:15:02      0

In conclusion, if you want to use the disable-connected-check feature, ensure the neighbor is directly connected. Otherwise, you need to use ebgp-multihop or ttl-security to establish the session.
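The cases walked through above can be reproduced with a small Python model of the two decisions involved, the connected check and the TTL budget. This is an added example, not code from the original post or from IOS; it is a simplified model, the function names are hypothetical, and the /24 masks and R1's 13.13.13.1 address are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Neighbor:
    address: str
    disable_connected_check: bool = False
    ebgp_multihop: Optional[int] = None  # N from "ebgp-multihop N"

def outgoing_ttl(n: Neighbor) -> int:
    # eBGP packets leave with TTL 1 unless ebgp-multihop raises it.
    return n.ebgp_multihop or 1

def passes_connected_check(n: Neighbor, connected: List[str]) -> bool:
    # Either option skips the check; otherwise the neighbor address must
    # fall inside the subnet of a local interface.
    if n.disable_connected_check or n.ebgp_multihop:
        return True
    addr = ipaddress.ip_address(n.address)
    return any(addr in ipaddress.ip_interface(c).network for c in connected)

def session_outcome(n: Neighbor, connected: List[str], transit_routers: int) -> str:
    # transit_routers: routers that forward the packet (each one
    # decrements the TTL) between the two peers.
    if not passes_connected_check(n, connected):
        return "blocked by connected check"
    if outgoing_ttl(n) - transit_routers < 1:
        return "TTL expired in transit"
    return "established"

# Constructed inputs: peer addresses are from the post; the /24 masks and
# R1's own 13.13.13.1 address are assumptions.
R1_DIRECT = ["12.12.12.1/24"]   # fa0/0 up, R2 is adjacent
R1_VIA_R3 = ["13.13.13.1/24"]   # fa0/0 shut, path R1-R3-R4-R2

def scenarios() -> Dict[str, str]:
    dcc = Neighbor("2.2.2.2", disable_connected_check=True)
    return {
        "interface peering, direct": session_outcome(Neighbor("12.12.12.2"), R1_DIRECT, 0),
        "loopback, no option, direct": session_outcome(Neighbor("2.2.2.2"), R1_DIRECT, 0),
        "disable-connected-check, direct": session_outcome(dcc, R1_DIRECT, 0),
        "disable-connected-check, via R3-R4": session_outcome(dcc, R1_VIA_R3, 2),
        "ebgp-multihop 3, via R3-R4": session_outcome(
            Neighbor("2.2.2.2", ebgp_multihop=3), R1_VIA_R3, 2),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:36} -> {result}")
```

The model also shows why disable-connected-check is the narrower setting for adjacent loopback peers: the TTL stays at 1, so the session packets cannot survive being forwarded by another router.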

10 Comments

Kirtikumar, June 22nd, 2014 at 7:51 pm

Thanks, good explanation.

Samir Pawar, August 25th, 2014 at 10:30 am

Nice one… very effectively and simply explained…

Guillaume Noumen, October 10th, 2014 at 3:52 am

Good explanation. It helped me solve an issue.

nanis, June 14th, 2015 at 7:05 am

Really good explanation. Thanks.

Mohit Teotia, December 3rd, 2015 at 6:34 pm

We are very thankful to you for sharing a very good and great explanation.

Rahul Maurya, January 7th, 2016 at 7:32 am

Good explanation. Thanks

StephenGarbett, March 21st, 2016 at 10:58 am

This is copyright infringement. Remove my material from your website.

Tom, January 24th, 2017 at 12:28 am

Great post. Really made things clear for me. Thanks for taking the time to put this together!

Sancchit, April 13th, 2017 at 1:22 pm

Great explanation!
