Question 15 of 500
NetworkingmediumMultiple ChoiceObjective-mapped

Quick Answer

The answer is that the TTL security check is blocking the connection. This is correct because the error message explicitly indicates that the incoming TTL value does not match the expected value of 255, which is required for a directly connected eBGP peer. When BGP TTL security check is enabled, the router expects the TTL of incoming packets to be exactly 255; if the packet arrives with a lower TTL—as happens when it traverses intermediate hops—the session is rejected, even if the neighbor is technically reachable. On the Cisco SPCOR 350-501 exam, this scenario tests your understanding of how TTL security differs from standard eBGP multihop configurations, where the TTL is decremented normally. A common trap is confusing this with MD5 authentication or prefix limits, but the debug output will always reference “TTL security” explicitly. Remember the memory tip: “TTL 255 means directly alive; anything less means the session is in distress.”

350-501 Networking Practice Question

This 350-501 practice question tests your understanding of networking. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

R1# show ip bgp neighbors 10.0.0.1
BGP neighbor is 10.0.0.1, remote AS 65000, external link
  BGP version 4, remote router ID 10.0.0.1
  BGP state = IDLE
  Last read 00:00:00, last write 00:00:00
  Hold time is 180, keepalive interval is 60 seconds
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
    Sent: total 0, updates 0
    Received: total 0, updates 0
  Connections established 0; dropped 0
  Last reset never
  External BGP neighbor may be up to 255 hops away.
  Connection is not permitted by TTL security check (TTL=1)

Based on the exhibit, what is preventing the BGP session from establishing?

Question 1mediummultiple choice
Open the full BGP breakdown →

Exhibit

Refer to the exhibit.

R1# show ip bgp neighbors 10.0.0.1
BGP neighbor is 10.0.0.1, remote AS 65000, external link
  BGP version 4, remote router ID 10.0.0.1
  BGP state = IDLE
  Last read 00:00:00, last write 00:00:00
  Hold time is 180, keepalive interval is 60 seconds
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
    Sent: total 0, updates 0
    Received: total 0, updates 0
  Connections established 0; dropped 0
  Last reset never
  External BGP neighbor may be up to 255 hops away.
  Connection is not permitted by TTL security check (TTL=1)

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The TTL security check is blocking the connection

Option C is correct. The error message indicates the TTL security check is rejecting the connection because the incoming TTL is not 255 (as expected for an eBGP multihop session). The remote AS is shown as 65000, so it is eBGP. The neighbor is reached via a single-hop but the TTL check expects TTL=255, but the router sees a TTL less than that. Option A is wrong because no prefix limit is mentioned. Option B is wrong because no MD5 error is shown. Option D is wrong because the message clearly states TTL security check.

Key principle: OSPF neighbour adjacency depends on matching area, hello/dead timers, network type, and authentication — IP reachability alone is not enough.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The BGP MD5 password is mismatched

    Why it's wrong here

    There is no indication of an MD5 authentication error.

  • The BGP update-source is misconfigured

    Why it's wrong here

    No evidence of update-source issue; the error is specific to TTL.

  • The neighbor has reached its maximum prefix limit

    Why it's wrong here

    No prefix limit error is shown; the state is IDLE due to TTL security.

  • The TTL security check is blocking the connection

    Why this is correct

    The error 'Connection is not permitted by TTL security check (TTL=1)' clearly indicates the TTL security mechanism is rejecting the packet.

    Related concept

    OSPF neighbours must agree on key parameters.

Common exam traps

Common exam trap: OSPF can fail even when IP connectivity looks correct

OSPF neighbour formation depends on matching areas, timers, network type, authentication and passive-interface behaviour. Do not choose an answer only because the devices can ping.

Trap categories for this question

  • Command / output trap

    No prefix limit error is shown; the state is IDLE due to TTL security.

Detailed technical explanation

How to think about this question

OSPF questions usually test the details that control adjacency and route selection. Read the neighbour state, area, router ID and interface configuration before deciding what is wrong.

KKey Concepts to Remember

  • OSPF neighbours must agree on key parameters.
  • Router ID selection can affect neighbour relationships and LSDB output.
  • OSPF cost influences the preferred path.
  • A route can appear in OSPF information but not become the installed route.

TExam Day Tips

  • Check area mismatch first when OSPF adjacency fails.
  • Review passive interfaces when a network is advertised but no neighbour forms.
  • Use show ip ospf neighbor and show ip route clues carefully.

Key takeaway

OSPF neighbour adjacency depends on matching area, hello/dead timers, network type, and authentication — IP reachability alone is not enough.

Real-world example

How this comes up in practice

A network engineer at a university connects two campus buildings via a fibre link. Both routers run OSPF, but no adjacency forms — even though both routers can ping each other. The engineer finds one router is in area 0 and the other in area 1. OSPF adjacency requires matching area numbers, hello/dead timers, and network type. IP reachability alone is not enough.

What to study next

Got this wrong? Here's your next step.

Review OSPF neighbour requirements — matching area type, hello and dead timers, network type, stub flags, and authentication. Study show ip ospf neighbor states (INIT, 2-WAY, FULL). Then practise related 350-501 OSPF questions on adjacency and route selection.

Related practice questions

Related 350-501 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 350-501 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 350-501 question test?

Networking — This question tests Networking — OSPF neighbours must agree on key parameters..

What is the correct answer to this question?

The correct answer is: The TTL security check is blocking the connection — Option C is correct. The error message indicates the TTL security check is rejecting the connection because the incoming TTL is not 255 (as expected for an eBGP multihop session). The remote AS is shown as 65000, so it is eBGP. The neighbor is reached via a single-hop but the TTL check expects TTL=255, but the router sees a TTL less than that. Option A is wrong because no prefix limit is mentioned. Option B is wrong because no MD5 error is shown. Option D is wrong because the message clearly states TTL security check.

What should I do if I get this 350-501 question wrong?

Review OSPF neighbour requirements — matching area type, hello and dead timers, network type, stub flags, and authentication. Study show ip ospf neighbor states (INIT, 2-WAY, FULL). Then practise related 350-501 OSPF questions on adjacency and route selection.

What is the key concept behind this question?

OSPF neighbours must agree on key parameters.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 350-501 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 350-501 exam.