Control Plane Protection for EBGP Traffic | Cisco Exam 400-251


Question

You are preparing Control Plane Protection configurations for implementation on a router whose EBGP peering address is 1.1.1.2.

Which ACL statement can you use to classify the related traffic into the EBGP traffic compartment?

Correct answer: A

Explanation

Control Plane Protection (CPPr) extends Control Plane Policing: instead of one aggregate policy on the control plane, it lets you attach separate policies to the control-plane host, transit and CEF-exception subinterfaces. Traffic is classified with class-maps that reference ACLs, and the policy-map attached under `control-plane host` (with `service-policy input`) then polices or drops each class.

In this question we need to put the EBGP session into its own class so it can be policed independently of the rest of the control-plane traffic. The classification ACL therefore has to match the BGP packets as they arrive at the router's control plane: the source is the neighbour, the destination is the router's own peering address (1.1.1.2), and the TCP ports are 179 (`bgp`) on whichever side accepted the session and an ephemeral port on the side that opened it. Because either BGP speaker may open the TCP session, two entries are needed, one per direction. A `permit` in a classification ACL means "place in this class"; it does not by itself allow or block anything, and packets the ACL does not permit simply fall through to `class-default`.

Let's examine each answer option in detail:

A. permit tcp host 1.1.1.1 gt 1024 host 1.1.1.2 eq bgp permit tcp host 1.1.1.1 eq bgp host 1.1.1.2 gt 1024

The first entry matches TCP from the neighbour 1.1.1.1 on an ephemeral port (greater than 1024) to the router's peering address 1.1.1.2 on port 179, i.e. a session the neighbour opened. The second entry matches TCP from 1.1.1.1 port 179 to 1.1.1.2 on an ephemeral port, i.e. the return leg of a session the router opened. The destination in both entries is the router's own EBGP peering address, so this ACL matches exactly the EBGP session with 1.1.1.1 in both directions and nothing else. This is the correct classifier.

B. permit tcp host 1.1.1.2 gt 1024 host 1.1.1.2 eq bgp permit tcp host 1.1.1.2 eq bgp host 1.1.1.2 gt 1024

Both entries use 1.1.1.2 as source and destination, so they could only match a packet the router sent to itself. Packets from the EBGP neighbour arrive with the neighbour's address as the source, so this ACL never matches the peering traffic and the session would fall into class-default.

C. permit tcp host 10.1.1.1 gt 1024 host 10.1.1.2 eq bgp permit tcp host 10.1.1.1 eq bgp host 10.1.1.2 gt 1024

These two entries have the right shape (one per direction, neighbour as source, router as destination), but they are written for the addresses 10.1.1.1 and 10.1.1.2, neither of which is the router's peering address 1.1.1.2. They do not match this router's EBGP traffic.

D. permit tcp host 1.1.1.1 gt 1024 host 1.1.1.1 eq bgp

A single entry with 1.1.1.1 as both source and destination. It never matches traffic arriving at this router's control plane, whose destination is 1.1.1.2, and even with the right addresses a single entry would only cover the direction in which the neighbour opens the session.

Therefore, the ACL that classifies this router's EBGP traffic into its own compartment is A: permit tcp host 1.1.1.1 gt 1024 host 1.1.1.2 eq bgp, together with permit tcp host 1.1.1.1 eq bgp host 1.1.1.2 gt 1024.
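To make the reasoning above checkable, here is an added example (not from the exam page or from Cisco) that parses the four candidate ACLs in the `permit tcp host A [op port] host B [op port]` form used in the question and evaluates them against constructed BGP packets as they would arrive at the control plane of a router whose peering address is 1.1.1.2. The neighbour address 1.1.1.1 is assumed from the answer options, and the ephemeral ports 49152 and 35000 are made up for the sample flows.

```python
"""Evaluate the candidate IOS extended-ACL entries against sample BGP flows.

Added example, not the exam page's or Cisco's code. It supports only the
ACE shape used in the question and assumes the neighbour is 1.1.1.1.
"""
from dataclasses import dataclass
from typing import Callable

BGP_PORT = 179  # IOS resolves the keyword 'bgp' to TCP/179


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _parse_port(tokens: list[str], i: int) -> tuple[Callable[[int], bool], int]:
    """Parse an optional port operator at tokens[i]; return (predicate, next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        op, val = tokens[i], tokens[i + 1]
        port = BGP_PORT if val == "bgp" else int(val)
        preds = {
            "eq": lambda p: p == port,
            "gt": lambda p: p > port,
            "lt": lambda p: p < port,
            "neq": lambda p: p != port,
        }
        return preds[op], i + 2
    return (lambda p: True), i  # no operator means any port


def parse_ace(line: str) -> Callable[[Packet], bool]:
    """Turn 'permit tcp host SRC [op port] host DST [op port]' into a predicate."""
    t = line.split()
    if t[:3] != ["permit", "tcp", "host"]:
        raise ValueError(f"unsupported ACE: {line}")
    src_ip = t[3]
    src_ok, i = _parse_port(t, 4)
    if t[i] != "host":
        raise ValueError(f"unsupported ACE: {line}")
    dst_ip = t[i + 1]
    dst_ok, i = _parse_port(t, i + 2)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line}")
    return lambda p: (p.src_ip == src_ip and p.dst_ip == dst_ip
                      and src_ok(p.src_port) and dst_ok(p.dst_port))


def acl_matches(aces: list[str], pkt: Packet) -> bool:
    """IOS walks the entries top-down; any permit places the packet in the class."""
    return any(parse_ace(a)(pkt) for a in aces)


# The four answer options, split into one entry per line.
OPTIONS = {
    "A": ["permit tcp host 1.1.1.1 gt 1024 host 1.1.1.2 eq bgp",
          "permit tcp host 1.1.1.1 eq bgp host 1.1.1.2 gt 1024"],
    "B": ["permit tcp host 1.1.1.2 gt 1024 host 1.1.1.2 eq bgp",
          "permit tcp host 1.1.1.2 eq bgp host 1.1.1.2 gt 1024"],
    "C": ["permit tcp host 10.1.1.1 gt 1024 host 10.1.1.2 eq bgp",
          "permit tcp host 10.1.1.1 eq bgp host 10.1.1.2 gt 1024"],
    "D": ["permit tcp host 1.1.1.1 gt 1024 host 1.1.1.1 eq bgp"],
}

# Constructed sample traffic as seen by the control plane of the router at 1.1.1.2.
PEER_INITIATED = Packet("1.1.1.1", 49152, "1.1.1.2", BGP_PORT)    # neighbour opened the session
ROUTER_INITIATED = Packet("1.1.1.1", BGP_PORT, "1.1.1.2", 35000)  # return leg of a session we opened
STRAY = Packet("10.1.1.1", 49152, "1.1.1.2", BGP_PORT)            # unknown source, must not classify


def classify_all(pkt: Packet) -> dict[str, bool]:
    """Which answer options would place this packet into the EBGP class."""
    return {name: acl_matches(aces, pkt) for name, aces in OPTIONS.items()}


def options_covering_both_directions() -> list[str]:
    """Options that match the session whichever BGP speaker opened the TCP connection."""
    return sorted(n for n in OPTIONS
                  if classify_all(PEER_INITIATED)[n] and classify_all(ROUTER_INITIATED)[n])


if __name__ == "__main__":
    for label, pkt in (("peer-initiated", PEER_INITIATED),
                       ("router-initiated", ROUTER_INITIATED),
                       ("stray", STRAY)):
        print(f"{label:17} {classify_all(pkt)}")
    print("covers both directions:", options_covering_both_directions())
```

Running it shows that only option A classifies both the peer-initiated and the router-initiated leg, that B and D can never match a packet from the neighbour because their source and destination are the same host, and that a BGP packet from an unlisted source does not land in the EBGP class, which is what you want before you police that class aggressively.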