From: Plank, Jason (JPlank@concordefs.com)
Date: Thu May 25 2006 - 01:04:13 ART
BGP uses TCP. It uses a random source port.
2w2d: TCP src=179, dst=12790, seq=0, ack=4117655611, win=0 ACK RST
-------------------
J. Marshall Plank
Network Engineer
101 Bellevue Parkway
Wilmington, DE 19809
E-mail: JPlank@concordefs.com
Phone: 302-793-5913
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Nick Griffin
Sent: Wednesday, May 24, 2006 11:48 PM
To: Tony Paterra
Cc: GroupStudy CCIE
Subject: Re: RACLs and BGP sessions...
Based on my understanding you're correct, BGP does use a random source
port; there is a range, but right off hand I can't recall (appears to be
11000-11002). It's not sourced from port 179. So I believe "permit tcp
any any eq bgp" inbound would work. And you're right on with RIP, udp
source/destination 520; I think what you have for RIP would work as well.
My .02
Tony Paterra wrote:
> All, quick question regarding reflexive ACLs and BGP... If we have a
> router with an "outside" ethernet interface and we want to allow BGP
> routing updates, I have seen it configured like this statically in a
> RACL...
>
> ip access-list extended OUT_ACL
> permit tcp any any reflect REFLECTED
> permit icmp any any reflect REFLECTED
> permit udp any any reflect REFLECTED
>
> ip access-list extended IN_ACL
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit udp any any eq rip
> eval REFLECTED
>
> int e0/0
> description Outside interface
> ip access-group IN_ACL in
> ip access-group OUT_ACL out
>
>
> My natural reaction is to say "permit tcp any any eq bgp" and leave it
> at that instead of saying "permit tcp any eq bgp any" as well. My
> guess is that my router sources BGP updates from a random available
> port to port 179 (i.e. local port = random, dst port = neighbor's port
> 179) and expects to receive from the neighbor's random port destined
> to my local port 179 (neighbor's local port = random, dst port = my
> port 179). Is my mind on the right track? If this is the case,
> shouldn't RIP updates be configured like so...
>
> permit udp any eq rip any eq rip
>
> I'm seeing all the RIP communication come SRC/DST from port 520 which
> leads me to believe this...
>
>
> As always, I appreciate the help.
>
> Tony Paterra
> apaterra@gmail.com
>
> _______________________________________________________________________
> Subscription information may be found
> at:http://www.groupstudy.com/list/CCIELab.html
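As an added illustration (my own example, not code or configuration from anyone in the thread), the following Python model walks the four cases being argued over through the OUT_ACL / IN_ACL pair quoted above: a locally initiated BGP session (random local port to neighbor's 179), the neighbor opening the session to the local 179, an unrelated packet arriving from remote port 179, and a RIP datagram with 520 on both sides. The evaluator is a deliberate simplification of IOS reflexive ACLs (an outbound permit with `reflect` creates a mirrored temporary entry, `evaluate` consults it, no idle timeouts or FIN/RST teardown); the addresses and ephemeral ports are constructed, and the 11001 local port is only an assumption taken from the range Nick quotes.

```python
"""Toy model of Cisco IOS reflexive ACLs for the BGP/RIP cases in the thread.

Simplifications (assumptions, not IOS behaviour): no timeouts, no TCP
FIN/RST teardown of temporary entries, unicast only, IPv4 addresses as
plain strings. Addresses and ephemeral ports below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BGP, RIP = 179, 520  # well-known ports the thread is about


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    """One 'permit' line. None means 'any'. reflect/evaluate mirror the IOS keywords."""
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    reflect: Optional[str] = None   # "permit ... reflect NAME"
    evaluate: Optional[str] = None  # "evaluate NAME" (Tony wrote it as "eval")

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in (None, p.src) and self.dst in (None, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))


ReflexState = Dict[str, List[Entry]]


def apply_outbound(acl: List[Entry], p: Packet, state: ReflexState) -> bool:
    """Outbound ACL: first matching permit wins; if it carries 'reflect NAME',
    the mirror of the packet (addresses and ports swapped) is added to NAME."""
    for e in acl:
        if e.evaluate is None and e.matches(p):
            if e.reflect:
                mirror = Entry(p.proto, src=p.dst, sport=p.dport, dst=p.src, dport=p.sport)
                lst = state.setdefault(e.reflect, [])
                if mirror not in lst:
                    lst.append(mirror)
            return True
    return False  # implicit deny


def apply_inbound(acl: List[Entry], p: Packet, state: ReflexState) -> bool:
    """Inbound ACL: static permits in order; 'evaluate NAME' is the point at
    which the temporary (reflexive) entries are consulted."""
    for e in acl:
        if e.evaluate:
            if any(t.matches(p) for t in state.get(e.evaluate, [])):
                return True
            continue
        if e.matches(p):
            return True
    return False  # implicit deny


# The ACLs from the quoted config. IN_ACL_MINIMAL is Tony's "natural reaction":
# only "permit tcp any any eq bgp"; IN_ACL_STATIC adds "permit tcp any eq bgp any".
OUT_ACL = [Entry("tcp", reflect="REFLECTED"),
           Entry("icmp", reflect="REFLECTED"),
           Entry("udp", reflect="REFLECTED")]
IN_ACL_MINIMAL = [Entry("tcp", dport=BGP), Entry("udp", dport=RIP),
                  Entry("any", evaluate="REFLECTED")]
IN_ACL_STATIC = [Entry("tcp", dport=BGP), Entry("tcp", sport=BGP),
                 Entry("udp", dport=RIP), Entry("any", evaluate="REFLECTED")]


def scenarios() -> Dict[str, bool]:
    me, nbr = "10.0.0.1", "10.0.0.2"  # constructed addresses
    state: ReflexState = {}
    # 1. I open the session: my ephemeral port (assumed 11001) -> neighbor's 179
    out_ok = apply_outbound(OUT_ACL, Packet("tcp", me, 11001, nbr, BGP), state)
    # ... and the neighbor's replies come from 179 to my 11001: covered by the
    # reflexive entry, so no static "permit tcp any eq bgp any" is needed.
    reply_ok = apply_inbound(IN_ACL_MINIMAL, Packet("tcp", nbr, BGP, me, 11001), state)
    # 2. The neighbor opens the session to my 179: the static line covers it.
    nbr_open = apply_inbound(IN_ACL_MINIMAL, Packet("tcp", nbr, 45123, me, BGP), state)
    # 3. Anything sourced from remote port 179 to a port I never opened must
    #    be dropped; the extra static "any eq bgp any" line would let it in.
    stray_minimal = apply_inbound(IN_ACL_MINIMAL, Packet("tcp", nbr, BGP, me, 22), state)
    stray_static = apply_inbound(IN_ACL_STATIC, Packet("tcp", nbr, BGP, me, 22), state)
    # 4. RIP: 520 -> 520, so "any any eq rip" and "any eq rip any eq rip" both match.
    rip_any = apply_inbound(IN_ACL_MINIMAL, Packet("udp", nbr, RIP, me, RIP), state)
    rip_both = Entry("udp", sport=RIP, dport=RIP).matches(Packet("udp", nbr, RIP, me, RIP))
    return {"outbound_open": out_ok, "reply_via_reflexive": reply_ok,
            "neighbor_initiated": nbr_open, "stray_from_179_minimal": stray_minimal,
            "stray_from_179_with_static_line": stray_static,
            "rip_any_any_eq_rip": rip_any, "rip_eq_rip_eq_rip": rip_both}


if __name__ == "__main__":
    for name, permitted in scenarios().items():
        print(f"{name:34s} {'permit' if permitted else 'deny'}")
```

The point the model makes concrete is the one Tony is circling: with the reflexive entry in place, the only static TCP line the inbound ACL needs is the one for sessions the neighbor initiates (destination port 179); the "source port 179" line is redundant for your own sessions and, as case 3 shows, would also admit any packet that merely claims to come from port 179.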
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART