From: ian (iyux2000@gmail.com)
Date: Thu Mar 08 2007 - 03:51:33 ART
Digital Yemeni, how are you?!
I personally think that there is no need for "permit tcp any eq bgp any", because the BGP traffic going outbound would be reflected. And the only inbound traffic that BGP needs is "permit tcp any any eq bgp". Am I right?
======= 2007-03-08 13:30:56 What you've mentioned in your letter: =======
>By the way,
>
>ip access-list extended INBOUND
>> permit icmp any any
>> permit tcp any any eq bgp
>> permit tcp any eq bgp any
>> permit tcp any any eq telnet
>> permit tcp any eq telnet any
>> evaluate REF
>
>R2#show ip access-list
>>Extended IP access list INBOUND
>> 10 permit icmp any any
>> 20 permit eigrp any any (8829 matches)
>> 30 permit tcp any any eq bgp
>> 40 permit tcp any any eq telnet (370 matches)
>> 50 permit tcp any eq telnet any
>> 60 evaluate REF
>
>
>The ACL definition and the show command don't tally! I can see the "permit
>tcp any any eq bgp" but where is the "permit tcp any eq bgp any" ??!
>
>Best Regards,
>
>Digital
>------------------------------------------------------------------------------------------------------------------
>
>
>***********************************************************************************
>*.* You'll NEVER succeed as a "CCIE" until you LOVE Cisco MORE than your
>sleep! *.*
>***********************************************************************************
>I've not slept for the past 5 years and I'm expected to be busy for the next
>57 years + The 5 CCIEs preparation adds on that a bit. Therefore, please be
>concise on your email. Thank you!
>
>
>By tr
>
>
>>From: achievewoo@gmail.com
>>Reply-To: achievewoo@gmail.com
>>To: ccielab@groupstudy.com
>>Subject: Reflective access-list over BGP
>>Date: Wed, 7 Mar 2007 20:57:33 -0500
>>
>>Hi, GS
>> Here is a simple topology:
>> R1--vlan 1---R2--vlan2--R3
>> R1 and R3 are BGP peers, but R2 is not.
>> I tried to do a reflexive access-list on R2, permitting the routing protocol (BGP)
>>and ICMP both inbound and outbound. TCP and UDP traffic is only to be permitted
>>from vlan 1 to vlan 2. However, TCP and UDP traffic originating from
>>vlan 2 is not permitted to go to vlan 1.
>> My configuration is as follows.
>>
>>ip access-list extended INBOUND
>> permit icmp any any
>> permit tcp any any eq bgp
>> permit tcp any eq bgp any
>> permit tcp any any eq telnet
>> permit tcp any eq telnet any
>> evaluate REF
>>ip access-list extended OUTBOUND
>> permit icmp any any
>> permit tcp any any reflect REF
>> permit udp any any reflect REF
>>
>>Here is output
>>R2#show ip access-list
>>Extended IP access list INBOUND
>> 10 permit icmp any any
>> 20 permit eigrp any any (8829 matches)
>> 30 permit tcp any any eq bgp
>> 40 permit tcp any any eq telnet (370 matches)
>> 50 permit tcp any eq telnet any
>> 60 evaluate REF
>>Extended IP access list OUTBOUND
>> 10 permit icmp any any
>> 20 permit tcp any any reflect REF (148 matches)
>> 30 permit udp any any reflect REF
>>Reflexive IP access list REF
>> permit tcp host 1.1.1.1 eq bgp host 1.1.5.5 eq 18895 (24 matches) (time left 283)
>>
>>My question is why there is no match on line "30 permit tcp any any eq
>>bgp".
>>Should I put in another line, permit tcp any eq bgp any?
>>Any ideas?
>>
>>Thanks!
>>
>>My question is why there is no match at this list:
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>
>
= = = = = = = = = = = = = = = = = = = =
Have a nice day.
ian
iyux2000@gmail.com
2007-03-08
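The following is a small Python model of how an IOS extended ACL with `reflect` and `evaluate` is walked, added here to illustrate the thread; it is not Cisco code and not something any of the posters wrote. It replays the INBOUND list exactly as `show ip access-list` printed it (with line 20 eigrp and without "permit tcp any eq bgp any"), the OUTBOUND list from the original post, and the topology R1 (1.1.1.1) / R3 (1.1.5.5). The ephemeral port 18895 comes from the reflexive entry in the post; port 20001 and port 8080 are constructed for the illustration. It shows why line 30 stays at zero matches when R3 opens the session (the return traffic is caught by the reflexive entry via `evaluate`), when line 30 does get a hit (R1 opens a session toward port 179), and what a static `permit tcp any eq bgp any` would additionally let through compared with the stateful entry.

```python
"""Toy model of IOS reflexive ACL matching (added illustration, not Cisco code).
It models only what the thread needs: top-down first-match, 'reflect' installing a
mirrored entry in a named reflexive list, and 'evaluate' consulting that list."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "any"
BGP, TELNET = 179, 23


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    """One access-list entry. A port of None means 'any port'."""
    proto: str
    src: str = ANY
    sport: Optional[int] = None
    dst: str = ANY
    dport: Optional[int] = None
    reflect: Optional[str] = None    # 'reflect NAME': install the mirrored flow
    evaluate: Optional[str] = None   # 'evaluate NAME': consult the reflexive list
    matches: int = 0

    def hits(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in (ANY, pkt.src) and self.dst in (ANY, pkt.dst)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def mirror(pkt: Packet) -> Ace:
    """What 'reflect' installs: addresses and ports swapped, i.e. the return flow."""
    return Ace(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def apply_acl(acl: List[Ace], pkt: Packet,
              reflexive: Dict[str, List[Ace]]) -> Optional[int]:
    """Return the sequence number of the ACE that permitted pkt, or None for the
    implicit deny at the end. Hits through 'evaluate' are counted on the reflexive
    entry, not on the evaluate line, which is how 'show ip access-list' reports them."""
    for seq, ace in enumerate(acl, start=1):
        seq *= 10
        if ace.evaluate is not None:
            for entry in reflexive.get(ace.evaluate, []):
                if entry.hits(pkt):
                    entry.matches += 1
                    return seq
            continue
        if ace.hits(pkt):
            ace.matches += 1
            if ace.reflect is not None:
                entries = reflexive.setdefault(ace.reflect, [])
                new = mirror(pkt)
                if all(e.flow() != new.flow() for e in entries):
                    entries.append(new)
            return seq
    return None


def run_scenario() -> Dict[str, Optional[int]]:
    """R1 (1.1.1.1) on vlan 1, R3 (1.1.5.5) on vlan 2, R2 filtering in between
    with INBOUND as 'show ip access-list' printed it and OUTBOUND as configured."""
    inbound = [Ace("icmp"), Ace("eigrp"), Ace("tcp", dport=BGP),
               Ace("tcp", dport=TELNET), Ace("tcp", sport=TELNET),
               Ace("ip", evaluate="REF")]
    outbound = [Ace("icmp"), Ace("tcp", reflect="REF"), Ace("udp", reflect="REF")]
    ref: Dict[str, List[Ace]] = {}
    r1, r3 = "1.1.1.1", "1.1.5.5"
    out: Dict[str, Optional[int]] = {}

    # Session 1: R3 opens BGP toward R1 (the flow behind the reflexive entry in the post).
    out["syn_r3_to_r1"] = apply_acl(outbound, Packet("tcp", r3, 18895, r1, BGP), ref)
    out["synack_r1_to_r3"] = apply_acl(inbound, Packet("tcp", r1, BGP, r3, 18895), ref)
    out["line30_after_session1"] = inbound[2].matches   # stays 0, as in the post

    # Session 2: R1 opens BGP toward R3; only now does static line 30 get a hit.
    out["syn_r1_to_r3"] = apply_acl(inbound, Packet("tcp", r1, 20001, r3, BGP), ref)

    # A packet sourced from port 179 with no matching session (constructed port 8080):
    # no static line and no reflexive entry match it, so the implicit deny drops it...
    stray = Packet("tcp", r1, BGP, r3, 8080)
    out["stray_sport179"] = apply_acl(inbound, stray, ref)
    # ...whereas a static 'permit tcp any eq bgp any' would pass it on source port alone.
    with_static = inbound[:3] + [Ace("tcp", sport=BGP)] + inbound[3:]
    out["stray_sport179_with_static"] = apply_acl(with_static, stray, ref)
    out["reflexive_entries"] = len(ref["REF"])
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model backs ian's reading: with `evaluate REF` at the end of INBOUND, the replies to any TCP session that R2 saw go out are admitted by the per-flow reflexive entry, so a static `permit tcp any eq bgp any` adds nothing for those sessions. What the static line does add is a permit for any packet whose source port happens to be 179, regardless of whether a session exists, which is why the stateful entry is the tighter choice.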
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:50 ART