RE: Passive interface command for BGP peering?

From: Ng, Kim Seng David (David) (ksng@xxxxxxxxx)
Date: Fri Jul 19 2002 - 03:27:45 GMT-3

Brian,

        Do I need to add the "service-policy route-map" command at the BRI
interface too? I will try this later today.

Thanks all for your responses.

David

-----Original Message-----
From: Brian Dennis [mailto:brian@5g.net]
Sent: Friday, July 19, 2002 7:49 AM
To: ccielab@groupstudy.com
Subject: RE: Passive interface command for BGP peering?

Yes, it's not pretty but it solves the problem. Just make a local policy
and forward traffic that you want to hit the outbound list on the BRI to
the loopback interface.

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface BRI0
 ip access-group 150 out
!
ip local policy route-map myOutBoundFilter
!
route-map myOutBoundFilter permit 10
 match ip address 160
 set interface Loopback0
!
access-list 150 deny tcp host 1.1.1.1 eq bgp host 2.2.2.2 log
access-list 150 deny tcp host 1.1.1.1 host 2.2.2.2 eq bgp log
access-list 150 permit ip any any
!
access-list 160 permit tcp host 1.1.1.1 eq bgp host 2.2.2.2 log
access-list 160 permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp log

Brian Dennis, CCIE #2210 (R&S/ISP Dial)

-----Original Message-----
From: kym blair [mailto:kymblair@hotmail.com]
Sent: Thursday, July 18, 2002 4:07 PM
To: brian@5g.net; ksng@avaya.com; ccielab@groupstudy.com
Subject: RE: Passive interface command for BGP peering?

Brian,

Are you saying to create a local policy that routes outbound TCP 179 to the
loopback? Sounds recursive. Could you show the policy statement and the
access-list applied to it? Do you apply it globally, or to an interface?
Because of the extra hop, this will then cause the locally originated TCP
179 (from loopback) to be evaluated on the access-list for the outbound
BRI? Cool.

Thanks, Kym

>From: "Brian Dennis" <brian@5g.net>
>Reply-To: "Brian Dennis" <brian@5g.net>
>To: "'Ng, Kim Seng David (David)'" <ksng@avaya.com>, <ccielab@groupstudy.com>
>Subject: RE: Passive interface command for BGP peering?
>Date: Thu, 18 Jul 2002 10:22:40 -0700
>
>You could block it inbound on the other side. If it must be blocked
>outbound create a local policy and forward the BGP traffic to the
>loopback interface first. This will cause the BGP traffic to hit the
>outbound access-list on the BRI interface. Another solution would be to
>filter the loopback's route from being advertised over the BRI
>interfaces. Of course there are a few other ways to solve this problem
>;-)
>
>Also make sure that you block BGP in both directions with your
>access-list:
>access-list 100 deny tcp host x.x.x.x eq 179 host x.x.x.x
>access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 179
>access-list 100 permit ip any any
>
>Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Ng, Kim Seng David (David)
>Sent: Thursday, July 18, 2002 8:28 AM
>To: ccielab@groupstudy.com
>Subject: Passive interface command for BGP peering?
>
>Hi group,
>
> Is there an equivalent "passive interface" command to stop BGP
>peering over a specific interface? In a case when I have the backup BRI
>interface activated and the floating static default route in place, I
>want to prevent the BGP peering from happening over the BRI interface.
>Dialer list can prevent peering from activating the BRI link but that
>will not stop BGP peering when some other interesting traffic activates
>the link. I tried access-list extended out blocking tcp port 179 at the
>BRI interface but the IBGP peering (thru loopback interface) still
>occurs. I think it is because the access-list cannot block locally
>generated traffic. Hope someone can advise.
>
>Thanks
>David
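Added example, not part of the thread: a small Python evaluator for the subset of IOS extended ACL syntax in Brian's list 150, showing why his advice to deny BGP in both directions matters (a lone "source port 179" deny never touches the session the router itself initiates). The names PORT_NAMES, parse_ace, evaluate and session_results, and the ephemeral port 41000, are chosen here; addresses follow the thread.

```python
# Added example, not from the thread: evaluator for the subset of Cisco IOS extended
# ACL syntax Brian used (1.1.1.1 = local loopback, 2.2.2.2 = iBGP peer, as in the thread).
PORT_NAMES = {"bgp": 179}  # IOS accepts "eq bgp" as a synonym for "eq 179"

def parse_ace(line):
    """access-list <n> <permit|deny> <proto> <src> [eq P] <dst> [eq P] [log];
    <src>/<dst> is 'host A.B.C.D' or 'any'. None in the result means wildcard."""
    toks = line.split()
    action, proto, i = toks[2], toks[3], 4

    def addr():
        nonlocal i
        i += 2 if toks[i] == "host" else 1
        return None if toks[i - 1] == "any" else toks[i - 1]

    def port():
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            i += 2
            return PORT_NAMES.get(toks[i - 1]) or int(toks[i - 1])
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    return action, proto, src, sport, dst, dport

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First matching entry wins; an unmatched packet hits IOS's implicit deny."""
    for action, p, s, sp, d, dp in map(parse_ace, acl_lines):
        if p in ("ip", proto) and all(
            want is None or want == got
            for want, got in ((s, src), (sp, sport), (d, dst), (dp, dport))
        ):
            return action
    return "deny"

# Brian's list 150, applied outbound on BRI0 (reached through the local policy).
ACL_150 = [
    "access-list 150 deny tcp host 1.1.1.1 eq bgp host 2.2.2.2 log",
    "access-list 150 deny tcp host 1.1.1.1 host 2.2.2.2 eq bgp log",
    "access-list 150 permit ip any any",
]
ONE_WAY = [ACL_150[0], ACL_150[2]]  # only the "source port 179" deny line

def session_results(acl):
    """Outbound packets of a locally initiated session (ephemeral -> 179) and of a
    peer-initiated one (179 -> ephemeral); 41000 is a constructed ephemeral port."""
    local_init = evaluate(acl, "tcp", "1.1.1.1", 41000, "2.2.2.2", 179)
    peer_init = evaluate(acl, "tcp", "1.1.1.1", 179, "2.2.2.2", 41000)
    return local_init, peer_init
```

session_results(ACL_150) returns ('deny', 'deny'), while session_results(ONE_WAY) returns ('permit', 'deny'): with only one deny line, the router's own outbound session to the peer's port 179 still passes the list.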

This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:36 GMT-3