From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Dec 10 2004 - 19:27:10 GMT-3
Brian,
What a great example of the sadistic, devious minds of the people that
create the lab. And, one that would probably have me frantically pulling
out my hair until I remembered that with BGP either peer could initiate the
peering session.
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "Edwards, Andrew M" <andrew.m.edwards@boeing.com>; "Brian McGahan"
<bmcgahan@internetworkexpert.com>; "ccie2be" <ccie2be@nyc.rr.com>; "ccie
zeng" <ccie.candidate@gmail.com>; <ccielab@groupstudy.com>
Sent: Friday, December 10, 2004 2:50 PM
Subject: RE: filter www traffic
> Andrew,
>
> Yes, he said the question is to "configure on R1 to filter
> inbound www traffic from R2", but there's no mention of where the client
> or server resides. Is R2 the client? Is R2 running ip http-server? Is
> the client/server behind R2? If this were an actual lab question, the
> best option would be to ask the proctor first. If no more information
> is given I would recommend to configure the filter both ways.
>
> For example, let's say you have the same situation, R1 and R2
> directly connected. A question reads: "Configure R1 to filter inbound
> BGP traffic from R2" How do you configure this? Most people would
> answer to have an access-list that reads "deny tcp any any eq bgp"
> inbound on R1's interface, but look what happens when you do so:
>
> R1#show ip bgp summary
> BGP router identifier 13.0.0.1, local AS number 1
> BGP table version is 1, main routing table version 1
>
> Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
> 12.0.0.2 4 1 4 4 1 0 0 00:00:33 0
> R1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R1(config)#access-list 100 deny tcp any any eq bgp log
> R1(config)#access-list 100 permit tcp any eq bgp any log
> R1(config)#access-list 100 permit ip any any
> R1(config)#int s0/0
> R1(config-if)#ip access-group 100 in
> R1(config-if)#end
> R1#
> %SYS-5-CONFIG_I: Configured from console by console
> R1#clear ip bgp *
> R1#
> %BGP-5-ADJCHANGE: neighbor 12.0.0.2 Down User reset
> %SEC-6-IPACCESSLOGP: list 100 permitted tcp 12.0.0.2(179) ->
> 12.0.0.1(11001), 1 packet
> %SEC-6-IPACCESSLOGP: list 100 permitted tcp 12.0.0.2(179) ->
> 12.0.0.1(11002), 1 packet
> %BGP-5-ADJCHANGE: neighbor 12.0.0.2 Up
> R1#show ip bgp summary
> BGP router identifier 13.0.0.1, local AS number 1
> BGP table version is 1, main routing table version 1
>
> Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
> 12.0.0.2 4 1 9 9 1 0 0 00:00:09 0
> R1#show access-lists
> Extended IP access list 100
> 10 deny tcp any any eq bgp log
> 20 permit tcp any eq bgp any log (8 matches)
> 30 permit ip any any
>
> R1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> R1(config)#router bgp 1
> R1(config-router)#bgp router-id 12.0.0.3
> %BGP-5-ADJCHANGE: neighbor 12.0.0.2 Down Router ID changed
> R1(config-router)#
> %SEC-6-IPACCESSLOGP: list 100 denied tcp 12.0.0.2(11003) ->
> 12.0.0.1(179), 1 packet
> %SEC-6-IPACCESSLOGP: list 100 permitted tcp 12.0.0.2(179) ->
> 12.0.0.1(11003), 1 packet
> %BGP-5-ADJCHANGE: neighbor 12.0.0.2 Up
> R1(config-router)#do show access-lists
> Extended IP access list 100
> 10 deny tcp any any eq bgp log (1 match)
> 20 permit tcp any eq bgp any log (16 matches)
> 30 permit ip any any
>
> The BGP relationship is still up. Why is this happening?
>
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Edwards, Andrew M
> > Sent: Friday, December 10, 2004 11:31 AM
> > To: Brian McGahan; ccie2be; ccie zeng; ccielab@groupstudy.com
> > Subject: RE: filter www traffic
> >
> > Doesn't his question say filter traffic inbound from R2?
> >
> > So it would be only one statement....
> >
> > -----Original Message-----
> > From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> > Sent: Friday, December 10, 2004 6:32 AM
> > To: ccie2be; ccie zeng; ccielab@groupstudy.com
> > Subject: RE: filter www traffic
> >
> >
> > When a client sends an HTTP GET to a web server, is that WWW
> > traffic? When the server replies, is that also WWW traffic? Yes, they
> > both are. Therefore since the question didn't state which direction the
> > traffic flow is, I would assume to filter both.
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie2be
> > > Sent: Friday, December 10, 2004 7:36 AM
> > > To: ccie zeng; ccielab@groupstudy.com
> > > Subject: Re: filter www traffic
> > >
> > > Wei,
> > >
> > > When you say "filter", do you mean allow only www or deny www?
> > >
> > > Usually, filter means deny, so your permit statement really should be a
> > > deny statement.
> > >
> > > Now, I'm 95% sure that to filter www traffic, you want to filter traffic
> > > with a destination port of 80 which is what a client uses to request www.
> > > So, the correct acl statement would be:
> > >
> > > access-list 100 deny tcp any any eq www
> > > access-list 100 perm <enter what's permitted or all traffic will be blocked by implicit deny at end>
> > >
> > > HTH, Tim
> > > ----- Original Message -----
> > > From: "ccie zeng" <ccie.candidate@gmail.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Friday, December 10, 2004 5:07 AM
> > > Subject: filter www traffic
> > >
> > >
> > > > Hi:
> > > > I have following topology
> > > >
> > > > R1 --- R2
> > > > I was asked to configure on R1 to filter inbound www traffic from R2,
> > > > should I configure:
> > > >
> > > > access-list 100 permit tcp any any eq www
> > > > OR
> > > > access-list 100 permit tcp any eq www any
> > > >
> > > > Thanks
> > > > Wei
> > > >
> > > >
> >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
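The point Brian's BGP demonstration makes (and that applies equally to Wei's www question) is that an extended ACL matches on the port fields of each packet, not on the session, so "deny tcp any any eq bgp" only catches the half of the conversation where the remote side is the TCP initiator; when R1 opens the session, the packets arriving from R2 carry source port 179 and an ephemeral destination port and slip through. The following is an added example, not code from the thread or from anyone on it: a small Python model of IOS first-match ACL evaluation with the implicit deny at the end. It reuses the addresses, ports and ACL lines from Brian's output; the simplified ACL grammar (only "any" addresses, "eq" port matches, optional "log") and the ephemeral port 11003 are assumptions made here so the example can run offline.

```python
"""Added example: model how an IOS extended ACL sees the two halves of a TCP
session, to show why one directional deny does not filter BGP (or www)
"both ways". ACL lines and addresses follow Brian's output; the Python, the
simplified ACL grammar and the ephemeral port are constructed here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port names IOS accepts in place of numbers (only the two used in the thread).
PORT_NAMES = {"bgp": 179, "www": 80}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    seq: int                  # sequence number as "show access-lists" displays it
    action: str               # "permit" or "deny"
    protocol: str             # "tcp" or "ip" ("ip" matches every protocol)
    src_port: Optional[int]   # None means the "any" port spec
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        # Only "any" addresses are modelled (assumption); the lesson is in the ports.
        if self.protocol == "ip":
            return True
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse "access-list N {permit|deny} {tcp|ip} any [eq P] any [eq P] [log]"."""
    entries = []
    for i, line in enumerate(lines):
        tok = line.split()
        if tok[0] == "access-list":
            tok = tok[2:]                 # drop the keyword and the list number
        action, proto, rest = tok[0], tok[1], tok[2:]
        ports: List[Optional[int]] = []
        for _ in range(2):                # source spec, then destination spec
            if rest[0] != "any":
                raise ValueError("only 'any' addresses are modelled: " + line)
            rest = rest[1:]
            if rest and rest[0] == "eq":
                ports.append(_port(rest[1]))
                rest = rest[2:]
            else:
                ports.append(None)
        entries.append(AclEntry(10 * (i + 1), action, proto, ports[0], ports[1]))
    return entries


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls to the implicit deny (seq None)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.seq
    return "deny", None


def session_packets(initiator: str, responder: str, service_port: int,
                    ephemeral: int) -> Tuple[Packet, Packet]:
    """Both directions of one TCP session: the initiator sends from an ephemeral
    port to the service port, and the responder replies from the service port."""
    forward = Packet(initiator, ephemeral, responder, service_port)
    reply = Packet(responder, service_port, initiator, ephemeral)
    return forward, reply


def inbound_verdicts(acl: List[AclEntry], r1: str = "12.0.0.1", r2: str = "12.0.0.2",
                     service_port: int = 179, ephemeral: int = 11003
                     ) -> Dict[str, Tuple[str, Optional[int]]]:
    """What an inbound ACL on R1 does to the R2->R1 packet, for either initiator."""
    fwd, _ = session_packets(r2, r1, service_port, ephemeral)   # R2 opened it
    _, reply = session_packets(r1, r2, service_port, ephemeral)  # R1 opened it
    return {"r2_initiates": evaluate(acl, fwd), "r1_initiates": evaluate(acl, reply)}


# Brian's ACL: only sessions that R2 opens toward R1 hit line 10.
ONE_WAY = parse_acl([
    "access-list 100 deny tcp any any eq bgp log",
    "access-list 100 permit tcp any eq bgp any log",
    "access-list 100 permit ip any any",
])

# Filtering both ways, as the thread recommends: also drop packets sourced from 179.
BOTH_WAYS = parse_acl([
    "access-list 100 deny tcp any any eq bgp log",
    "access-list 100 deny tcp any eq bgp any log",
    "access-list 100 permit ip any any",
])

if __name__ == "__main__":
    for name, acl in (("one-way", ONE_WAY), ("both-ways", BOTH_WAYS)):
        print(name, inbound_verdicts(acl))
```

Run stand-alone, the one-way ACL reports the R2-initiated packet denied by line 10 and the R1-initiated reply permitted by line 20, which is exactly the pair of %SEC-6-IPACCESSLOGP lines in Brian's output; the both-ways ACL denies in either case. The same model with `service_port=80` shows why Wei's question needs a deny on `eq www` as both source and destination port to cover a client or server on either side.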
This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:26 GMT-3