Security - Bgp session

From: gladston@br.ibm.com
Date: Mon Aug 16 2004 - 15:34:48 GMT-3


I have seen some security examples using a reflexive list where the BGP session is explicitly permitted in two ways. Am I wrong, or is only one way necessary? (Because if the local router starts the session, it will be allowed by the reflexive list.)

For example:

R1 is connected to R2 using serial0.

R1
 int ser 0
  ip ad 172.16.1.1 255.255.255.0
  ip access-group Outbound out
  ip access-group Inbound in
 !
 ip access-list extended Outbound
  permit ip any any reflect Traffic
 !
 ip access-list extended Inbound
  permit tcp host 172.16.1.2 eq bgp host 172.16.1.1
  evaluate Traffic

If the BGP session is started by R1, the Outbound list will permit it and create the dynamic rule to allow the returning traffic.
If the BGP session is started by R2, the Inbound list will permit it.

What I have seen is:
permit tcp host 172.16.1.2 eq bgp host 172.16.1.1
permit tcp host 172.16.1.2 host 172.16.1.1 eq bgp
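To see which of the two inbound entries is exercised in each direction, here is an added Python model of those ACL lines (written for this page, not code from the original message); the addresses are the ones in the post, and the ephemeral port 40000 is a constructed value.

```python
# Added example (not part of the original post): a minimal model of Cisco
# extended-ACL matching, used to check which inbound entry matches the first
# packet of a BGP session in each initiation direction. Addresses are the
# ones from the post; the ephemeral port 40000 is a constructed value.
from dataclasses import dataclass
from typing import Optional

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    """One 'permit tcp host A [eq P] host B [eq P]' line."""
    src: str
    dst: str
    sport: Optional[int] = None  # 'eq' after the source host, None = any port
    dport: Optional[int] = None  # 'eq' after the destination host, None = any port

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


# The two inbound lines the post asks about, as applied on R1's serial0.
INBOUND = {
    "permit tcp host 172.16.1.2 eq bgp host 172.16.1.1": Entry("172.16.1.2", "172.16.1.1", sport=BGP_PORT),
    "permit tcp host 172.16.1.2 host 172.16.1.1 eq bgp": Entry("172.16.1.2", "172.16.1.1", dport=BGP_PORT),
}


def first_match(p: Packet) -> Optional[str]:
    """Return the text of the first inbound entry that permits p (None if none)."""
    for text, entry in INBOUND.items():
        if entry.matches(p):
            return text
    return None


# Inbound packets from R2 as seen on R1's serial0 in the two scenarios.
R2_INITIATES = Packet("172.16.1.2", 40000, "172.16.1.1", BGP_PORT)  # R2 opens the session
R2_REPLIES = Packet("172.16.1.2", BGP_PORT, "172.16.1.1", 40000)    # R2 answers R1's open

if __name__ == "__main__":
    for name, pkt in (("R2 initiates", R2_INITIATES), ("R2 replies", R2_REPLIES)):
        print(f"{name}: {first_match(pkt)}")
```

Running it shows that the entry with `eq bgp` after the source host only matches R2's replies (source port 179), while the one with `eq bgp` after the destination host is the one that matches a session R2 opens.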



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:44 GMT-3