From: Yogesh kumar (yogeshksoni@gmail.com)
Date: Tue Nov 09 2004 - 02:42:53 GMT-3
Hi,
This problem was fixed by keeping my config (including ACLs & ip
local policy) and adding "permit tcp any eq bgp any" as Kian had
suggested.
I couldn't have changed the BGP neighbor on this router because I
have no control over the other router (110.110.110.9) and that router
has the Ethernet address of this router in its neighbor statement.
(btw, to avoid confusion as to why OSPF worked with my local policy,
as Kian noted: it is because OSPF is on the inside network and not
affected by the ACLs)
Thanks
-bobby
On Mon, 8 Nov 2004 15:51:26 -0800, Edwards, Andrew M
<andrew.m.edwards@boeing.com> wrote:
> Change the source interface for the bgp NEIGHBOR. You can do this with
> ibgp or ebgp.
>
> neighbor 110.110.110.9 remote-as 60109
> neighbor 110.110.110.9 update-source Loopback0
>
>
>
> -----Original Message-----
> From: Kian Wah Lai [mailto:kian_wah@qala.com.sg]
> Sent: Saturday, November 06, 2004 10:03 PM
> To: METOO CCIE
> Cc: ccielab@groupstudy.com
> Subject: Re: Reflexive ACL and traffic generated by the router
>
> no idea why your OSPF is able to come up. have you tried rebooting and
> see if it is still up?
>
> the easiest way to solve your problem would be (without complicating
> things too much)
> ip access-list extended inboundfilters
>  permit tcp any any eq bgp
>  permit tcp any eq bgp any
>  permit ospf any any
>  evaluate tcptraffic
>  evaluate udptraffic
>  evaluate icmptraffic
>  deny ip any any
> !
> ip access-list extended outboundfilters
>  permit tcp any any reflect tcptraffic
>  permit udp any any reflect udptraffic
>  permit icmp any any reflect icmptraffic
>  permit ip any any
> !
> no ip local policy route-map JNK123
>
> Regards,
> Kian Wah
> 3 routers and one PIX rental at SGD2/hr
> http://rack.sgcug.org/
> Singapore Cisco User Group
>
> METOO CCIE wrote:
>
> > Thanks for the suggestion Kian and Anthony.
> >
> > I tried ip local policy and I can see reverse temporary entries get
> > established when this router initiates ip traffic going out of
> > Ethernet 0/0.
> >
> > However, now my BGP connection with 110.110.110.9 does not come up.
> > This neighbor is on Eth 0/0, where reflexive ACL is applied.
> >
> > Here is the extra config that I applied in addition to the config in
> > my first email. Any idea what can I change to get BGP working?
> >
> > !
> > ip local policy route-map JNK123
> > !
> > access-list 181 deny tcp any any eq bgp   ! this still does not allow bgp nei to come up
> > access-list 181 deny ospf any any         ! this allows ospf to come up fine
> > access-list 181 permit ip any any
> > !
> > route-map JNK123 permit 10
> > match ip address 181
> > set interface Loopback0
> > !
> > router bgp 167
> > bgp router-id 1.1.1.1
> > neighbor 110.110.110.9 remote-as 60109
> > !
> > !
> > interface Loopback0
> > ip address 1.1.1.1 255.255.255.0
> > !
> > I keep getting following messages:
> > %BGP-3-NOTIFICATION: sent to neighbor 110.110.110.9 4/0 (hold time expired) 0 bytes
> >
> > sh ip bgp nei:
> > ------------------
> > BGP neighbor is 110.110.110.9,  remote AS 60109, external link
> >   BGP version 4, remote router ID 110.110.110.9
> >   BGP state = OpenConfirm
> >
> > Thanks
> > -bobby
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
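Added example (not from the thread): the configuration that the thread converges on, written out in full, with Kian's BGP permits narrowed to the peer that the thread names. Assumptions: Ethernet0/0 is the outside interface on which the reflexive ACLs are applied (as bobby states); the router's own Ethernet0/0 address is not on the page, so "any" is kept on the local side of the BGP entries; the "log" keyword on the final deny is an addition for visibility. Everything else (ACL names, peer address, AS numbers, route-map JNK123, access-list 181) is taken from the thread as bobby reported keeping it.

```cisco
! Added example, not the original poster's config. Assumed: Ethernet0/0 is the
! outside interface carrying eBGP peer 110.110.110.9; local E0/0 address unknown.
!
ip access-list extended inboundfilters
 ! The eBGP session is router-originated and router-terminated, and IOS does
 ! not pass router-generated traffic through the outbound ACL, so no reflexive
 ! entry is ever created for it. Permit it statically, in both directions.
 ! Peer opens the session (destination port 179 on this router):
 permit tcp host 110.110.110.9 any eq bgp
 ! This router opens the session (replies come from the peer's port 179):
 permit tcp host 110.110.110.9 eq bgp any
 ! Kian's "permit tcp any eq bgp any" also works, but admits any host to any
 ! local port as long as it uses source port 179; the host-scoped form above
 ! is the tighter equivalent.
 !
 ! Only needed if OSPF neighbors exist on Ethernet0/0. bobby reports OSPF runs
 ! on the inside network and is not affected by these ACLs, so this line is
 ! optional in his topology.
 permit ospf any any
 !
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
 deny ip any any log
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic
 permit icmp any any reflect icmptraffic
 permit ip any any
!
interface Ethernet0/0
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
router bgp 167
 bgp router-id 1.1.1.1
 neighbor 110.110.110.9 remote-as 60109
!
! Kept as bobby reported: local policy pushes traffic the router itself
! sources (ping, telnet, ...) through Loopback0 so that it re-enters routing
! and hits the outbound ACL, creating reflexive entries. BGP and OSPF are
! excluded from the detour; BGP is carried by the static permits above.
ip local policy route-map JNK123
!
access-list 181 deny   tcp any any eq bgp
access-list 181 deny   ospf any any
access-list 181 permit ip any any
!
route-map JNK123 permit 10
 match ip address 181
 set interface Loopback0
```

Check it with "show ip access-lists inboundfilters" after the session is up: the two static BGP entries should show match counts, while the reflexive entries (tcptraffic etc.) should appear only for flows the router initiated through the local policy, never for TCP 179.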
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:40 GMT-3