What Is EBGP Multihop in Networking?
Also known as: EBGP Multihop, BGP multihop, EBGP multihop configuration, Cisco ENCOR BGP, EBGP multihop exam
Quick Definition
EBGP Multihop lets routers that are several network hops apart become BGP neighbors. Normally, BGP requires a direct connection, but multihop removes that restriction. This is useful when you want to connect routers across multiple intermediate devices for redundancy or policy reasons.
Must Know for Exams
EBGP Multihop is a topic that appears in several Cisco certification exams, most notably the CCNP Enterprise 350-401 ENCOR (Implementing and Operating Cisco Enterprise Network Core Technologies). In the ENCOR exam, BGP is a major topic under the section on Layer 3 technologies. Candidates must understand the difference between EBGP and IBGP, and specifically the default TTL behavior of EBGP.
The exam objectives explicitly include the ability to configure and verify EBGP Multihop. Questions often present a scenario where two routers are not directly connected and ask the candidate to choose the correct configuration to establish a BGP session. The exam also tests the concept of loopback peering combined with EBGP Multihop, which is a common design pattern.
In troubleshooting questions, the candidate may be given a show command output showing that an EBGP neighbor is in idle or active state because the TTL is too low. The correct fix would be to increase the TTL using the ebgp-multihop command. The exam also tests understanding of the interaction between EBGP Multihop and the TTL security feature; the two are mutually exclusive in some Cisco implementations, and the exam may ask which command to use in which situation.
In the CCNP SP (Service Provider) and CCIE written exams, EBGP Multihop is also important because service providers commonly peer across an internal core. The exams may include advanced topics like BGP multipath, load balancing, and the use of multihop for route reflection between confederation sub-ASes. For the CCNA exam, EBGP Multihop is not covered in depth, but basic BGP concepts including the direct neighbor requirement are introduced.
So for CCNA, the focus is on the default behavior. For CCNP and above, the exam expects you to know the configuration and troubleshooting of multihop. A typical exam question might present a diagram with three routers in a row: R1 connected to R2, and R2 connected to R3.
The task is to configure EBGP between R1 and R3. The candidate must realize that R1 and R3 are not directly connected and therefore EBGP Multihop must be configured on both sides. The answer would include the command neighbor 10.0.0.3 ebgp-multihop 2.
The exam also tests the concept of update-source, often used together with multihop when peering to a loopback. The exam may ask why the ebgp-multihop command is necessary for loopback peering, and the correct answer is that loopback interfaces are always more than one hop away from the physical link.
Another common exam trap is that candidates think the TTL is automatically adjusted when using loopback interfaces, but it is not; the TTL must be set explicitly with ebgp-multihop or ttl-security.
Simple Meaning
Imagine you work in a large office building and you need to pass a note to a colleague on a different floor. The simplest way is to hand it directly to them if they are next to you. If they are on another floor, you might have to give the note to a messenger who walks it through several hallways and up stairs.
That is a direct one-step handoff versus a multistep journey. EBGP Multihop is like allowing the note to be passed through multiple messengers, as long as the final colleague is reached. In networking, EBGP (External Border Gateway Protocol) is used to exchange routing information between different autonomous systems, like different companies or different parts of the internet.
Normally, EBGP requires the two routers to be directly connected by a cable so they can talk immediately. But with EBGP Multihop, you tell the routers: It is okay to talk even if there are other routers in between. Think of it like a long-distance phone call.
You and your friend can talk even though your voices travel through many telephone poles and switching stations. The phone system handles the middle part for you. In the same way, EBGP Multihop uses the underlying IP routing of the network to deliver BGP messages across multiple hops, so the two routers can become neighbors without a direct wire.
The key point is that the BGP session itself is logically direct, but physically it travels through intermediate routers. The intermediate routers do not need to know anything about BGP; they simply forward the BGP packets like any other IP traffic. This gives network engineers flexibility to place BGP routers anywhere in the topology, not just at the end of a direct link.
Full Technical Definition
EBGP Multihop is a configuration parameter used in Border Gateway Protocol (BGP) to establish an External BGP (EBGP) peering session between two routers that are not directly connected at Layer 2. In standard BGP operation, an EBGP session requires that the two peers be directly connected via a single Layer 2 link (for example, a point-to-point Ethernet cable or a serial line). The IP addresses used for the peering must be on the same subnet, and the Time-to-Live (TTL) value in the BGP packet header is set to 1 by default.
This TTL of 1 ensures that the packet cannot traverse any router; it must reach the neighbor within one hop. EBGP Multihop modifies this behavior by allowing the administrator to increase the TTL value to a higher number, typically 2 or more, enabling the BGP packets to pass through intermediate routers. The configuration command in Cisco IOS is "neighbor <ip-address> ebgp-multihop <hops>", where <hops> specifies the maximum number of Layer 3 hops the BGP packets are allowed to traverse.
The intermediate routers forward the BGP packets based on their IP routing tables; they do not process the BGP information themselves. This allows EBGP peering over an existing routed network, such as across a service provider backbone or a multi-router enterprise core. EBGP Multihop is often used in scenarios where a router needs to peer with a loopback interface of a remote router for redundancy.
For example, if a router has two upstream connections to two different providers, peering to the remote loopback address using multihop ensures that if one physical link fails, the BGP session can still be maintained over the other path. The BGP update source is often configured to use the loopback interface as the source IP for the TCP connection, which further enhances resilience. In terms of security and best practices, EBGP Multihop should be used with caution because it bypasses the direct connectivity requirement.
It can expose the BGP session to potential spoofing or denial of service attacks if not protected with features like TTL Security (GTSM) or MD5 authentication. In Cisco IOS, the "neighbor <ip-address> ttl-security hops <number>" command can restrict the allowed TTL range to prevent spoofed packets from outside the expected hop count. EBGP Multihop is also commonly used in MPLS L3VPN environments where provider edge (PE) routers need to peer with each other across the MPLS core.
The core routers forward the BGP packets transparently. Another important consideration is the maximum transmission unit (MTU) because BGP packets carrying large routing tables may be fragmented across multiple hops if the path MTU is not consistent. Network engineers must verify that the entire path supports the required MTU for BGP messages.
Real-Life Example
Think of a large university campus with many buildings. The main administration building has the central registrar's office, and each academic department has its own office in a separate building. The registrar needs to send official grade reports to each department.
The simplest way would be for a messenger to walk directly from the registrar's building to each department building and hand the report to the department secretary. That is like a direct connection. But the campus is big, so the registrar decides to use the internal campus mail system.
The registrar puts each grade report in an envelope and drops it in a campus mail bin. The campus mail system has many intermediate stops: the mail is sorted at a central hub, then carried by a truck to a secondary hub, then delivered to the department mailroom by a bicycle courier, and finally picked up by the secretary. The registrar never sees the intermediate stops; the system just delivers the envelope.
EBGP Multihop works similarly. The BGP messages are placed in IP packets (the envelopes) and sent through the network. The intermediate routers act like the sorting hubs and couriers, forwarding the packets toward the destination.
The two BGP routers do not need a direct wire; they just need the network to deliver the packets. If one path between the registrar and a department is blocked due to construction (a link failure), the campus mail system can reroute the envelope through another path. Likewise, with EBGP Multihop, if one intermediate router or link fails, the underlying IP routing can send the BGP packets via a different route, keeping the BGP session alive.
This is why multihop is often used with loopback interfaces: the loopback address is always reachable as long as any path exists in the network. Just like a department's mailing address (the loopback) is fixed, even if the physical building entrance changes, the mail will still arrive.
Why This Term Matters
EBGP Multihop matters because it gives network engineers flexibility and resilience in designing BGP peering relationships. In real IT work, especially in large enterprise networks, service provider networks, and data centers, you cannot always connect two BGP routers with a direct cable. Sometimes they are separated by a core network or a wide area network (WAN) with multiple routers in between.
Without multihop, you would need a direct link for every EBGP session, which is expensive, inefficient, and sometimes impossible. Multihop allows you to establish BGP sessions across an existing network infrastructure. This is critical for implementing BGP-based redundancy.
For example, if an enterprise has two connections to the internet from two different providers, the edge routers often use EBGP Multihop to peer with the provider routers using loopback interfaces. If one physical link goes down, the BGP session does not drop because the loopback is still reachable through the other provider or a backup link. This maintains routing stability and prevents traffic loss.
Multihop also enables route reflectors and BGP confederations in scenarios where EBGP peers are not directly connected. In cloud environments, virtual routers and software-defined networking (SDN) controllers often use multihop to establish EBGP sessions across overlay networks. Security is another reason why multihop matters.
By allowing BGP sessions over multiple hops, you can place BGP speakers in more secure locations, such as a dedicated management network, rather than exposing them directly to untrusted links. However, this also introduces security risks; if an attacker can inject packets into the path, they might hijack the BGP session. That is why features like TTL security and authentication are important companions to multihop.
For certification exams like the CCNP Enterprise (ENCOR), understanding EBGP Multihop is essential because it is a common configuration tweak that appears in troubleshooting scenarios and design questions. Knowing when to use it and when not to use it shows a deeper grasp of BGP behavior. Without multihop, many modern network designs would be far more rigid and less resilient.
How It Appears in Exam Questions
EBGP Multihop appears in multiple types of exam questions, including multiple-choice single answer, multiple-choice multiple answers, drag-and-drop, and simulation or lab-based questions. In multiple-choice questions, a common format is to present a network diagram with three routers: R1, R2, and R3 connected in series. R1 and R3 need to establish an EBGP session.
The question asks: What additional configuration is required beyond the basic BGP neighbor commands? The answer options might include 'set the TTL to 2 using ebgp-multihop', 'change the BGP AS number', 'enable BGP synchronization', or 'configure a route-map'. The correct answer is the ebgp-multihop command.
Another pattern is a troubleshooting scenario where the BGP session fails to establish. The output of show ip bgp summary shows the neighbor state as 'Idle' or 'Active'. The candidate is given several configuration snippets, one of which contains the ebgp-multihop command.
The question asks: Which configuration fix will resolve the issue? The correct answer is to add ebgp-multihop. In drag-and-drop questions, the candidate may need to match the correct BGP configuration commands to different scenarios.
One scenario might say 'BGP peers are not directly connected', and the candidate must drag the ebgp-multihop command into the correct box. Simulation questions on the exam (or in practice tools like Cisco Packet Tracer or EVE-NG) require the candidate to configure EBGP Multihop on two routers and then verify the neighbor state. The candidate must enter the correct router configuration mode, specify the neighbor IP address, and set the multihop value.
Follow-up verification questions may ask the candidate to check the output of show ip bgp neighbors or show ip route to confirm the session is established. In design-based questions, the candidate is given a high-level topology and asked to choose the best approach for EBGP peering between two remote sites connected via an MPLS WAN. The correct design would include EBGP Multihop with loopback interfaces for redundancy.
The exam may also present a scenario where a candidate incorrectly uses no ebgp-multihop and the session fails, leading to a troubleshooting question. The exam expects the candidate to understand that ebgp-multihop is required only when the neighbors are not on the same subnet. If the neighbors are on the same subnet but separated by a switch (Layer 2 only), then multihop is not needed because they are still directly connected at Layer 3.
Another tricky question: two routers are connected via a Layer 2 switch, but their IP addresses are in different subnets. In this case, even though they are physically connected through a switch, they are not on the same subnet, so EBGP Multihop is required. The exam may test this nuance.
Example Scenario
A company called TechFlow has two branch offices, one in New York and one in Chicago. The New York office has a router R1, and the Chicago office has a router R2. These two routers are connected through the company's WAN, which includes several intermediate routers in different cities.
The network team wants to run EBGP between R1 and R2 to exchange routing information about external networks. They know that EBGP normally requires a direct connection, but here R1 and R2 are many routers apart. The team decides to use EBGP Multihop.
They configure R1 with the command neighbor 192.168.2.2 ebgp-multihop 5, allowing the BGP packets to travel through up to five intermediate routers. They also set the update source to the loopback interface on both routers so that if the primary WAN link fails, the BGP session can still use a backup link.
After configuration, the BGP session comes up, and the routers exchange routes successfully. This scenario shows how EBGP Multihop enables BGP peering across a multi-hop routed network without requiring a direct physical link between the two branch routers.
Common Mistakes
Using EBGP Multihop when the routers are directly connected on the same subnet.
EBGP Multihop is unnecessary for directly connected peers because the default TTL of 1 is sufficient. Adding multihop can introduce unnecessary complexity and potential security risks by increasing the TTL.
Only configure EBGP Multihop when the BGP peers are not directly connected at Layer 3 (i.e., they are on different subnets or separated by intermediate routers).
Setting the multihop value too low, such as 1, thinking it matches the default.
Setting ebgp-multihop 1 does not change the default behavior; the TTL remains 1, which will not allow packets to traverse intermediate routers. For a session across multiple hops, the value must be at least 2 or higher depending on the path.
Calculate the number of Layer 3 hops between the peers and set the multihop value to at least that number. A common safe value is 2 for a single intermediate router, but for redundancy, many engineers use 255.
Forgetting to configure the update-source when using loopback interfaces with EBGP Multihop.
When peering to a loopback interface, the BGP packets must be sourced from the loopback of the local router to ensure reachability. Without the update-source command, the router may use the physical interface IP, which may not be reachable from the remote loopback if that physical link goes down.
Always use the neighbor <ip> update-source loopback <number> command on both sides when establishing EBGP Multihop sessions using loopback addresses.
Assuming that EBGP Multihop automatically protects against routing loops or misconfigurations.
EBGP Multihop only changes the TTL; it does not provide any loop prevention. BGP's AS_PATH attribute still provides loop detection. Multihop does not add additional safety mechanisms.
Always use other BGP security features like MD5 authentication, prefix filtering, and TTL security in combination with multihop to protect the session.
Thinking that EBGP Multihop is the same as IBGP because both allow non-direct peering.
EBGP Multihop still follows the EBGP rules: the TTL is still decremented at each hop, and the peers have different AS numbers. IBGP peers have the same AS number but do not need multihop because IBGP uses a TTL of 255 by default. Confusing the two leads to incorrect configuration.
Remember that EBGP Multihop is for EBGP only (different AS numbers). IBGP already allows non-direct peering by default. Use the correct command based on the AS relationship.
Exam Trap — Don't Get Fooled
An exam question states: 'Two routers R1 and R2 are connected via a Layer 2 switch. They are configured with IP addresses 10.1.1.1/24 and 10.1.1.2/24 respectively. The BGP session fails.
The candidate adds the ebgp-multihop 2 command, and the session comes up. The question asks: Why did the session fail without multihop?' Understand that a Layer 2 switch does not decrement the TTL because it does not operate at Layer 3.
The routers are directly connected at Layer 3 if they are on the same IP subnet, even if a switch is in between. The session failed for another reason, such as misconfiguration of the BGP neighbor statement or an ACL blocking the TCP port 179. The ebgp-multihop command should not have fixed it, so the question likely expects you to identify that the multihop was not the correct solution.
In reality, the session should have worked without multihop. The trap is that the candidate sees the multihop command as a 'magic fix' without analyzing the actual connectivity.
Commonly Confused With
IBGP is used for BGP peering within the same autonomous system, and it does not require a direct connection; it uses a TTL of 255 by default. EBGP Multihop is used for external BGP peering across different autonomous systems and only when the peers are not directly connected. The key difference is the AS number relationship and the need to explicitly configure multihop for EBGP.
Two routers in the same company (AS 100) can establish IBGP even if they are on different continents because IBGP allows multi-hop by default. Two routers in different companies (AS 100 and AS 200) need EBGP Multihop if they are not directly connected.
BGP TTL Security (Generalized TTL Security Mechanism) is a security feature that checks the incoming TTL of BGP packets to ensure they come from a trusted hop count. It is often used as an alternative to EBGP Multihop, but they are mutually exclusive in many configurations. EBGP Multihop allows a larger TTL for connectivity, while GTSM restricts the TTL to a specific range for security.
With EBGP Multihop, you set hops to 2, so packets with TTL 2 or less are accepted. With GTSM, you set hops to 2, meaning the router expects the initial TTL to be 255 and will accept only packets with TTL 254 or higher, effectively limiting the path to 1 hop.
Physical interface peering uses the IP address of the directly connected interface as the neighbor address. Loopback peering uses the loopback interface IP, which is not on the same subnet as the physical interface, so EBGP Multihop is always required for loopback peering. Many learners confuse the two and think they can peer to a loopback without multihop.
R1 and R2 are connected via a serial link. Using the serial IPs for neighbor statements does not require multihop because they are directly connected. Using the loopback IPs requires multihop because the loopback is not on the serial subnet.
Next-hop behavior determines which IP address is used as the next hop for routes learned via BGP. EBGP Multihop does not change next-hop processing; the next hop remains the IP address of the BGP neighbor. Some learners think that multihop changes the next hop to the loopback, but that is not automatic; it must be configured separately using route-maps or the next-hop-self command.
With EBGP Multihop, R1 peers with R2's loopback. Routes from R1 will still show R2's loopback IP as the next hop, not the physical interface IP. That is correct and expected, not a result of multihop.
Step-by-Step Breakdown
Identify the need for EBGP Multihop
Determine if the two BGP routers are in different autonomous systems and if they are not directly connected at Layer 3. If they are on different subnets or there are intermediate routers between them, then EBGP Multihop is required. This step is crucial because using multihop unnecessarily can introduce security risks.
Configure the neighbor remote-as on both sides
Before enabling multihop, you must specify the BGP neighbor and the remote autonomous system number. This is the standard BGP configuration. Example: router bgp 100, then neighbor 10.0.0.2 remote-as 200. Without this, the router does not know which neighbor is an EBGP peer.
Set the EBGP Multihop value
Use the command neighbor <ip-address> ebgp-multihop <hops> under BGP router configuration mode. The hops value should be the maximum number of Layer 3 hops between the peers. A common practice is to set it to 255 to allow any number of hops, but a more secure value is the exact hop count plus a small margin. For example, if there are 2 routers between, set hops to 3.
Configure the update source (optional but recommended)
If you are peering to a loopback interface of the remote router, set the update source to a loopback interface on the local router. This ensures that the BGP session uses a stable IP address. The command is neighbor <ip-address> update-source loopback <number>. Do this on both sides for full redundancy.
Verify the BGP session state
After configuration, use commands like show ip bgp summary or show ip bgp neighbors to check if the session is established. The state should transition from Idle to Active to Established. If it remains in Idle or Active, check for connectivity issues, ACLs filtering TCP port 179, or incorrect multihop value.
Apply security measures
Because multihop allows packets from further away, the session is vulnerable to spoofing. Add MD5 authentication using neighbor <ip-address> password <password>. Alternatively, use ttl-security hops <hops> instead of ebgp-multihop for more precise control. Note that these two commands are mutually exclusive in many Cisco IOS versions.
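An added example, not part of the original page and not Cisco tooling: a small Python audit that reads IOS-style BGP neighbor lines and flags the multihop mistakes and missing protections described under Common Mistakes and in the Apply security measures step. The sample configuration, the finding names, and the max_hops policy threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the original page): local AS 100, four peers.
SAMPLE_CONFIG = """\
router bgp 100
 neighbor 10.255.0.2 remote-as 200
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 ebgp-multihop 255
 neighbor 10.255.0.3 remote-as 300
 neighbor 10.255.0.3 update-source Loopback0
 neighbor 10.255.0.3 ebgp-multihop 3
 neighbor 10.255.0.3 password EXAMPLE-PLACEHOLDER
 neighbor 10.255.0.4 remote-as 400
 neighbor 10.255.0.4 ebgp-multihop 1
 neighbor 10.255.0.4 ttl-security hops 2
 neighbor 10.255.0.5 remote-as 100
 neighbor 10.255.0.5 ebgp-multihop 2
"""

ROUTER_RE = re.compile(r"^\s*router bgp\s+(\S+)")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S.*?)\s*$")


def parse_bgp(config):
    """Return (local_as, {peer: settings}) from IOS-style BGP config text."""
    local_as = None
    peers = defaultdict(dict)
    for line in config.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            local_as = m.group(1)
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        peer, words = m.group(1), m.group(2).split()
        key, args = words[0], words[1:]
        if key == "remote-as" and args:
            peers[peer]["remote_as"] = args[0]
        elif key == "ebgp-multihop":
            # IOS applies 255 when the keyword is entered without a value.
            peers[peer]["multihop"] = int(args[0]) if args else 255
        elif key == "ttl-security" and len(args) == 2 and args[0] == "hops":
            peers[peer]["gtsm_hops"] = int(args[1])
        elif key == "update-source" and args:
            peers[peer]["update_source"] = args[0]
        elif key == "password":
            peers[peer]["password"] = True
    return local_as, dict(peers)


def audit(config, max_hops=4):
    """Return {peer: [finding, ...]} for every neighbor with ebgp-multihop.

    max_hops is a hypothetical site policy: the largest TTL the path between
    the peers could legitimately need.
    """
    local_as, peers = parse_bgp(config)
    report = {}
    for peer, cfg in peers.items():
        if "multihop" not in cfg:
            continue
        hops, found = cfg["multihop"], []
        if local_as and cfg.get("remote_as") == local_as:
            found.append("multihop-on-ibgp")  # IBGP already uses TTL 255
        if "gtsm_hops" in cfg:
            found.append("multihop-with-ttl-security")  # mutually exclusive
        if hops == 1:
            found.append("multihop-1-is-default")  # same as no multihop
        elif hops > max_hops:
            found.append("multihop-too-wide")  # for example 255
        if "password" not in cfg and "gtsm_hops" not in cfg:
            found.append("multihop-unprotected")  # no MD5 and no TTL check
        if "update_source" not in cfg:
            # Hint only: the config alone cannot show whether the peer
            # address is a loopback.
            found.append("no-update-source")
        report[peer] = found
    return report


if __name__ == "__main__":
    for peer, found in audit(SAMPLE_CONFIG).items():
        print(peer, ", ".join(found) or "ok")
```

Neighbors without ebgp-multihop are skipped, so the report covers only the sessions whose TTL was widened.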
Practical Mini-Lesson
EBGP Multihop is a configuration tool that every network engineer working with BGP should understand thoroughly. In practice, you will rarely have the luxury of directly connecting every BGP peer. Most enterprise networks have a core layer of routers and switches, and BGP speakers are often at the edge of the network, separated by several hops.
For example, consider a company that has two data centers in different cities. Each data center has a border router that connects to an internet service provider (ISP). The border routers need to exchange EBGP routes with each other for backup and load balancing.
They are connected through the company's WAN, which may involve multiple routers in between. Without EBGP Multihop, you would need a direct cross-connect between the two data centers just for BGP, which is expensive and wasteful. With EBGP Multihop, you can peer using loopback interfaces, making the session resilient to link failures.
When configuring, always remember to set the update-source to a loopback interface. This is critical because if the physical interface goes down but the loopback is still reachable via another path, the BGP session stays up. Another practical consideration is the TTL value.
Setting multihop to 255 is common, but be aware that this allows potential attackers from far away to send spoofed BGP packets if they can reach the router. Therefore, in production, it is safer to set the TTL to the exact number of hops in your path. For example, if the path between the two loopbacks is exactly 3 hops, set ebgp-multihop 4 to allow one extra hop for redundancy.
Also consider using the ttl-security command instead, which provides built-in protection by rejecting packets that do not have the expected TTL. For example, ttl-security hops 3 will accept only packets that arrive with TTL exactly 252 (if the default initial TTL is 255, then 255 - 252 = 3 hops). This prevents off-path attackers from injecting packets.
However, ttl-security and ebgp-multihop cannot be used together on the same neighbor in most Cisco platforms, so you must choose one based on your security needs. Additionally, when using EBGP Multihop, ensure that the intermediate routers have routes to the loopback addresses of the BGP peers. If the intermediate routers do not have routes to the loopback networks, the BGP packets will be dropped.
This often requires injecting the loopback routes into the IGP (like OSPF or EIGRP) or using static routes. In large networks, BGP multihop is also used for route reflection between confederation sub-ASes. In a BGP confederation, EBGP peering is used between sub-ASes, but those sub-AS routers are often not directly connected.
EBGP Multihop allows them to peer across the confederation backbone. A common mistake in labs is to forget that EBGP Multihop must be configured on both sides of the session. If only one side has the command, the side with the lower TTL will drop the packets.
Always verify the configuration on both routers. Finally, when troubleshooting, always check the TTL value in the BGP packets using a packet capture or debug ip bgp. You can also use extended ping with a specific TTL to test reachability of the neighbor loopback address.
If the ping succeeds with a specific TTL but fails with a lower TTL, that confirms the number of hops. This number can guide you in setting the multihop value precisely.
Memory Tip
EBGP Multihop allows EBGP to travel many hops. Remember: 'EBGP hops, default stops at one; multihop makes the BGP run.' Or simply: 'One hop default, many hops multihop.'
Frequently Asked Questions
Do I always need to use EBGP Multihop when peering with a loopback interface?
Yes, because the loopback interface is not on the same subnet as any physical interface, so the BGP packets must traverse at least one Layer 3 hop. The default TTL of 1 will not allow this, so ebgp-multihop is required.
Can I use EBGP Multihop and TTL Security together?
No, in most Cisco IOS versions, the commands ebgp-multihop and ttl-security are mutually exclusive for the same neighbor. You must choose one approach.
What is the default TTL for EBGP?
The default TTL for EBGP packets is 1. This ensures that the BGP neighbor must be directly connected at Layer 3.
How many hops should I set for EBGP Multihop?
Set it to the exact number of Layer 3 hops between the peers, plus one or two for safety. A common practice is to use 255 for maximum flexibility, but this reduces security.
Does EBGP Multihop affect the BGP next-hop attribute?
No, EBGP Multihop does not change the next-hop attribute. The next hop remains the IP address of the BGP neighbor, which is typically the loopback or interface IP used for peering.
Can I use EBGP Multihop for IBGP?
No, IBGP already allows multi-hop peering by default (TTL 255). EBGP Multihop is specifically for EBGP sessions between different autonomous systems.
What happens if I set ebgp-multihop to 1?
Setting ebgp-multihop 1 does not change the default behavior; the TTL remains 1. It will only work if the peers are directly connected.
Summary
EBGP Multihop is a configurable parameter that allows BGP routers in different autonomous systems to form a peering session even when they are not directly connected by a single Layer 3 hop. By increasing the Time-to-Live (TTL) value in BGP packets beyond the default of 1, the packets can traverse intermediate routers, enabling peering across a routed network. This feature is essential for network designs that require redundancy, such as peering via loopback interfaces, which remain reachable even if a specific link fails.
It also provides flexibility in placing BGP speakers anywhere in the topology, including data centers, enterprise cores, and cloud environments. For certification exams like the CCNP ENCOR, understanding when and how to configure EBGP Multihop is critical. Common exam scenarios include troubleshooting failed EBGP sessions due to TTL issues, configuring multihop with loopback interfaces, and choosing between multihop and TTL security.
Learners must avoid common mistakes such as using multihop unnecessarily on direct connections, setting the hop count too low, or forgetting to configure the update source. In real-world networking, EBGP Multihop is a cornerstone of resilient BGP design, but it must be paired with security measures like authentication and TTL filtering to protect against attacks. Remember that EBGP Multihop is not a magic fix; it is a deliberate choice that changes the connectivity assumptions of BGP.
Mastering this concept will help you design robust, scalable, and secure BGP networks.