RE: BGP Reflective ACL

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Mon Oct 02 2006 - 21:03:00 ART


If you deny the BGP session one way (i.e. TCP port "gt" 1024 --> TCP
port 179) it'll normally set up the other way (i.e. TCP port 179 <-- TCP
port "gt" 1024). See below:

ip access-list extended INBOUND
deny tcp host 10.10.10.254 eq 179 host 10.10.10.1 gt 1024
permit tcp host 10.10.10.254 gt 1024 host 10.10.10.1 eq 179

ip access-list extended INBOUND
deny tcp host 10.10.10.254 gt 1024 host 10.10.10.1 eq 179
permit tcp host 10.10.10.254 eq 179 host 10.10.10.1 gt 1024

HTH,
 
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
uyota oyearone
Sent: Monday, October 02, 2006 4:48 PM
To: ccielab@groupstudy.com
Subject: BGP Reflective ACL

Hey guys,

I am really not a security expert, but I am trying to understand the
difference between these two commands; they seem to be doing
the same thing for me:

ip access-list extended INBOUND
permit tcp host 10.10.10.254 eq 179 host 10.10.10.1 gt 1024

AND

ip access-list extended INBOUND
permit tcp host 10.10.10.254 host 10.10.10.1 eq bgp
permit tcp host 10.10.10.254 eq bgp host 10.10.10.1

thanks

Uyota

-- Uyota Oyearone,CCNA,MCDBA,MCSE(Messaging/Security)
IT Consultant (Freelance)
Computer Integrated Solutions
35 Fountainhead rd,Unit 617
Downsview, ON, Canada.
Tel:(416) 3177045, 7414119
uyota@hotmail.com
Network Architecture  Technology Consultants Technical Support  Sales
& Repair
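To make the point in Brian's reply concrete, and to show how Uyota's two ACL variants actually differ, here is a small evaluator for the extended-ACL lines quoted in this thread. It is example code added for illustration, not Cisco IOS and not written by either poster. It assumes 10.10.10.1 is the router applying the INBOUND list, 10.10.10.254 is its BGP peer, and the ephemeral port 11000 is a constructed value above 1024; it handles only the subset of syntax used above (`permit|deny tcp host A [eq|gt|lt N] host B [eq|gt|lt N]`, with the `bgp` keyword for port 179), applies IOS first-match semantics with the implicit deny at the end, and checks which of the two possible BGP session setups each list lets through. A session the peer initiates arrives inbound as peer:ephemeral -> local:179 (the SYN); a session the local router initiates arrives inbound as peer:179 -> local:ephemeral (the SYN-ACK), since the outbound SYN is not inspected by an inbound list.

```python
"""Evaluator for the Cisco-style extended ACL entries quoted in this thread.

Example code added for illustration; not Cisco IOS and not from either poster.
Supports only: permit|deny tcp host A [eq|gt|lt N] host B [eq|gt|lt N].
"""

PORT_NAMES = {"bgp": 179}                    # keyword used in Uyota's second list
LOCAL, PEER = "10.10.10.1", "10.10.10.254"   # addresses from the thread
EPHEMERAL = 11000                            # constructed source port, > 1024

# The four lists from the thread, verbatim.
BRIAN_DENY_LOCAL_INITIATED = """
ip access-list extended INBOUND
deny tcp host 10.10.10.254 eq 179 host 10.10.10.1 gt 1024
permit tcp host 10.10.10.254 gt 1024 host 10.10.10.1 eq 179
"""
BRIAN_DENY_PEER_INITIATED = """
ip access-list extended INBOUND
deny tcp host 10.10.10.254 gt 1024 host 10.10.10.1 eq 179
permit tcp host 10.10.10.254 eq 179 host 10.10.10.1 gt 1024
"""
UYOTA_ONE_LINE = """
ip access-list extended INBOUND
permit tcp host 10.10.10.254 eq 179 host 10.10.10.1 gt 1024
"""
UYOTA_TWO_LINE = """
ip access-list extended INBOUND
permit tcp host 10.10.10.254 host 10.10.10.1 eq bgp
permit tcp host 10.10.10.254 eq bgp host 10.10.10.1
"""


def _port(tok):
    """Translate a port keyword or number the way IOS displays it."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text):
    """Return a list of (action, src, src_match, dst, dst_match) entries.

    A match is ('any', None) when no port qualifier follows the host, else
    (op, port) with op in {'eq', 'gt', 'lt'}.
    """
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAME' header line
        action, proto = tok[0], tok[1]
        if proto != "tcp":
            raise ValueError("only tcp entries are supported in this example")
        i, hosts = 2, []
        for _ in range(2):  # source spec, then destination spec
            if tok[i] != "host":
                raise ValueError("only 'host' address specs are supported")
            addr, i = tok[i + 1], i + 2
            match = ("any", None)
            if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
                match, i = (tok[i], _port(tok[i + 1])), i + 2
            hosts.append((addr, match))
        (src, sm), (dst, dm) = hosts
        entries.append((action, src, sm, dst, dm))
    return entries


def _port_matches(match, port):
    op, value = match
    if op == "any":
        return True
    if op == "eq":
        return port == value
    if op == "gt":
        return port > value
    return port < value


def evaluate(entries, src, sport, dst, dport):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for action, s, sm, d, dm in entries:
        if s == src and d == dst and _port_matches(sm, sport) and _port_matches(dm, dport):
            return action
    return "deny"


def session_directions(acl_text, local=LOCAL, peer=PEER, eph=EPHEMERAL):
    """Which BGP session setups an INBOUND list on `local` admits.

    peer_initiated:  the peer's SYN arrives as peer:eph -> local:179.
    local_initiated: the peer's SYN-ACK arrives as peer:179 -> local:eph.
    """
    entries = parse_acl(acl_text)
    return {
        "peer_initiated": evaluate(entries, peer, eph, local, 179) == "permit",
        "local_initiated": evaluate(entries, peer, 179, local, eph) == "permit",
    }


if __name__ == "__main__":
    for name in ("BRIAN_DENY_LOCAL_INITIATED", "BRIAN_DENY_PEER_INITIATED",
                 "UYOTA_ONE_LINE", "UYOTA_TWO_LINE"):
        print(f"{name:28s} {session_directions(globals()[name])}")
```

Running it shows why Brian's two lists each still let the session come up: each denies exactly one initiation direction and permits the other, so whichever peer wins the connection race through the permitted direction gets a session. It also shows the difference Uyota asked about: the single `eq 179 ... gt 1024` line only admits a session the local router initiates, while the two `eq bgp` lines with no port qualifier on the other side admit both directions (and, unlike the `gt 1024` form, do not restrict the ephemeral end at all). To actually block the peering with an inbound list you would have to deny both directions, which is the point of the reply.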




This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART