From: Digital Yemeni (digital-yemeni@hotmail.com)
Date: Thu Mar 08 2007 - 06:06:11 ART
I think you're mistaken!
OK! It works this way,
When BGP is initiated from one router, it becomes the client so just look at
the source port which is randomly assigned and the destination port (tcp
port 179 in this case) which is the BGP port of the far end router (in this
case, the server per se!!) So, you would need to flip the scenario also
because the server may become the client (maybe because of disconnection or
so) and the client may end up as the server! That's it ;-) easy right?!
Best Regards,
Digital
------------------------------------------------------------------------------------------------------------------
***********************************************************************************
*.* You'll NEVER succeed as a "CCIE" until you LOVE Cisco MORE than your
sleep! *.*
***********************************************************************************
I've not slept for the past 5 years and I'm expected to be busy for the next
57 years + The 5 CCIEs preparation adds on that a bit. Therefore, please be
concise on your email. Thank you!
>From: "ian" <iyux2000@gmail.com>
>Reply-To: "ian" <iyux2000@gmail.com>
>To: "Digital Yemeni" <digital-yemeni@hotmail.com>, "achievewoo"
><achievewoo@gmail.com>, "ccielab" <ccielab@groupstudy.com>
>Subject: Re: RE: Reflective access-list over BGP
>Date: Thu, 8 Mar 2007 17:51:33 +1100
>
>Digital Yemeni, how are you!
>
> I personally think that there is no need for "permit tcp any eq bgp
>any". Because the BGP traffic going outside would be reflected. And
>the only inbound traffic that BGP needs is "permit tcp any any eq bgp". Am
>I right?
>
>
>======= 2007-03-08 13:30:56 What you've mentioned in your letter:=======
>
> >By the way,
> >
> >ip access-list extended INBOUND
> >> permit icmp any any
> >> permit tcp any any eq bgp
> >> permit tcp any eq bgp any
> >> permit tcp any any eq telnet
> >> permit tcp any eq telnet any
> >> evaluate REF
> >
> >R2#show ip access-list
> >>Extended IP access list INBOUND
> >> 10 permit icmp any any
> >> 20 permit eigrp any any (8829 matches)
> >> 30 permit tcp any any eq bgp
> >> 40 permit tcp any any eq telnet (370 matches)
> >> 50 permit tcp any eq telnet any
> >> 60 evaluate REF
> >
> >
> >The ACL definition and the show command don't tally! I can see the "permit
> >tcp any any eq bgp" but where is the "permit tcp any eq bgp any" ??!
> >
> >Best Regards,
> >
> >Digital
> >------------------------------------------------------------------------------------------------------------------
> >
> >
> >***********************************************************************************
> >*.* You'll NEVER succeed as a "CCIE" until you LOVE Cisco MORE than your
> >sleep! *.*
> >***********************************************************************************
> >I've not slept for the past 5 years and I'm expected to be busy for the next
> >57 years + The 5 CCIEs preparation adds on that a bit. Therefore, please be
> >concise on your email. Thank you!
> >
> >
> >By tr
> >
> >
> >>From: achievewoo@gmail.com
> >>Reply-To: achievewoo@gmail.com
> >>To: ccielab@groupstudy.com
> >>Subject: Reflective access-list over BGP
> >>Date: Wed, 7 Mar 2007 20:57:33 -0500
> >>
> >>Hi, GS
> >> Here is a simple topology
> >> R1--vlan 1---R2--vlan2--R3
> >> R1 and R3 are BGP peers, but R2 is not.
> >> I tried to do a reflexive access-list on R2, permitting the routing
> >>protocol (BGP) and ICMP both inbound and outbound. TCP and UDP traffic is only
> >>permitted from vlan 1 to vlan 2. However, TCP and UDP traffic which originates
> >>from vlan 2 is not permitted to go to vlan 1.
> >> My configuration is as follows.
> >>
> >>ip access-list extended INBOUND
> >> permit icmp any any
> >> permit tcp any any eq bgp
> >> permit tcp any eq bgp any
> >> permit tcp any any eq telnet
> >> permit tcp any eq telnet any
> >> evaluate REF
> >>ip access-list extended OUTBOUND
> >> permit icmp any any
> >> permit tcp any any reflect REF
> >> permit udp any any reflect REF
> >>
> >>Here is output
> >>R2#show ip access-list
> >>Extended IP access list INBOUND
> >> 10 permit icmp any any
> >> 20 permit eigrp any any (8829 matches)
> >> 30 permit tcp any any eq bgp
> >> 40 permit tcp any any eq telnet (370 matches)
> >> 50 permit tcp any eq telnet any
> >> 60 evaluate REF
> >>Extended IP access list OUTBOUND
> >> 10 permit icmp any any
> >> 20 permit tcp any any reflect REF (148 matches)
> >> 30 permit udp any any reflect REF
> >>Reflexive IP access list REF
> >> permit tcp host 1.1.1.1 eq bgp host 1.1.5.5 eq 18895 (24 matches)
> >>(time left 283)
> >>
> >>My question is why there is no match at list "30 permit tcp any any eq
> >>bgp"
> >>Should I put another list permit tcp any eq bgp any ?
> >>Any ideas?
> >>
> >>Thanks!
> >>
> >>My question is why there is no match at this list:
> >>
> >>_______________________________________________________________________
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>Have a nice day.
>
>ian
>iyux2000@gmail.com
>2007-03-08
>
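The client/server point made above (either BGP speaker may own the ephemeral port, so the static inbound rule must allow both `eq bgp` as destination and as source) can be checked with a toy model of how a reflexive ACL is built and consulted. This is an added illustration, not IOS code and not part of the thread: it models only protocol, host/any addresses and `eq` port matches, uses the addresses and port from the posted `show ip access-list` output, and assumes 1.1.5.5 sits on the side whose traffic leaves R2 through OUTBOUND (the placement implied by the reflexive entry in that output). The EIGRP line and the sequence number 35 are constructed.

```python
"""Toy model of extended + reflexive ACL matching for the thread's BGP case.
Added illustration, not IOS code: only protocol, host/any addresses and 'eq'
port matches are modelled; sequence numbers and host placement are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BGP = 179
PORT_NAMES = {179: "bgp", 23: "telnet"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass
class Entry:
    seq: int
    proto: str                      # 'tcp', 'udp', 'icmp' or 'ip'
    src: Optional[str] = None       # None means 'any'
    sport: Optional[int] = None     # None means any source port
    dst: Optional[str] = None
    dport: Optional[int] = None
    reflect: Optional[str] = None   # outbound: add a mirrored entry to this reflexive list
    evaluate: Optional[str] = None  # inbound: consult this reflexive list at this point
    matches: int = 0

    def hits(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in (None, p.src) and self.sport in (None, p.sport)
                and self.dst in (None, p.dst) and self.dport in (None, p.dport))

    def text(self) -> str:
        def host(a): return "any" if a is None else f"host {a}"
        def port(n): return "" if n is None else f" eq {PORT_NAMES.get(n, n)}"
        return (f"permit {self.proto} {host(self.src)}{port(self.sport)} "
                f"{host(self.dst)}{port(self.dport)}")


Reflexive = Dict[str, List[Entry]]   # reflexive lists are shared by both ACLs


def apply(acl: List[Entry], ref: Reflexive, p: Packet) -> str:
    """First-match evaluation; returns which line (or reflexive entry) permitted p."""
    for e in acl:
        if e.evaluate is not None:
            for r in ref.get(e.evaluate, []):
                if r.hits(p):
                    r.matches += 1
                    return f"{e.evaluate}: {r.text()}"
            continue                             # 'evaluate' with no hit falls through
        if e.hits(p):
            e.matches += 1
            if e.reflect is not None:            # mirror addresses and ports of the flow
                mirrored = Entry(0, p.proto, p.dst, p.dport, p.src, p.sport)
                lst = ref.setdefault(e.reflect, [])
                if not any(x.text() == mirrored.text() for x in lst):
                    lst.append(mirrored)
            return f"seq {e.seq}"
    return "implicit deny"


def inbound_acl(with_reverse_bgp_line: bool, keep_seq30: bool = True) -> List[Entry]:
    acl = [Entry(10, "icmp")]
    if keep_seq30:
        acl.append(Entry(30, "tcp", dport=BGP))          # permit tcp any any eq bgp
    if with_reverse_bgp_line:                            # the line absent from the show output
        acl.append(Entry(35, "tcp", sport=BGP))          # permit tcp any eq bgp any (seq constructed)
    acl += [Entry(40, "tcp", dport=23),                  # telnet lines as posted
            Entry(50, "tcp", sport=23),
            Entry(60, "ip", evaluate="REF")]             # evaluate REF
    return acl


def outbound_acl() -> List[Entry]:
    return [Entry(10, "icmp"),
            Entry(20, "tcp", reflect="REF"),             # permit tcp any any reflect REF
            Entry(30, "udp", reflect="REF")]


def bgp_session(remote_initiates: bool, with_reverse_bgp_line: bool,
                keep_seq30: bool = True) -> List[Tuple[str, str]]:
    """Push a BGP three-way handshake through R2 and record which line each segment hit."""
    local, remote, eph = "1.1.5.5", "1.1.1.1", 18895    # values from the show output
    inb, outb, ref = inbound_acl(with_reverse_bgp_line, keep_seq30), outbound_acl(), {}
    if remote_initiates:                                 # far side is the TCP client
        syn = Packet("tcp", remote, eph, local, BGP)
        synack = Packet("tcp", local, BGP, remote, eph)
        return [("inbound SYN", apply(inb, ref, syn)),
                ("outbound SYN-ACK", apply(outb, ref, synack)),
                ("inbound ACK", apply(inb, ref, syn))]
    syn = Packet("tcp", local, eph, remote, BGP)         # local side is the TCP client
    synack = Packet("tcp", remote, BGP, local, eph)
    return [("outbound SYN", apply(outb, ref, syn)),
            ("inbound SYN-ACK", apply(inb, ref, synack)),
            ("outbound ACK", apply(outb, ref, syn))]


if __name__ == "__main__":
    for remote, reverse in [(False, False), (False, True), (True, False)]:
        print(f"remote_initiates={remote} reverse_line={reverse}")
        for step, hit in bgp_session(remote, reverse):
            print(f"  {step:18} -> {hit}")
```

With the session opened from the OUTBOUND side, the returning SYN-ACK carries source port 179 and an ephemeral destination port, so it never touches `30 permit tcp any any eq bgp` and is admitted only by `evaluate REF`, which is why line 30 shows no matches while the reflexive entry does. Adding `permit tcp any eq bgp any` makes that segment hit the static line instead. With the session opened from the far side, the inbound SYN arrives before any reflexive entry exists and survives only because of line 30; dropping that line leaves the implicit deny.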
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:50 ART