From: Nick Griffin (ngriffin@sio.midco.net)
Date: Thu May 25 2006 - 01:17:55 ART
Yeah, my mistake, it depends on the initial setup who's the "server"
from the tcp perspective. Similar to HTTP, etc.
Plank, Jason wrote:
> BGP uses TCP. It uses a random source port.
>
> 2w2d: TCP src=179, dst=12790, seq=0, ack=4117655611, win=0 ACK RST
>
> -------------------
> J. Marshall Plank
> Network Engineer
> 101 Bellevue Parkway
> Wilmington, DE 19809
> E-mail: JPlank@concordefs.com
> Phone: 302-793-5913
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Nick
> Griffin
> Sent: Wednesday, May 24, 2006 11:48 PM
> To: Tony Paterra
> Cc: GroupStudy CCIE
> Subject: Re: RACLs and BGP sessions...
>
> Based on my understanding your correct, BGP does use a random source
> port, there is a range, but right off hand I can't recall( appears to be
> 11000-11002 ). It's not sourced from port 179. So I believe "permit tcp
> any any eq bgp" Inbound would work. And your right on with RIP, udp
> source/destination 520, I think what you have for RIP would work as well.
>
> My .02
>
>
> Tony Paterra wrote:
>
>> All quick question regarding reflexive ACLs and BGP... If we have a
>> router with an "outside" ethernet interface and we want to allow BGP
>> routing updates I have seen it configured like this statically in a
>> RACL...
>>
>> ip access-list extended OUT_ACL
>> permit tcp any any reflect REFLECTED
>> permit icmp any any reflect REFLECTED
>> permit udp any any reflect REFLECTED
>>
>> ip access-list extended IN_ACL
>> permit tcp any any eq bgp
>> permit tcp any eq bgp any
>> permit udp any any eq rip
>> eval REFLECTED
>>
>> int e0/0
>> description Outside interface
>> ip access-group IN_ACL in
>> ip access-group OUT_ACL out
>>
>>
>> My natural reaction is to say "permit tcp any any eq bgp" and leave it
>> at that instead of saying "permit tcp any eq bgp any" as well. My
>> guess is that my router sources BGP updates from a random available
>> port to port 179 (i.e. local port = random, dst port = neighbor's port
>> 179) and expects to receive from the neighbor's random port destined
>> to my local port 179 (neighbor's local port = random dst port = my
>> port 179, is my mind on the right track? If this is the case,
>> shouldn't RIP updates be configured like so...
>>
>> permit udp any eq rip any eq rip
>>
>> I'm seeing all the RIP communication come SRC/DST from port 520 which
>> leads me to believe this...
>>
>>
>> As always, I appreciate the help.
>>
>> Tony Paterra
>> apaterra@gmail.com
>>
>> _______________________________________________________________________
>> Subscription information may be found
>> at:http://www.groupstudy.com/list/CCIELab.html
>>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> -----------------------------------------
> The information in this message may be proprietary and/or
> confidential, and protected from disclosure. If the reader of this
> message is not the intended recipient, or an employee or agent
> responsible for delivering this message to the intended recipient,
> you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have
> received this communication in error, please notify First Data
> immediately by replying to this message and deleting it from your
> computer.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART