Let's talk eBGP multihop/TTL security/connectivity check
So I did some digging around, as the concept of eBGP multihop vs TTL security just did not make sense to me.
Using this topology...(each device has a lo0 ip address--126.96.36.199 through 188.8.131.52)
Now, my understanding was that if we wish to create an eBGP neighbor relationship using loopbacks, we have to use eBGP multihop. My understanding was that this is necessary because the default TTL of 1 will be decremented to 0 in transit and the packet will get dropped.
Then how come I can create a neighbor relationship from Mario (1.1.1.) to Bowser (184.108.40.206) with eBGP multihop of 2 configured?
So with the default eBGP multihop of 1 configured, if you do a show ip bgp neighbor 220.127.116.11 on Mario, you will see the following:
"External BGP neighbor not directly connected."
What if I change the ebgp multihop value to 2?
"Connection is ECN Disabled"
Ok.......with that logic, that means that any ebgp multihop value >1 will auto-disable the connectivity check. But that isn't fair..why can't we configure an eBGP multihop value of 1 to disable the connectivity check? Well, if the device is only one hop away, you can manually disable the connectivity check: "neighbor 18.104.22.168 disable-connected-check" on Mario and "neighbor 22.214.171.124 disable-connected-check" on Luigi essentially does the same as eBGP multihop with a value greater than or equal to 2 (while keeping the default outgoing TTL). Alternatively, you can set the ttl-security hops value to 2 (using 1 isn't even allowed...).
Something interesting about TTL security. By default, the outgoing TTL for an eBGP neighbor relationship is only 1. We can override this with eBGP multihop or TTL security. How's that?
From Mario's perspective to get to Bowser:
"Connection is ECN Disabled, Minimum incoming TTL 253, Outgoing TTL 255"
So Mario doesn't care about its own outgoing TTL (which is set to 255)..but more so cares about the incoming TTL. By configuring both for a TTL-security hops value of 2, it further proves that using the loopback as the TCP connection source isn't what is breaking the neighbor relationship....but the connectivity check instead (also disabled when TTL-Security is enabled).
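To make the three knobs above easy to compare, here is an added Python model (not from the original post, and not Cisco code) of how the connectivity check, the outgoing TTL and the GTSM minimum-incoming-TTL interact. The `NeighborCfg`, `Peer` and verdict strings are my own constructions; only the IOS defaults and the "not directly connected" message come from the post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class NeighborCfg:
    """Per-neighbor knobs from the post, with IOS defaults."""
    ebgp_multihop: int = 1                   # default outgoing TTL of 1
    ttl_security_hops: Optional[int] = None  # 'neighbor X ttl-security hops N'
    disable_connected_check: bool = False    # 'neighbor X disable-connected-check'

@dataclass
class Peer:
    router_hops: int           # 1 = adjacent router, 2 = one router in between
    on_connected_subnet: bool  # False when peering between loopbacks

def outgoing_ttl(cfg: NeighborCfg) -> int:
    # ttl-security always sends 255; otherwise the multihop count is the TTL
    return 255 if cfg.ttl_security_hops is not None else cfg.ebgp_multihop

def min_incoming_ttl(cfg: NeighborCfg) -> int:
    # GTSM threshold is 255 - hops; without ttl-security any TTL >= 1 is fine
    return 255 - cfg.ttl_security_hops if cfg.ttl_security_hops is not None else 1

def connected_check_enabled(cfg: NeighborCfg) -> bool:
    # any one of the three knobs switches the connectivity check off
    return not (cfg.ebgp_multihop > 1 or cfg.ttl_security_hops is not None
                or cfg.disable_connected_check)

def accept_inbound(local: NeighborCfg, remote_out_ttl: int, peer: Peer) -> str:
    """Verdict of the local router on a BGP packet arriving from this peer."""
    if connected_check_enabled(local) and not peer.on_connected_subnet:
        return "External BGP neighbor not directly connected."
    # every intermediate router decrements TTL; a packet reaching 0 is dropped
    arriving = remote_out_ttl - (peer.router_hops - 1)
    if arriving < 1:
        return "packet expired in transit (TTL 0)"
    if arriving < min_incoming_ttl(local):
        return f"dropped by ttl-security: TTL {arriving} < {min_incoming_ttl(local)}"
    return "OK"

def session_state(a: NeighborCfg, b: NeighborCfg, peer: Peer) -> str:
    """A session only forms when each side accepts the other's packets."""
    for local, remote in ((a, b), (b, a)):
        verdict = accept_inbound(local, outgoing_ttl(remote), peer)
        if verdict != "OK":
            return verdict
    return "Established"
```

With both sides at `ttl_security_hops=2`, a packet from a host five routers away arrives with TTL 251 and is refused (below the minimum of 253) even though it left with 255, which is the protection GTSM adds over plain multihop.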
I feel as if I may have rambled, but hey..if you were in the same boat as me, it might help.