RE: Reflexive ACL and traffic generated by the router

From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Mon Nov 08 2004 - 20:51:26 GMT-3


Change the source interface for the BGP neighbor. You can do this with
iBGP or eBGP.

neighbor 110.110.110.9 remote-as 60109
neighbor 110.110.110.9 update-source Loopback0

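A toy model of the behaviour the thread is wrestling with, added here as an illustration rather than anything from the posters or from Cisco: the outbound "reflect" entries are only created for traffic that is actually inspected by the outbound ACL, so traffic the router itself originates gets no reverse entry unless "ip local policy" forces it through, and a peer-initiated TCP/179 session can only be admitted by an explicit permit. The addresses, port numbers and the Eth0/Pkt helpers are constructed for the example.

```python
from dataclasses import dataclass

BGP = 179
ROUTER, PEER = "110.110.110.1", "110.110.110.9"   # constructed; peer address is from the thread

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Eth0:
    """Eth0/0 with 'outboundfilters' (reflect) and 'inboundfilters' (evaluate, then deny ip any any)."""
    def __init__(self, static_permits=()):
        self.static = list(static_permits)  # the explicit 'permit' lines that precede 'evaluate'
        self.reflect = set()                # temporary reverse entries created by 'reflect'

    def outbound(self, pkt, locally_generated=False):
        # Traffic the router originates is not inspected by the outbound ACL
        # (unless 'ip local policy' forces it through), so nothing is reflected for it.
        if not locally_generated and pkt.proto in ("tcp", "udp", "icmp"):
            self.reflect.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        if any(rule(pkt) for rule in self.static):
            return True                     # matched a static permit before 'evaluate'
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflect

def bgp_session(static_permits, local_policy=False):
    """Router opens TCP/179 to the peer; returns whether the peer's SYN-ACK is admitted."""
    eth = Eth0(static_permits)
    eth.outbound(Pkt("tcp", ROUTER, 30000, PEER, BGP), locally_generated=not local_policy)
    return eth.inbound(Pkt("tcp", PEER, BGP, ROUTER, 30000))

def peer_initiated_bgp(static_permits):
    """The peer opens the session first: no reflect entry can exist, only a static permit helps."""
    eth = Eth0(static_permits)
    return eth.inbound(Pkt("tcp", PEER, 29000, ROUTER, BGP))

# The two BGP lines from Kian Wah's 'inboundfilters', expressed as predicates
BGP_PERMITS = [
    lambda p: p.proto == "tcp" and p.dport == BGP,   # permit tcp any any eq bgp
    lambda p: p.proto == "tcp" and p.sport == BGP,   # permit tcp any eq bgp any
]
```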
-----Original Message-----
From: Kian Wah Lai [mailto:kian_wah@qala.com.sg]
Sent: Saturday, November 06, 2004 10:03 PM
To: METOO CCIE
Cc: ccielab@groupstudy.com
Subject: Re: Reflexive ACL and traffic generated by the router

No idea why your OSPF is able to come up. Have you tried rebooting and
seeing if it is still up?

The easiest way to solve your problem would be (without complicating
things too much):
ip access-list extended inboundfilters
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
 deny ip any any
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic
 permit icmp any any reflect icmptraffic
 permit ip any any
no ip local policy route-map JNK123

Regards,
Kian Wah
3 routers and one PIX rental at SGD2/hr
http://rack.sgcug.org/
Singapore Cisco User Group

METOO CCIE wrote:

> Thanks for the suggestion Kian and Anthony.
>
> I tried ip local policy and I can see reverse temporary entries get
> established when this router initiates ip traffic going out of
> Ethernet 0/0.
>
> However, now my BGP connection with 110.110.110.9 does not come up.
> This neighbor is on Eth 0/0, where reflexive ACL is applied.
>
> Here is the extra config that I applied in addition to the config in
> my first email. Any idea what I can change to get BGP working?
>
> !
> ip local policy route-map JNK123
> !
> access-list 181 deny tcp any any eq bgp  ! this still does not allow bgp nei to come up
> access-list 181 deny ospf any any        ! this allows ospf to come up fine
> access-list 181 permit ip any any
> !
> route-map JNK123 permit 10
> match ip address 181
> set interface Loopback0
> !
> router bgp 167
> bgp router-id 1.1.1.1
> neighbor 110.110.110.9 remote-as 60109
> !
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> !
> I keep getting following messages:
> %BGP-3-NOTIFICATION: sent to neighbor 110.110.110.9 4/0 (hold time expired) 0 bytes
>
> sh ip bgp nei:
> ------------------
> BGP neighbor is 110.110.110.9, remote AS 60109, external link
>   BGP version 4, remote router ID 110.110.110.9
>   BGP state = OpenConfirm
>
> Thanks
> -bobby
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:40 GMT-3