RE: reflexive acl's and bgp orf

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Aug 03 2006 - 10:17:20 ART


        It depends on who is the TCP client and who is the TCP server in
the BGP connection. Assuming there is no other filtering anywhere in
the transit path that should be fine, however to be safe you should
technically say:

permit tcp any any eq bgp <--- I am the TCP server
permit tcp any eq bgp any <--- I am the TCP client

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
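As an added illustration (not from the thread; the interface, addresses and AS numbers are made up), this is how the two explicit BGP entries sit alongside the reflexive statements in an IOS configuration: the outbound list reflects transit TCP/UDP/ICMP, and because the router's own BGP packets never pass through an outbound ACL, the inbound list must permit port 179 in both TCP roles before evaluating the reflexive entries. The entries are tightened to the peer and local addresses rather than the `any any` form discussed above.

```cisco
! Added example, not from the thread. Interface, addresses and AS numbers are made up.
!
! Outbound list on the transit interface. Packets the router itself originates
! (BGP, OSPF, RIP, GRE, ...) are not evaluated by an outbound ACL, so they never
! create a reflexive entry; only transit TCP/UDP/ICMP is reflected.
ip access-list extended OUTBOUND
 permit tcp any any reflect MYREFLECT
 permit udp any any reflect MYREFLECT
 permit icmp any any reflect MYREFLECT
!
! Inbound list. Explicitly permit the local BGP session in both TCP roles
! before evaluating the reflexive entries for transit return traffic.
ip access-list extended INBOUND
 remark Peer opens the session: local router is the TCP server (destination port 179)
 permit tcp host 10.0.0.2 host 10.0.0.1 eq bgp
 remark Local router opens the session: local router is the TCP client (peer source port 179)
 permit tcp host 10.0.0.2 eq bgp host 10.0.0.1
 evaluate MYREFLECT
 deny ip any any log
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
```

Confirm with `show ip access-lists`: transit sessions show up as temporary entries under MYREFLECT, while the BGP session only ever matches the two static lines in INBOUND.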

> -----Original Message-----
> From: Hafizur Rahman (UK) [mailto:hafizur.rahman@uk.didata.com]
> Sent: Thursday, August 03, 2006 2:57 AM
> To: Brian McGahan; Sami; Magmax
> Cc: David Redfern (AU); ccielab@groupstudy.com
> Subject: RE: reflexive acl's and bgp orf
>
> But BGP on the local router will still work without using the following
> line
>
> permit tcp any eq bgp any
>
> Could any one pls confirm this?
>
> Thanks
>
> hafi
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of Brian McGahan
> Sent: Thu 03/08/2006 00:32
> To: Sami; Magmax
> Cc: David Redfern (AU); ccielab@groupstudy.com
> Subject: RE: reflexive acl's and bgp orf
>
>
>
> If the local device is running BGP then yes. Outbound
> access-lists do not affect locally generated traffic, so BGP will
> not be reflected. You can trick the router into reflecting it by using
> local policy routing, but this is going out of the way to solve a problem
> that shouldn't be that complex. Simply use the two statements you listed,
> TCP source 179 and TCP destination 179, and BGP will be permitted.
> This holds true for any other locally generated traffic as well, OSPF,
> RIP, GRE, etc.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Sami
> > Sent: Wednesday, August 02, 2006 5:23 PM
> > To: Magmax
> > Cc: David Redfern (AU); ccielab@groupstudy.com
> > Subject: Re: reflexive acl's and bgp orf
> >
> > Another question about reflexive access lists
> >
> > permit tcp any any reflect MYREFLECT --> this line allows all the tcp
> > traffic, bgp is also running. Do we need to permit bgp explicitly in the
> > outbound direction or not?
> >
> > permit tcp any any eq bgp
> > permit tcp any eq bgp any
> >
> > Thanks
> > ..
> >
> >
> > On 7/23/06, Magmax <magmax@bigpond.net.au> wrote:
> > >
> > > David,
> > >
> > > It is the same thing mate but you will be permitting traffic other than
> > > TCP, UDP, and ICMP, like EIGRP or ESP
> > >
> > > Please feel free to correct my concept
> > >
> > >
> > > Regards,
> > >
> > > Ubaid
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > David Redfern (AU)
> > > Sent: Sunday, 23 July 2006 7:38 PM
> > > To: ccielab@groupstudy.com
> > > Subject: reflexive acl's and bgp orf
> > >
> > > Hi Guys,
> > >
> > > Just working IEWB lab 15 and just want to brainstorm everyone's
> > > thoughts.
> > >
> > > Couple of questions
> > >
> > >
> > > REFLEXIVE ACCESS LISTS
> > >
> > >
> > > A lot of practice labs which ask for reflexive access-lists have the
> > > following outbound
> > >
> > >
> > > ip access-list extended OUTBOUND
> > > permit tcp any any reflect MYREFLECT
> > > permit udp any any reflect MYREFLECT
> > > permit icmp any any reflect MYREFLECT
> > >
> > >
> > >
> > > Does anyone know if you must use all 3 entries for any reason, or
> > > whether simply the one statement below can be used in its place when
> > > using reflexive access lists?
> > >
> > > ip access-list extended OUTBOUND
> > > permit ip any any reflect MYREFLECT
> > >
> > >
> > > When I use the above I seem to achieve the same result. Any ideas?
> > >
> > >
> > >
> > >
> > > BGP OUTBOUND ROUTE FILTERING
> > >
> > > All documentation suggests the below command must be entered under
> > > address family configuration and not directly under the routing
> > > process. When I do this directly under it, it works. But on some IOS it
> > > is not showing up in the running config.
> > > Verification with sh ip bgp nei shows the route-filter applied.
> > >
> > > Is ipv4 unicast the default and is that why it works?
> > >
> > > Any ideas of best practice?
> > >
> > >
> > > neighbor x.x.x.x capability orf prefix-list send/receive/both



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:55 ART