H2+ Variation in Section 4.1



Nobita
04-15-2018, 04:48 AM
I just got a message from my friend. He took the exam last week and got H2+. He told me that in section 4.1, Cisco asked the following:

Configure the network as per the following requirements:
• Protect R17’s control-plane from TTL expiry attacks so that IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.
• Legit packets include expected control protocols running on the link.
• Not allowed to configure a “deny” statement.

Any ideas about this situation? Please share.

Robin
04-15-2018, 04:55 AM
I just got a message from my friend. He took the exam last week and got H2+. He told me that in section 4.1, Cisco asked the following:

Configure the network as per the following requirements:
• Protect R17’s control-plane from TTL expiry attacks so that IP packets with a TTL of 0 or 1 are dropped before the CPU processes them.
• Legit packets include expected control protocols running on the link.
• Not allowed to configure a “deny” statement.

Any ideas about this situation? Please share.

That is my solution for this variation

**Hidden Content: Check the thread to see hidden data.**

CiscoCCDE
04-15-2018, 04:59 AM
Thanks for sharing.

Nobita
04-15-2018, 07:46 AM
That is my solution for this variation

***Hidden content cannot be quoted.***

Thanks, any ideas if Cisco asks: Not allowed to configure a “permit” statement?

Robin
04-15-2018, 07:48 AM
Thanks, any ideas if Cisco asks: Not allowed to configure a “permit” statement?

Some guys just mentioned this statement, but from my view, I don't think there is a solution for this statement. Anyone have an idea about this case?

yiya
04-15-2018, 02:12 PM
Thanks for sharing

lantien
08-20-2018, 02:47 PM
Thanks for sharing

freebsd321
08-22-2018, 09:22 AM
That is my solution for this variation

***Hidden content cannot be quoted.***

Thanks for solution.

BGP123
10-19-2018, 10:18 AM
thanks for sharing

alanhcisco
01-01-2019, 09:25 AM
Thanks for solution. !!

Mee
01-02-2019, 10:19 AM
Thanks for sharing.

JimmyLO89
02-03-2019, 06:46 PM
thanks for the info

Hottpants
02-10-2019, 05:47 PM
Looks correct; thanks for the info.

alanhcisco
02-15-2019, 07:22 AM
Thanks!
On H2, in the Merging section, do we need to go for the LOCAL-AS option towards the RR (R1)? So we need to delete and re-create BGP with a new process ID (like we do in H2+)?

ASN373
02-17-2019, 07:00 AM
You need to add the following in TTL1:

permit udp any any

Otherwise any traceroute from the spokes (R19, R20, R21) to the rest of the network will show the following in the traceroute output:

1. * * *

ASN373
02-17-2019, 07:02 AM
If the output asks you to have (65001 65001), then use as-override on the PE routers.

If the output asks you to have (65001 65002), then use allowas-in on the CE routers.

mrlee
02-18-2019, 06:37 AM
thanks for sharing

brightsyds
04-20-2019, 01:52 AM
That is my solution for this variation

***Hidden content cannot be quoted.***

"Thanks!"

johnspain
04-20-2019, 07:29 AM
I think it is more accurate to add the port range:
ip access-list extended PASS-TTL
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
permit pim any any
permit esp any any
permit gre any any
permit udp any any eq 500
permit udp any any eq 4500
! UDP probe ports used by traceroute
permit udp any any range 33434 33534
!
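One way to meet the requirement quoted in the first post while using only permit statements is to put the exclusion in the class-map rather than in an ACL. This is an added example, not any poster's hidden solution; the names PASS-TTL, LOW-TTL, TTL-EXPIRY and COPP and the list of control protocols are assumptions.

```cisco
! Added example; ACL, class and policy names are assumptions.
!
! 1. Permit-only ACL for control protocols that legitimately arrive with
!    TTL 1 on the link (OSPF, BGP, PIM, IPsec/GRE, traceroute probes).
ip access-list extended PASS-TTL
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit pim any any
 permit esp any any
 permit gre any any
 permit udp any any eq 500
 permit udp any any eq 4500
 permit udp any any range 33434 33534
!
! 2. Permit-only ACL that matches the expiring packets themselves.
ip access-list extended LOW-TTL
 permit ip any any ttl range 0 1
!
! 3. match-all class: TTL 0/1 AND NOT an expected control protocol.
!    "match not" carries the exclusion, so no ACL needs a deny line.
class-map match-all TTL-EXPIRY
 match access-group name LOW-TTL
 match not access-group name PASS-TTL
!
! 4. Drop that class in a CoPP policy on the control plane, so punted
!    TTL-expiry packets are discarded before the route processor handles
!    them; everything else falls into class-default untouched.
policy-map COPP
 class TTL-EXPIRY
  drop
!
control-plane
 service-policy input COPP
!
! Verify hit counters with:
!   show policy-map control-plane input class TTL-EXPIRY
```

Whether TTL matching inside a class-map is honoured depends on the platform and image, so confirm the counters increment on the lab's router before relying on it.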

mahmood.mazin87
07-27-2019, 10:28 AM
Looks correct; thanks for the info.

fazerque
01-13-2020, 05:28 PM
Thank you for sharing m8.

fazerque
01-13-2020, 05:35 PM
...............................

prakruthi.11
01-15-2020, 09:18 PM
That is my solution for this variation

***Hidden content cannot be quoted.***


celt2005
05-07-2020, 05:46 PM
I think it is more accurate to add the port range:
ip access-list extended PASS-TTL
permit ospf any any
permit tcp any any eq bgp
permit tcp any eq bgp any
permit pim any any
permit esp any any
permit gre any any
permit udp any any eq 500
permit udp any any eq 4500
! UDP probe ports used by traceroute
permit udp any any range 33434 33534

driiitos
04-01-2021, 07:03 PM
Thanks for sharing this solution here. It is exactly what I was looking for recently. And I have failed to find proper information on the Internet until I came to this forum. Where are you from? I am from https://worldcams.tv/united-states/new-york/times-square . When I have more free time, I will definitely return to this forum to look through all other threads.

Lovepiece
04-19-2021, 02:31 PM
Thanks! That's a lot of help