nerdexam
Cisco

352-001 · Question #545

Refer to the exhibit. Transit traffic in this large enterprise campus network passes the eBGP core. Per security policy, traffic coming from AS 65444 destined for AS 65466 and vice-versa must pass thr

The correct answer is C. Apply next-hop self on both BGP neighbors on AS 65400. On a shared broadcast segment, eBGP peers can resolve next-hops directly to each other, bypassing the intended transit AS. Applying next-hop self on AS 65400 forces all traffic to route through it.

Layer 3 Control Plane

Question

Refer to the exhibit. Transit traffic in this large enterprise campus network passes the eBGP core. Per security policy, traffic coming from AS 65444 destined for AS 65466 and vice-versa must pass through AS 65400. An audit discovers that traffic between 65444 and 65466 did not pass through 65400, instead it is communicating directly. How must you design BGP to ensure that the traffic from AS 65444 destined for AS 65466 passes through AS65400 on this broadcast network?

Exhibit

352-001 question #545 exhibit

Options

  • AApply an ACL on AS 65466 to drop the direct traffic between AS 65444 and AS 65466
  • BApply AS-path prepending on AS 65466 and AS 65444
  • CApply next-hop self on both BGP neighbors on AS 65400
  • DApply the MED attribute on the BGP session for AS 65444

How the community answered

(34 responses)
  • A
    12% (4)
  • B
    6% (2)
  • C
    68% (23)
  • D
    15% (5)

Why each option

On a shared broadcast segment, eBGP peers can resolve next-hops directly to each other, bypassing the intended transit AS. Applying next-hop self on AS 65400 forces all traffic to route through it.

AApply an ACL on AS 65466 to drop the direct traffic between AS 65444 and AS 65466

An ACL would drop the traffic entirely rather than redirecting it through AS 65400, which violates connectivity requirements.

BApply AS-path prepending on AS 65466 and AS 65444

AS-path prepending influences path selection by making a path appear longer, but it does not change the next-hop attribute on the shared broadcast segment and does not force traffic through AS 65400.

CApply next-hop self on both BGP neighbors on AS 65400Correct

On a multi-access broadcast network, eBGP by default preserves the original next-hop attribute, so AS 65466 can resolve routes from AS 65444 directly via their shared segment IP without traversing AS 65400. Configuring next-hop self on AS 65400's eBGP sessions causes AS 65400 to advertise itself as the next-hop for all routes it re-advertises, forcing traffic to flow through AS 65400 as the security policy requires.

DApply the MED attribute on the BGP session for AS 65444

MED is used to influence inbound traffic selection between multiple entry points into a single AS and does not control the transit path across the broadcast segment.

Concept tested: BGP next-hop self on multi-access broadcast networks

Source: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13751-next-hop.html

Topics

#BGP next-hop-self#eBGP#broadcast network#traffic policy

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice