From: Scott, Tyson C (tyson.scott@hp.com)
Date: Thu Feb 19 2004 - 11:09:20 GMT-3
You will also need to make sure you allow the traffic both ways or make
sure you find out which way BGP was initiated. You can do this by
issuing the command show ip bgp neighbors. You will find the following
in there
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 150.6.1.1, Local port: 179
Foreign host: 150.6.3.3, Foreign port: 11025
With that you can create a more specific ACL. But if you just want to
make sure it works and take a shortcut you would do something according
to the following.
ip access-list extended REFLEX
 permit tcp host 1.1.1.1 host 2.2.2.2 eq bgp
 permit tcp host 1.1.1.1 eq bgp host 2.2.2.2
 evaluate {reflexive}
Regards,
Tyson Scott
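As an added example (not part of the thread above), here is a small Python script that does what the message describes: it reads the "Local host/port" and "Foreign host/port" lines from `show ip bgp neighbors` output, works out which side opened the TCP session (the side whose port is 179 is the listener, the other side initiated), and prints either the direction-specific permit line or the two-way shortcut. The sample output, the second neighbour, and the ACL name REFLEX are constructed for illustration; the `evaluate` line is left out because the reflexive list name is site-specific.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the `show ip bgp neighbors` lines quoted
# above; addresses, AS numbers and ports are made up for illustration.
SAMPLE_OUTPUT = """\
BGP neighbor is 150.6.3.3,  remote AS 3, external link
  BGP state = Established, up for 00:12:34
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 150.6.1.1, Local port: 179
Foreign host: 150.6.3.3, Foreign port: 11025
BGP neighbor is 150.6.2.2,  remote AS 2, external link
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 150.6.1.1, Local port: 20210
Foreign host: 150.6.2.2, Foreign port: 179
"""

BGP_PORT = 179

_ENDPOINTS = re.compile(
    r"Local host: ([^,]+), Local port: (\d+)\s+"
    r"Foreign host: ([^,]+), Foreign port: (\d+)"
)


def parse_sessions(text):
    """Extract local/foreign host and port for each TCP session in the output.

    Addresses are validated with ipaddress so a garbled line raises instead
    of silently turning into a bogus ACL entry."""
    sessions = []
    for lh, lp, fh, fp in _ENDPOINTS.findall(text):
        sessions.append({
            "local_host": str(ip_address(lh.strip())),
            "local_port": int(lp),
            "foreign_host": str(ip_address(fh.strip())),
            "foreign_port": int(fp),
        })
    return sessions


def initiator(session):
    """Return 'foreign' if the peer opened the session (we listen on 179),
    'local' if this router opened it (the peer listens on 179)."""
    local_listens = session["local_port"] == BGP_PORT
    foreign_listens = session["foreign_port"] == BGP_PORT
    if local_listens and not foreign_listens:
        return "foreign"
    if foreign_listens and not local_listens:
        return "local"
    raise ValueError("cannot determine initiator from ports %d/%d"
                     % (session["local_port"], session["foreign_port"]))


def acl_entries(session, name="REFLEX", specific=True):
    """Inbound extended-ACL lines that permit this BGP session.

    specific=True permits only the direction actually in use: a
    peer-initiated session needs peer -> us:179, a locally initiated one
    needs the return traffic peer:179 -> us. specific=False emits both,
    which is the 'allow it both ways' shortcut from the message above."""
    peer, me = session["foreign_host"], session["local_host"]
    who = initiator(session) if specific else None
    lines = [f"ip access-list extended {name}"]
    if who in (None, "foreign"):
        lines.append(f" permit tcp host {peer} host {me} eq bgp")
    if who in (None, "local"):
        lines.append(f" permit tcp host {peer} eq bgp host {me}")
    return lines


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(f"! session with {s['foreign_host']}: initiated by {initiator(s)}")
        print("\n".join(acl_entries(s)))
```

The generated lines are meant for the list applied inbound on the outside interface (`ip access-group REFLEX in`). One caveat with the direction-specific form: after a session reset either router may be the one whose TCP connect wins, so a list that permits only the direction observed today can block re-peering later; the two-way form from the message is the safer choice unless you also control which side is the passive peer.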
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ahmed Mustafa
Sent: Thursday, February 19, 2004 2:24 AM
To: alsontra@hotmail.com; ccielab@groupstudy.com
Subject: Re: Reflexive access-list
You would still have to allow your routing protocols from outside
routers. If, for example, you are running BGP between the internal and
external networks, a reflexive access-list will deny any request
initiated from outside, and that will bring your BGP domain down.
HTH,
----- Original Message -----
From: <alsontra@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, February 19, 2004 1:00 AM
Subject: Reflexive access-list
> All,
> If I use a reflexive ACL on an interface that is actively
> participating in BGP, EIGRP and/or OSPF, do I need to add statements
> allowing these protocols through the ACL? As I understand it, locally
> originated traffic is not affected by ACLs. This would mean that
> routing protocols are exempt from outbound ACLs, reflexive or
> otherwise. Correct?
>
> Thanks,
> Alsontra
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:51 GMT-3