Re: Reflexive ACL and traffic generated by the router

From: Kian Wah Lai (kian_wah@qala.com.sg)
Date: Sun Nov 07 2004 - 03:03:23 GMT-3

• Next message: AK Singh: "CCIE #14048"
• Previous message: METOO CCIE: "Re: Reflexive ACL and traffic generated by the router"
• Maybe in reply to: METOO CCIE: "Reflexive ACL and traffic generated by the router"
• Next in thread: Edwards, Andrew M: "RE: Reflexive ACL and traffic generated by the router"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

no idea why your OSPF is able to come up. have you tried rebooting and
see if it is still up?

the easiest way to solve your problem would be (without complicating
things too much)
ip access-list extended inboundfilters
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
 deny ip any any
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic
 permit icmp any any reflect icmptraffic
 permit ip any any
no ip local policy route-map JNK123

Regards,
Kian Wah
3 routers and one PIX rental at SGD2/hr
http://rack.sgcug.org/
Singapore Cisco User Group

METOO CCIE wrote:

> Thanks for the suggestion Kian and Anthony.
>
> I tried ip local policy and I can see reverse temporary entries get
> established when this router initiates ip traffic going out of
> Ethernet 0/0.
>
> However, now my BGP connection with 110.110.110.9 does not come up.
> This neighbor is on Eth 0/0, where reflexive ACL is applied.
>
> Here is the extra config that I applied in additoin to the config in
> my first email. Any idea what can I change to get BGP working?
>
> !
> ip local policy route-map JNK123
> !
> access-list 181 deny tcp any any eq bgp ! this still does not
> allow bgp nei to come up
> access-list 181 deny ospf any any ! this allows ospf to come
> up fine
> access-list 181 permit ip any any
> !
> route-map JNK123 permit 10
> match ip address 181
> set interface Loopback0
> !
> router bgp 167
> bgp router-id 1.1.1.1
> neighbor 110.110.110.9 remote-as 60109
> !
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> !
> I keep getting following messages:
> %BGP-3-NOTIFICATION: sent to neighbor 110.110.110.9 4/0 (hold time
> expired) 0 bytes
>
> sh ip bgp nei:
> ------------------
> BGP neighbor is 110.110.110.9, remote AS 60109, external link
> BGP version 4, remote router ID 110.110.110.9
> BGP state = OpenConfirm
>
> Thanks
> -bobby
>
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today - it's
> FREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: AK Singh: "CCIE #14048"
• Previous message: METOO CCIE: "Re: Reflexive ACL and traffic generated by the router"
• Maybe in reply to: METOO CCIE: "Reflexive ACL and traffic generated by the router"
• Next in thread: Edwards, Andrew M: "RE: Reflexive ACL and traffic generated by the router"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:39 GMT-3