From: Ken.Farrington@barclayscapital.com
Date: Mon Dec 08 2003 - 16:08:10 GMT-3
and it works a dream :))
-----Original Message-----
From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
Sent: 04 December 2003 05:54
To: 'ericdong'; ccielab@groupstudy.com
Subject: RE: B4C0B8B4: BGP Session Startup (tuning this)
No, there is no command to set BGP to be "passive" in establishing a
session. You can apply an access-list outbound that stops traffic going to
TCP port 179, but since an outbound access-list does not normally affect
locally generated traffic it takes a little magic to get it to work.

ip local policy route-map LOCAL_POLICY
!
interface Ethernet0/1
 ip access-group 101 out
!
access-list 100 permit tcp any any eq bgp
!
access-list 101 deny tcp any any eq bgp
access-list 101 permit ip any any
!
route-map LOCAL_POLICY permit 10
 match ip address 100
 set interface Loopback0

The above config will force the router to treat locally generated
BGP traffic as transit. Note that the ttl of the packet is decremented
locally before exiting the router, so if you are trying to establish an EBGP
peering session you'll need to add ebgp-multihop.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ericdong
> Sent: Wednesday, December 03, 2003 8:36 PM
> To: ccielab@groupstudy.com
> Subject: RE: BGP Session Startup (tuning this)
>
> I meet the same question, have you found the answer?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ken.Farrington@barclayscapital.com
> Sent: 26 November 2003 6:22
> To: ccielab@groupstudy.com
> Subject: BGP Session Startup (tuning this)
>
> Good evening all :-)
>
> From the output below, you can see that on my two router network, either
> router can start the BGP session. The thing is, I only want one router
> (ATM-BB) to be able to start the session, i.e. open a TCP session to port
> 179. I don't ever want the other router (TEST2) to start a TCP session with
> a destination port of 179.
>
> So, the only way I figure I can do this is by putting an inbound ACL on the
> ATM-BB router and it works fine (Config below)
>
> Question is, is this what you have to do to make this work or is there an
> equiv of a DLSW Passive command for BGP?
> and,
> what is the criteria, for who starts the session first, say, no ACL is
> applied and you do a clear ip bgp (must be sommat to do with the active
> timer or sommat)
>
> Many thx indeed,
> Ken
>
>
> Config on ATM-BB Router
> -----------------------
> !
> interface FastEthernet1
>  ip address 200.201.1.1 255.255.255.0
>  ip access-group 111 in
> !
> router bgp 253
>  neighbor 200.201.1.2 remote-as 5
> !
> access-list 111 deny tcp any any eq bgp
> access-list 111 permit ip any any
>
>
> Config on TEST2 Router
> ----------------------
> !
> interface FastEthernet1
>  ip address 200.201.1.2 255.255.255.0
> !
> router bgp 5
>  neighbor 200.201.1.1 remote-as 253
>
> Results with ACL, Test2 gets "access denied" when trying to start the BGP
> session and then by the syn-ack received back on ATM-BB, you know that
> ATM-BB has sent the SYN and started the session.
>
>
> ATM-BB#
> 00:53:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, access denied
> 00:53:26: TCP src=11017, dst=179, seq=2342290847, ack=0, win=16384 SYN
> ATM-BB#
> 00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len 44, rcvd 3
> 00:53:40: TCP src=179, dst=11018, seq=1245489616, ack=2525366980, win=16384 ACK SYN
> 00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0
> 00:53:40: TCP src=179, dst=11018, seq=1245489617, ack=2525367025, win=16339 ACK PSH
> 00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:53:40: TCP src=179, dst=11018, seq=1245489662, ack=2525367044, win=16320 ACK PSH
> 00:53:40: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up
> 00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:53:40: TCP src=179, dst=11018, seq=1245489681, ack=2525367108, win=16256 ACK PSH
> 00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
> 00:53:40: TCP src=179, dst=11018, seq=1245489700, ack=2525367146, win=16218 ACK
> ATM-BB#
>
> ********Router TEST2 starts the BGP session**********************
> ATM-BB#
> 00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, rcvd 0
> 00:11:26: TCP src=11005, dst=179, seq=3186708026, ack=0, win=16384 SYN
> 00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
> 00:11:26: TCP src=11005, dst=179, seq=3186708027, ack=243242607, win=16384 ACK
> 00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0
> 00:11:26: TCP src=11005, dst=179, seq=3186708027, ack=243242607, win=16384 ACK PSH
> 00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:11:26: TCP src=11005, dst=179, seq=3186708072, ack=243242652, win=16339 ACK PSH
> 00:11:26: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up
> 00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
> 00:11:26: TCP src=11005, dst=179, seq=3186708091, ack=243242671, win=16320 ACK
> 00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:11:26: TCP src=11005, dst=179, seq=3186708091, ack=243242773, win=16218 ACK PSH
> ATM-BB#
> 00:12:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:12:27: TCP src=11005, dst=179, seq=3186708110, ack=243242792, win=16199 ACK PSH
> ATM-BB#
> 00:13:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:13:27: TCP src=11005, dst=179, seq=3186708129, ack=243242811, win=16180 ACK PSH
> 00:13:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 111, rcvd 0
> 00:13:27: TCP src=11005, dst=179, seq=3186708148, ack=243242811, win=16180 ACK PSH
>
> TEST2#
> 00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2 (FastEthernet1), len 44, rcvd 3
> 00:11:23: TCP src=179, dst=11005, seq=243242606, ack=3186708027, win=16384 ACK SYN
> 00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 85, rcvd 0
> 00:11:23: TCP src=179, dst=11005, seq=243242607, ack=3186708072, win=16339 ACK PSH
> 00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
> 00:11:23: TCP src=179, dst=11005, seq=243242652, ack=3186708091, win=16320 ACK PSH
> 00:11:23: %BGP-5-ADJCHANGE: neighbor 200.201.1.1 Up
> 00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 142, rcvd 0
> 00:11:23: TCP src=179, dst=11005, seq=243242671, ack=3186708091, win=16320 ACK PSH
> 00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
> 00:11:23: TCP src=179, dst=11005, seq=243242773, ack=3186708110, win=16301 ACK
> TEST2#
> 00:12:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
> 00:12:24: TCP src=179, dst=11005, seq=243242773, ack=3186708110, win=16301 ACK PSH
> 00:12:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
> 00:12:24: TCP src=179, dst=11005, seq=243242792, ack=3186708129, win=16282 ACK
> TEST2#
> 00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
> 00:13:24: TCP src=179, dst=11005, seq=243242792, ack=3186708129, win=16282 ACK PSH
> 00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
> 00:13:24: TCP src=179, dst=11005, seq=243242811, ack=3186708148, win=16263 ACK
> 00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
> 00:13:24: TCP src=179, dst=11005, seq=243242811, ack=3186708219, win=16192 ACK
>
> ------------------------------------------------------------------------
>
> ********Router ATM-BB starts the BGP session**********************
> TEST2#
> 00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 44, rcvd 0
> 00:15:46: TCP src=11004, dst=179, seq=1036704196, ack=0, win=16384 SYN
> 00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
> 00:15:46: TCP src=11004, dst=179, seq=1036704197, ack=3716649371, win=16384 ACK
> 00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 85, rcvd 0
> 00:15:46: TCP src=11004, dst=179, seq=1036704197, ack=3716649371, win=16384 ACK PSH
> 00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
> 00:15:46: TCP src=11004, dst=179, seq=1036704242, ack=3716649416, win=16339 ACK PSH
> 00:15:46: %BGP-5-ADJCHANGE: neighbor 200.201.1.1 Up
> 00:15:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
> 00:15:47: TCP src=11004, dst=179, seq=1036704261, ack=3716649435, win=16320 ACK
> 00:15:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
> 00:15:47: TCP src=11004, dst=179, seq=1036704261, ack=3716649525, win=16230 ACK PSH
> 00:16:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
> 00:16:47: TCP src=11004, dst=179, seq=1036704280, ack=3716649525, win=16230 ACK PSH
> 00:16:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
> 00:16:47: TCP src=11004, dst=179, seq=1036704299, ack=3716649544, win=16211 ACK
> TEST2#
>
> ATM-BB#
> 00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len 44, rcvd 3
> 00:15:49: TCP src=179, dst=11004, seq=3716649370, ack=1036704197, win=16384 ACK SYN
> 00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0
> 00:15:49: TCP src=179, dst=11004, seq=3716649371, ack=1036704242, win=16339 ACK PSH
> 00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:15:49: TCP src=179, dst=11004, seq=3716649416, ack=1036704261, win=16320 ACK PSH
> 00:15:49: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up
> 00:15:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 130, rcvd 0
> 00:15:50: TCP src=179, dst=11004, seq=3716649435, ack=1036704261, win=16320 ACK PSH
> 00:15:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
> 00:15:50: TCP src=179, dst=11004, seq=3716649525, ack=1036704280, win=16301 ACK
> 00:16:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
> 00:16:50: TCP src=179, dst=11004, seq=3716649525, ack=1036704299, win=16282 ACK PSH
> ATM-BB#
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:37 GMT-3
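
Added example (not part of the original thread, and not the posters' code): a small Python check that reads debug output of the kind quoted above and reports which router attempted the active open to TCP port 179 and whether the ACL dropped it. It assumes each wrapped debug line has been rejoined; the function names and the sample are constructed for illustration.

```python
import re

# Constructed sample: a few packets modelled on the "debug ip packet detail"
# output quoted in the thread, with each wrapped line rejoined.
SAMPLE = """\
00:53:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, access denied
00:53:26: TCP src=11017, dst=179, seq=2342290847, ack=0, win=16384 SYN
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len 44, rcvd 3
00:53:40: TCP src=179, dst=11018, seq=1245489616, ack=2525366980, win=16384 ACK SYN
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0
00:53:40: TCP src=179, dst=11018, seq=1245489617, ack=2525367025, win=16339 ACK PSH
"""

IP_RE = re.compile(r"IP: s=([\d.]+).*? d=([\d.]+).*?len \d+, (.+)$")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+),.*?win=\d+ (.+)$")
BGP_PORT = 179

def bgp_opens(log):
    """Return one record per BGP connection attempt visible in the debug output."""
    events, ip = [], None
    for line in log.splitlines():
        m = IP_RE.search(line)
        if m:
            ip = m.groups()          # (source, destination, forwarding verdict)
            continue
        m = TCP_RE.search(line)
        if not (m and ip):
            continue
        src, dst, verdict = ip
        ip = None                    # each TCP line belongs to one IP line
        sport, dport, flags = int(m[1]), int(m[2]), set(m[3].split())
        if "SYN" not in flags:
            continue                 # only handshake packets reveal the initiator
        if "ACK" not in flags and dport == BGP_PORT:
            # Bare SYN to 179: the sender is attempting the active open.
            events.append({"initiator": src, "responder": dst,
                           "blocked": "denied" in verdict})
        elif "ACK" in flags and sport == BGP_PORT:
            # SYN-ACK from 179: the receiver of this packet sent the SYN.
            events.append({"initiator": dst, "responder": src, "blocked": False})
    return events

def unexpected_opens(events, allowed_initiator):
    """Attempts that got past the filter from any peer other than the allowed one."""
    return [e for e in events
            if e["initiator"] != allowed_initiator and not e["blocked"]]

if __name__ == "__main__":
    for event in bgp_opens(SAMPLE):
        print(event)
    print("unexpected:", unexpected_opens(bgp_opens(SAMPLE), "200.201.1.1"))
```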