Two routers configured to run BGP have been connected to a firewall, one on the inside interface
and one on the outside interface. BGP has been configured so the two routers should peer,
including the correct BGP session endpoint addresses and the correct BGP session hop-count
limit (EBGP multihop). What is a good first test to see if BGP will work across the firewall?
A. Attempt to TELNET from the router connected to the inside of the firewall to the router
connected to the outside of the firewall. If telnet works, BGP will work, since telnet and BGP both
use TCP to transport data.
B. Ping from the router connected to the inside interface of the firewall to the router connected to
the outside interface of the firewall. If you can ping between them, BGP should work, since BGP
uses IP to transport packets.
C. There is no way to make BGP work across a firewall without special configuration, so there is
no simple test that will show you if BGP will work or not, other than trying to start the peering
session.
D. There is no way to make BGP work across a firewall.
Explanation:
1. The question doesn’t say that you are passing the port parameter to the telnet session. In the
answer Cisco says “since telnet and BGP both use TCP to transport data,” meaning that TELNET
and BGP share TCP, with no mention of ports.
2. If you telnet to port 179, you are testing the path in only one direction, from the inside to the
outside. Yes, stateful firewalls will allow return traffic from the outside, but they won’t allow the
outside neighbor to initiate a session.
3. If the firewall is using NAT for outgoing traffic, which is common, you will be able to telnet to the
BGP peer, but the peer won’t be able to reach your router back if it needs to initiate a session.
4. The firewall can translate port 179 to 23 or anything else, which will give you a false positive on
your telnet test.
5. Answer C says that:
A) “There is no way to make BGP work across a firewall without special configuration.” Special
configuration refers to the firewall, since the question explicitly says that BGP has been
properly configured.
B) “Trying to start the peering session” will provide you with a definitive answer.
Therefore the correct answer is C.
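
Points 2 and 3 of the explanation, as an added example that is not part of the original page: a toy Python model of a stateful firewall showing that a successful inside-to-outside telnet says nothing about whether the outside peer can open TCP 179 toward the inside. The class, its default policy and all addresses are assumptions constructed for illustration.

```python
# Added illustration: a toy model of a stateful firewall, not a vendor implementation.
# All addresses are constructed documentation-range values.
from dataclasses import dataclass, field

INSIDE_RTR = "10.0.0.2"     # router on the inside interface (constructed)
OUTSIDE_RTR = "192.0.2.2"   # router on the outside interface (constructed)
BGP_PORT, TELNET_PORT = 179, 23

@dataclass
class StatefulFirewall:
    source_nat: bool = False                            # hide inside addresses on egress
    inbound_permits: set = field(default_factory=set)   # (inside_ip, port) opened from outside
    static_nat: dict = field(default_factory=dict)      # outside-visible ip -> inside ip

    def allows_new_session(self, src, dst, dport):
        """True if a new TCP session src -> dst:dport may be opened."""
        if src == INSIDE_RTR:
            # Assumed default policy: inside-initiated sessions are permitted
            # and their return traffic is matched by the state table.
            return True
        if self.source_nat:
            # The inside address is hidden; only a static translation makes
            # it reachable from outside. No mapping means no path at all.
            dst = self.static_nat.get(dst)
        return dst is not None and (dst, dport) in self.inbound_permits

def probe(fw, inside_addr_seen_by_peer=INSIDE_RTR):
    """Compare the telnet test with both directions of a TCP/179 session."""
    return {
        "telnet_inside_to_outside": fw.allows_new_session(INSIDE_RTR, OUTSIDE_RTR, TELNET_PORT),
        "bgp_inside_to_outside": fw.allows_new_session(INSIDE_RTR, OUTSIDE_RTR, BGP_PORT),
        "bgp_outside_to_inside": fw.allows_new_session(OUTSIDE_RTR, inside_addr_seen_by_peer, BGP_PORT),
    }

default_fw = StatefulFirewall()
nat_fw = StatefulFirewall(source_nat=True)
configured_fw = StatefulFirewall(
    source_nat=True,
    static_nat={"192.0.2.10": INSIDE_RTR},       # constructed public address
    inbound_permits={(INSIDE_RTR, BGP_PORT)},
)

if __name__ == "__main__":
    for name, fw, addr in [("default", default_fw, INSIDE_RTR),
                           ("source NAT", nat_fw, INSIDE_RTR),
                           ("static NAT + permit", configured_fw, "192.0.2.10")]:
        print(f"{name:20s} {probe(fw, addr)}")
```

Only the third firewall, which carries the "special configuration" that answer C refers to, lets the outside router open the session; the telnet result is identical in all three cases.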