From: Plank, Jason (JPlank@concordefs.com)
Date: Thu May 25 2006 - 00:39:07 ART
That would seem to make sense since rip = udp 520
-------------------
J. Marshall Plank
Network Engineer
101 Bellevue Parkway
Wilmington, DE 19809
E-mail: JPlank@concordefs.com
Phone: 302-793-5913
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tony Paterra
Sent: Wednesday, May 24, 2006 11:32 PM
To: GroupStudy CCIE
Subject: RACLs and BGP sessions...
All, quick question regarding reflexive ACLs and BGP... If we have a
router with an "outside" ethernet interface and we want to allow BGP
routing updates, I have seen it configured like this statically in a
RACL...
ip access-list extended OUT_ACL
permit tcp any any reflect REFLECTED
permit icmp any any reflect REFLECTED
permit udp any any reflect REFLECTED
ip access-list extended IN_ACL
permit tcp any any eq bgp
permit tcp any eq bgp any
permit udp any any eq rip
evaluate REFLECTED
int e0/0
description Outside interface
ip access-group IN_ACL in
ip access-group OUT_ACL out
My natural reaction is to say "permit tcp any any eq bgp" and leave
it at that instead of saying "permit tcp any eq bgp any" as well. My
guess is that my router sources BGP updates from a random available
port to port 179 (i.e. local port = random, dst port = neighbor's
port 179) and expects to receive from the neighbor's random port
destined to my local port 179 (neighbor's local port = random, dst
port = my port 179). Is my mind on the right track? If this is the
case, shouldn't RIP updates be configured like so...
permit udp any eq rip any eq rip
I'm seeing all the RIP communication come SRC/DST from port 520 which
leads me to believe this...
As always, I appreciate the help.
Tony Paterra
apaterra@gmail.com
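To make the port behaviour behind both questions concrete, here is a small Python model of the two ACLs from the thread, written for this archive page and not part of either poster's configuration. It parses the IOS-style extended ACL lines as they appear above, applies the implicit deny at the end of every ACL, and models the "reflect"/"evaluate" pair as IOS does: a permitted outbound session creates a temporary entry with source and destination swapped, and "evaluate" consults those entries. One caveat the model also carries: IOS does not run an outbound interface ACL over packets the router itself originates, so a BGP session the router opens never creates a reflected entry, which is why both static BGP lines are needed no matter which peer initiates. The addresses, port numbers and packets are constructed sample values, and the comparison of "permit udp any any eq rip" against "permit udp any eq rip any eq rip" shows what the tighter line rejects.

```python
"""Toy evaluator for IOS-style extended ACLs with reflexive entries (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NAMED_PORTS = {"bgp": 179, "rip": 520, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Entry:
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    reflect: Optional[str] = None   # "reflect NAME": create a mirrored temporary entry
    evaluate: Optional[str] = None  # "evaluate NAME": consult the temporary entries


def parse_line(line: str) -> Entry:
    """Parse 'permit|deny PROTO SRC [eq PORT] DST [eq PORT] [reflect NAME]' or 'evaluate NAME'."""
    tok = line.split()
    if tok[0] == "evaluate":
        return Entry("permit", "any", "any", None, "any", None, evaluate=tok[1])
    action, proto, i = tok[0], tok[1], 2

    def addr():
        nonlocal i
        if tok[i] == "host":          # 'host A.B.C.D' form
            a, i = tok[i + 1], i + 2
        else:                         # 'any' or a bare address
            a, i = tok[i], i + 1
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        return a, port

    src, sport = addr()
    dst, dport = addr()
    reflect = tok[i + 1] if i < len(tok) and tok[i] == "reflect" else None
    return Entry(action, proto, src, sport, dst, dport, reflect=reflect)


def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and e.src in ("any", p.src) and (e.sport is None or e.sport == p.sport)
            and e.dst in ("any", p.dst) and (e.dport is None or e.dport == p.dport))


class Router:
    def __init__(self, acls: Dict[str, List[str]]):
        self.acls = {name: [parse_line(l) for l in lines] for name, lines in acls.items()}
        self.reflected: Dict[str, List[Entry]] = {}  # reflect-list name -> temporary entries

    def check(self, acl_name: str, pkt: Packet, router_generated: bool = False) -> str:
        # Outbound interface ACLs are not applied to packets the router itself sends,
        # so such packets pass and, crucially, create no reflected entry.
        if router_generated:
            return "permit"
        for e in self.acls[acl_name]:
            if e.evaluate is not None:
                if any(matches(r, pkt) for r in self.reflected.get(e.evaluate, [])):
                    return "permit"
                continue
            if matches(e, pkt):
                if e.reflect:  # mirror the five-tuple so the return traffic is allowed
                    self.reflected.setdefault(e.reflect, []).append(
                        Entry("permit", pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return e.action
        return "deny"  # implicit deny at the end of every IOS ACL


def demo() -> Dict[str, str]:
    """Run the thread's ACLs against constructed packets; returns decision per scenario."""
    out_acl = ["permit tcp any any reflect REFLECTED",
               "permit icmp any any reflect REFLECTED",
               "permit udp any any reflect REFLECTED"]
    in_acl = ["permit tcp any any eq bgp", "permit tcp any eq bgp any",
              "permit udp any eq rip any eq rip", "evaluate REFLECTED"]
    r = Router({"OUT_ACL": out_acl, "IN_ACL": in_acl})
    me, nbr, rip_mcast = "10.0.0.1", "10.0.0.2", "224.0.0.9"   # constructed addresses
    res = {}
    # 1. Neighbour opens the BGP session: its ephemeral port -> my 179.
    res["bgp_neighbor_initiated"] = r.check("IN_ACL", Packet("tcp", nbr, 40000, me, 179))
    # 2. I open the session: my ephemeral port -> neighbour's 179 (router-generated, not reflected),
    #    so the reply 179 -> my ephemeral port needs the static 'permit tcp any eq bgp any'.
    r.check("OUT_ACL", Packet("tcp", me, 45000, nbr, 179), router_generated=True)
    res["bgp_reply_to_my_session"] = r.check("IN_ACL", Packet("tcp", nbr, 179, me, 45000))
    # 3. RIP is UDP 520 -> 520; a datagram from a random source port is not RIP.
    res["rip_520_to_520"] = r.check("IN_ACL", Packet("udp", nbr, 520, rip_mcast, 520))
    res["rip_random_src"] = r.check("IN_ACL", Packet("udp", nbr, 40000, rip_mcast, 520))
    loose = Router({"IN_ACL": ["permit udp any any eq rip"]})
    res["rip_random_src_loose_line"] = loose.check("IN_ACL", Packet("udp", nbr, 40000, rip_mcast, 520))
    # 4. An inside host's outbound DNS query is reflected; only the matching reply gets back in.
    r.check("OUT_ACL", Packet("udp", "192.168.1.10", 50000, "203.0.113.5", 53))
    res["dns_reply_reflected"] = r.check("IN_ACL", Packet("udp", "203.0.113.5", 53, "192.168.1.10", 50000))
    res["dns_unsolicited"] = r.check("IN_ACL", Packet("udp", "203.0.113.5", 53, "192.168.1.10", 60000))
    return res


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:28s} {decision}")
```

The model deliberately ignores TCP flags and timeouts, which a real reflexive ACL tracks; the point it isolates is which static lines are reachable once router-originated sessions are excluded from reflection, and why the tighter RIP line drops a datagram to port 520 that did not come from port 520.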
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART