From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Dec 10 2004 - 16:50:50 GMT-3
Andrew,
Yes, he said the question is to "configure on R1 to filter inbound www traffic from R2", but there's no mention of where the client or server resides. Is R2 the client? Is R2 running ip http-server? Is the client/server behind R2? If this were an actual lab question, the best option would be to ask the proctor first. If no more information is given, I would recommend configuring the filter both ways.
For example, let's say you have the same situation, R1 and R2 directly connected. A question reads: "Configure R1 to filter inbound BGP traffic from R2." How do you configure this? Most people would answer to have an access-list that reads "deny tcp any any eq bgp" inbound on R1's interface, but look what happens when you do so:
R1#show ip bgp summary
BGP router identifier 13.0.0.1, local AS number 1
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
12.0.0.2 4 1 4 4 1 0 0 00:00:33 0
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 100 deny tcp any any eq bgp log
R1(config)#access-list 100 permit tcp any eq bgp any log
R1(config)#access-list 100 permit ip any any
R1(config)#int s0/0
R1(config-if)#ip access-group 100 in
R1(config-if)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#clear ip bgp *
R1#
%BGP-5-ADJCHANGE: neighbor 12.0.0.2 Down User reset
%SEC-6-IPACCESSLOGP: list 100 permitted tcp 12.0.0.2(179) -> 12.0.0.1(11001), 1 packet
%SEC-6-IPACCESSLOGP: list 100 permitted tcp 12.0.0.2(179) -> 12.0.0.1(11002), 1 packet
%BGP-5-ADJCHANGE: neighbor 12.0.0.2 Up
R1#show ip bgp summary
BGP router identifier 13.0.0.1, local AS number 1
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
12.0.0.2 4 1 9 9 1 0 0 00:00:09 0
R1#show access-lists
Extended IP access list 100
10 deny tcp any any eq bgp log
20 permit tcp any eq bgp any log (8 matches)
30 permit ip any any
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router bgp 1
R1(config-router)#bgp router-id 12.0.0.3
%BGP-5-ADJCHANGE: neighbor 12.0.0.2 Down Router ID changed
R1(config-router)#
%SEC-6-IPACCESSLOGP: list 100 denied tcp 12.0.0.2(11003) -> 12.0.0.1(179), 1 packet
%SEC-6-IPACCESSLOGP: list 100 permitted tcp 12.0.0.2(179) -> 12.0.0.1(11003), 1 packet
%BGP-5-ADJCHANGE: neighbor 12.0.0.2 Up
R1(config-router)#do show access-lists
Extended IP access list 100
10 deny tcp any any eq bgp log (1 match)
20 permit tcp any eq bgp any log (16 matches)
30 permit ip any any
The BGP relationship is still up. Why is this happening?
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Edwards, Andrew M
> Sent: Friday, December 10, 2004 11:31 AM
> To: Brian McGahan; ccie2be; ccie zeng; ccielab@groupstudy.com
> Subject: RE: filter www traffic
>
> Doesn't his question say filter traffic inbound from R2?
>
> So it would be only one statement....
>
> -----Original Message-----
> From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> Sent: Friday, December 10, 2004 6:32 AM
> To: ccie2be; ccie zeng; ccielab@groupstudy.com
> Subject: RE: filter www traffic
>
>
> When a client sends an HTTP GET to a web server, is that WWW traffic? When the server replies, is that also WWW traffic? Yes, they both are.
> Therefore since the question didn't state which direction the traffic flow is, I would assume to filter both.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > Sent: Friday, December 10, 2004 7:36 AM
> > To: ccie zeng; ccielab@groupstudy.com
> > Subject: Re: filter www traffic
> >
> > Wei,
> >
> > When you say "filter", do you mean allow only www or deny www?
> >
> > Usually, filter means deny, so your permit statement really should be a deny statement.
> >
> > Now, I'm 95% sure that to filter www traffic, you want to filter traffic with a destination port of 80, which is what a client uses to request www.
> > So, the correct acl statement would be:
> >
> > access-list 100 deny tcp any any eq www
> > access-list 100 perm <enter what's permitted or all traffic will be
> > blocked by implicit deny at end>
> >
> > HTH, Tim
> > ----- Original Message -----
> > From: "ccie zeng" <ccie.candidate@gmail.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Friday, December 10, 2004 5:07 AM
> > Subject: filter www traffic
> >
> >
> > > Hi:
> > > I have following topology
> > >
> > > R1 --- R2
> > > I was asked to configure on R1 to filter inbound www traffic from R2, should I configure:
> > >
> > > access-list 100 permit tcp any any eq www
> > > OR
> > > access-list 100 permit tcp any eq www any
> > >
> > > Thanks
> > > Wei
> > >
> > >
>
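The ACL-direction point Brian demonstrates with BGP (and the www question that started the thread) as an added, constructed example; it is not code from the thread or from any Cisco tool. It models first-match extended-ACL evaluation for TCP only, with the thread's addresses 12.0.0.2 and 12.0.0.1, and shows why a single "deny tcp any any eq <port>" only catches sessions that the R2 side opens, while the "both ways" filter also catches replies from a server on the R2 side.

```python
from dataclasses import dataclass
from typing import List, Optional

BGP, WWW = 179, 80


@dataclass(frozen=True)
class Packet:
    """A TCP packet arriving inbound on R1's interface from R2 (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """Simplified extended-ACL entry: tcp, 'any any', optional 'eq' on either side."""
    action: str                      # "permit" or "deny"
    src_port: Optional[int] = None   # 'eq <port>' after the source, None = any
    dst_port: Optional[int] = None   # 'eq <port>' after the destination, None = any

    def cisco(self) -> str:
        s = f" eq {self.src_port}" if self.src_port is not None else ""
        d = f" eq {self.dst_port}" if self.dst_port is not None else ""
        return f"{self.action} tcp any{s} any{d}"


def first_match(acl: List[Ace], pkt: Packet) -> str:
    """First-match semantics; falls through to the implicit deny at the end."""
    for ace in acl:
        if ace.src_port not in (None, pkt.src_port):
            continue
        if ace.dst_port not in (None, pkt.dst_port):
            continue
        return ace.action
    return "deny"


def one_way_filter(port: int) -> List[Ace]:
    """'deny tcp any any eq <port>' then 'permit ip any any' (the common answer)."""
    return [Ace("deny", dst_port=port), Ace("permit")]


def two_way_filter(port: int) -> List[Ace]:
    """Adds 'deny tcp any eq <port> any' so replies from a server on the R2 side are caught."""
    return [Ace("deny", dst_port=port), Ace("deny", src_port=port), Ace("permit")]


def inbound_flow(port: int, r2_is_client: bool) -> List[Packet]:
    """Constructed inbound packets on R1 for one session: R2 opens it, or R1 opened it."""
    if r2_is_client:
        return [Packet("12.0.0.2", 11003, "12.0.0.1", port)]
    return [Packet("12.0.0.2", port, "12.0.0.1", 11001)]  # replies to R1's own session


def session_passes(acl: List[Ace], port: int, r2_is_client: bool) -> bool:
    """True if every inbound packet of the session is permitted by the ACL."""
    return all(first_match(acl, p) == "permit" for p in inbound_flow(port, r2_is_client))
```

With the one-way filter, the session R1 opened survives exactly as the log lines in Brian's capture show (source port 179 permitted); only the two-way filter blocks both cases.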
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3