From: Brian Dennis (brian@xxxxxx)
Date: Sat Jul 20 2002 - 06:45:29 GMT-3
No it won't break BGP. Try it for yourself.
Brian Dennis, CCIE #2210 (R&S/ISP Dial)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Anthony Pace
Sent: Friday, July 19, 2002 3:30 PM
To: Brian Dennis; 'Ng, Kim Seng David (David)'; ccielab@groupstudy.com
Subject: RE: Passive interface command for BGP peering?
If you dump all of the locally originated BGP traffic, to the loopback,
won't you wreck the BGP peering over whatever interface you want the
peering to happen on?
Anthony Pace
On Fri, 19 Jul 2002 08:43:12 -0700, "Brian Dennis" <brian@5g.net> said:
> No I didn't need it.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ng, Kim Seng David (David)
> Sent: Thursday, July 18, 2002 11:28 PM
> To: Brian Dennis; ccielab@groupstudy.com
> Subject: RE: Passive interface command for BGP peering?
>
> Brian,
>
> Do I need to add the cmd "service-policy route-map" command at
> the BRI interface too? I will try this later today.
>
> Thanks all for your response
>
> David
>
> -----Original Message-----
> From: Brian Dennis [mailto:brian@5g.net]
> Sent: Friday, July 19, 2002 7:49 AM
> To: ccielab@groupstudy.com
> Subject: RE: Passive interface command for BGP peering?
>
>
> Yes, it's not pretty but it solves the problem. Just make a local policy
> and forward traffic that you want to hit the outbound list on the BRI to
> the loopback interface.
>
> interface Loopback0
> ip address 1.1.1.1 255.255.255.255
> !
> interface BRI0
> ip access-group 150 out
> !
> ip local policy route-map myOutBoundFilter
> !
> route-map myOutBoundFilter permit 10
> match ip address 160
> set interface Loopback0
> !
> access-list 150 deny tcp host 1.1.1.1 eq bgp host 2.2.2.2 log
> access-list 150 deny tcp host 1.1.1.1 host 2.2.2.2 eq bgp log
> access-list 150 permit ip any any
> !
> access-list 160 permit tcp host 1.1.1.1 eq bgp host 2.2.2.2 log
> access-list 160 permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp log
>
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial)
>
>
> -----Original Message-----
> From: kym blair [mailto:kymblair@hotmail.com]
> Sent: Thursday, July 18, 2002 4:07 PM
> To: brian@5g.net; ksng@avaya.com; ccielab@groupstudy.com
> Subject: RE: Passive interface command for BGP peering?
>
> Brian,
>
> Are you saying to create a local policy that routes outbound TCP 179 to the
> loopback? Sounds recursive. Could you show the policy statement and the
> access-list applied to it? Do you apply it globally, or to an interface?
> Because of the extra hop, this will then cause the locally originated TCP
> 179 (from loopback) to be evaluated on the access-list for the outbound BRI?
> Cool.
>
> Thanks, Kym
>
>
> >From: "Brian Dennis" <brian@5g.net>
> >Reply-To: "Brian Dennis" <brian@5g.net>
> >To: "'Ng, Kim Seng David \(David\)'" <ksng@avaya.com>,
> ><ccielab@groupstudy.com>
> >Subject: RE: Passive interface command for BGP peering?
> >Date: Thu, 18 Jul 2002 10:22:40 -0700
> >
> >You could block it inbound on the other side. If it must be blocked
> >outbound create a local policy and forward the BGP traffic to the
> >loopback interface first. This will cause the BGP traffic to hit the
> >outbound access-list on the BRI interface. Another solution would be to
> >filter the loopback's route from being advertised over the BRI
> >interfaces. Of course there are a few other ways to solve this problem
> >;-)
> >
> >Also make sure that you block BGP in both directions with your
> >access-list:
> >access-list 100 deny tcp host x.x.x.x eq 179 host x.x.x.x
> >access-list 100 deny tcp host x.x.x.x host x.x.x.x eq 179
> >access-list 100 permit ip any any
> >
> >Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >Ng, Kim Seng David (David)
> >Sent: Thursday, July 18, 2002 8:28 AM
> >To: ccielab@groupstudy.com
> >Subject: Passive interface command for BGP peering?
> >
> >Hi group,
> >
> > Is there an equivalent "passive interface" command to stop BGP
> >peering over a specific interface? In a case when I have the backup BRI
> >interface activated and the floating static default route in place, I
> >want to prevent the BGP peering from happening over the BRI interface.
> >Dialer list can prevent peering from activating the BRI link but that
> >will not stop BGP peering when some other interesting traffic activates
> >the link. I tried access-list extended out blocking tcp port 179 at the
> >BRI interface but the IBGP peering (thru loopback interface) still
> >occurs. I think it is because the access-list cannot block locally
> >generated traffic. Hope someone can advise.
> >
> >Thanks
> >David
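
Added example, not part of the original thread and not code from any of its participants: a small Python model of first-match evaluation for access-list 150 as posted above, showing why the thread says to block BGP in both directions. It only models ACL matching and assumes the packet actually reaches the outbound list on the BRI (in the thread, via the local policy); the parser, the sample packets and the one-line-short ACL variant are constructed for illustration.

```python
import re

# ACL 150 exactly as posted in the thread (applied outbound on BRI0).
ACL_150 = """\
access-list 150 deny tcp host 1.1.1.1 eq bgp host 2.2.2.2 log
access-list 150 deny tcp host 1.1.1.1 host 2.2.2.2 eq bgp log
access-list 150 permit ip any any
"""
# Hypothetical variant with the source-port (first) line left out.
ONE_WAY = "\n".join(ACL_150.splitlines()[1:])

PORTS = {"bgp": 179}
# Only the forms used in the thread: "host <addr>" or "any", optional "eq <port>".
ENDPOINT = r"(?:host (\S+)|(any))(?: eq (\S+))?"
LINE = re.compile(rf"access-list \d+ (permit|deny) (\w+) {ENDPOINT} {ENDPOINT}(?: log)?$")

def _port(p):
    return None if p is None else PORTS.get(p) or int(p)

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, sh, _, sp, dh, _, dp = m.groups()
        rules.append((action, proto, sh, _port(sp), dh, _port(dp)))  # None = any
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching line wins; no match falls to the implicit deny."""
    for action, rproto, sh, sp, dh, dp in rules:
        if rproto in ("ip", proto) and sh in (None, src) and dh in (None, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

# Constructed packets leaving the router toward the peer at 2.2.2.2.
PACKETS = {
    "local opens session": ("tcp", "1.1.1.1", 11000, "2.2.2.2", 179),
    "reply to peer-opened session": ("tcp", "1.1.1.1", 179, "2.2.2.2", 11001),
    "telnet to peer": ("tcp", "1.1.1.1", 11002, "2.2.2.2", 23),
}

def verdicts(acl_text):
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("as posted:", verdicts(ACL_150))
    print("one line short:", verdicts(ONE_WAY))
```

With both deny lines, either side's attempt to open the TCP session is dropped; with only the destination-port line, replies to a session opened by the peer (source port 179) still pass.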
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:37 GMT-3