From: Brian McGahan (brian@cyscoexpert.com)
Date: Tue Sep 10 2002 - 08:42:23 GMT-3
This case is independent of BGP. An access-list applied to an
interface with the "access-group" syntax is used to filter actual
traffic.
>int pos 0/0
>ip access-group 86 in
This syntax means: only accept traffic from networks specified
in access-list 86.
>neighbor x.x.x.x distribute-list 86 in
This syntax means: only accept prefixes from neighbor x.x.x.x
which are specified in access-list 86.
This is a valid case to reference the same access-list twice;
however it is not what you want to do in this case.
On a side note, if this customer is only taking a portion of
your full view, look into implementing BGP Outbound Route Filtering
(ORF). With this feature, your customer defines their inbound filter.
The difference is that the filter is sent upstream to your router, and
your router uses this list to filter prefixes outbound. See the
following link for more detail.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftbgporf.htm
HTH
Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com
CyscoExpert Corporation
Internetwork Consulting & Training
http://www.cyscoexpert.com
Voice: 847.674.3392
Fax: 847.674.2625
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jayashanker Warrier
> Sent: Tuesday, September 10, 2002 2:36 AM
> To: Liban.Mohamed@mail.sprint.com
> Cc: ccielab@groupstudy.com; rfc10000@hotmail.com
> Subject: Re: RE: *************:BGP and ACL
>
> Before it gets to BGP, the access-list on the interface will take
> whatever action you have specified. So if it is deny all, it
> denies all, or if it is permit some and deny others, it does that.
>
> Thanks
>
> J
>
> On Tue, 10 Sep 2002 Liban.Mohamed@mail.sprint.com wrote :
> >Remember guys, it's applied to both the BGP peer and the interface;
> >will that cause any type of blackhole?
> >Now this was a mistake done by someone.
> >
> >thanks,
> >
> >
> >
> >-----Original Message-----
> > From: rfc10000 [mailto:rfc10000@hotmail.com]
> >Sent: Tuesday, September 10, 2002 2:28 AM
> >To: Liban.Mohamed
> >Cc: rfc10000
> >Subject: *************:BGP and ACL
> >
> >
> >
> >If the ACL is applied on the BGP neighbor, it just causes the BGP
> >action.
> >If it is applied on an interface,
> >all the traffic on this interface will be blocked.
> >
> >
> >----- Original Message -----
> >From: Liban.Mohamed@mail.sprint.com
> >Sent: September 10, 2002 13:24
> >To: ccielab@groupstudy.com
> >Cc: liban.mohamed@mail.sprint.com
> >Subject: BGP and ACL
> >
> >I ran into an issue last week and I would like to get your opinion.
> >I have a customer that has an OC3 circuit that is running BGP with us.
> >Below is a sample of our BGP config.
> >
> >
> >sl-gw34-chi#sho run | inc x.x.x.x
> >neighbor x.x.x.x.x remote-as x.x.x
> >neighbor x.x.x.x version 4
> >neighbor x.x.x.x distribute-list 86 in
> >neighbor x.x.x.x route-map transit-in in
> >neighbor x.x.x.x route-map full-routes out
> >neighbor x.x.x.x maximum-prefix 500
> >
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >access-list 86 permit x.x.x.x 0.0.0.255
> >
> >Now this is the problem. Last week they sent an e-mail to update their
> >distribute-list. One of the NOC engineers updated it, but he also
> >applied the ACL on their interface.
> >He entered the following command: don't ask me why he did this ;)
> >config t
> >int pos 0/0
> >ip access-group 86 in
> >
> >After he applied this, all traffic stopped flowing on this link. Will this
> >cause the traffic to stop, since we have the ACL applied on the interface
> >and the BGP with the same #86?
> >
> >
> >any suggestion would help..
> >
> >
> >
> >Liban Mohamed
> >IP Engineer
> >Sprintlink Operation Engineering team
> >CCNA,CCDA,CCNP,CCDP.
> >www.sprint.net.
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:48 GMT-3
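
The two uses of access-list 86 contrasted in the reply above, as an added example that is not part of the original thread: a small Python model of a standard ACL evaluated once as a distribute-list (against received prefixes) and once as an inbound access-group (against packet source addresses). The ACL entries, prefixes and the peering-link address 10.255.0.2 are constructed sample values, and the example assumes the peering link lies outside the listed networks.

```python
import ipaddress

# Constructed stand-in for access-list 86 (documentation prefixes, not from
# the thread). Entries are (action, address, wildcard mask).
ACL_86 = [
    ("permit", "198.51.100.0", "0.0.0.255"),
    ("permit", "203.0.113.0", "0.0.0.255"),
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_match(acl, addr):
    """First-match evaluation of a standard ACL against one IPv4 address."""
    value = _to_int(addr)
    for action, base, wildcard in acl:
        care = ~_to_int(wildcard) & 0xFFFFFFFF  # wildcard 0-bits must match
        if (value & care) == (_to_int(base) & care):
            return action
    return "deny"  # implicit "deny any" at the end of every ACL

def distribute_list(acl, prefix):
    """neighbor ... distribute-list <n> in: the ACL is tested against the
    network address of each received prefix; packets are never examined."""
    network = ipaddress.IPv4Network(prefix)
    return acl_match(acl, str(network.network_address))

def interface_filter(acl, packet_src):
    """ip access-group <n> in: the ACL is tested against the source IP of
    every packet arriving on the interface, routing protocol packets included."""
    return acl_match(acl, packet_src)

def evaluate(acl, prefixes, packet_sources):
    """Run the same ACL through both roles and collect the verdicts."""
    return {
        "prefixes": {p: distribute_list(acl, p) for p in prefixes},
        "packets": {s: interface_filter(acl, s) for s in packet_sources},
    }

if __name__ == "__main__":
    result = evaluate(
        ACL_86,
        prefixes=["198.51.100.0/24", "192.0.2.0/24"],
        # A host inside a listed network, the assumed eBGP peer address on
        # the link, and a source outside the list.
        packet_sources=["198.51.100.25", "10.255.0.2", "192.0.2.77"],
    )
    for role, verdicts in result.items():
        for item, action in verdicts.items():
            print(f"{role:8} {item:18} {action}")
```

Under these assumptions the inbound access-group denies packets sourced from the peering address itself, which includes the neighbor's BGP packets, while the distribute-list alone only controls which prefixes are accepted.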