From: ian (iyux2000@gmail.com)
Date: Thu Mar 08 2007 - 08:20:47 ART
Digital Yemeni, how are you!
OK, let's assume it this way.
1. If R1 initializes the BGP connection, the return traffic will be reflected without using any specific access-list entry.
2. If R3 initializes the BGP connection, only one access-list is needed; the return traffic will also be allowed by R2.
Therefore, only one access-list is needed in the inbound direction of R2.
Any more comments?
======= 2007-03-08 20:07:04 What you've mentioned in your letter:=======
>I think you're mistaken!
>
>OK! It works this way,
>When BGP is initiated from one router, it becomes the client so just look at
>the source port which is randomly assigned and the destination port (tcp
>port 179 in this case) which is the BGP port of the far end router (in this
>case, the server per se!!) So, you would need to flip the scenario also
>because the server may become the client (maybe because of disconnection or
>so) and the client may end up as the server! That's it ;-) easy right?!
>
>
>
>
>Best Regards,
>
>Digital
>------------------------------------------------------------------------------------------------------------------
>
>
>***********************************************************************************
>*.* You'll NEVER succeed as a "CCIE" until you LOVE Cisco MORE than your
>sleep! *.*
>***********************************************************************************
>I've not slept for the past 5 years and I'm expected to be busy for the next
>57 years + The 5 CCIEs preparation adds on that a bit. Therefore, please be
>concise on your email. Thank you!
>
>
>
>
>
>>From: "ian" <iyux2000@gmail.com>
>>Reply-To: "ian" <iyux2000@gmail.com>
>>To: "Digital Yemeni" <digital-yemeni@hotmail.com>, "achievewoo"
>><achievewoo@gmail.com>, "ccielab" <ccielab@groupstudy.com>
>>Subject: Re: RE: Reflective access-list over BGP
>>Date: Thu, 8 Mar 2007 17:51:33 +1100
>>
>>Digital Yemeni, how are you!
>>
>> I personally think that there is no need for "permit tcp any eq bgp
>>any", because the BGP traffic that is going outside would be reflected. And
>>the only inbound traffic that BGP needs is "permit tcp any any eq bgp". Am
>>I right?
>>
>>
>>======= 2007-03-08 13:30:56 What you've mentioned in your letter:=======
>>
>> >By the way,
>> >
>> >ip access-list extended INBOUND
>> >> permit icmp any any
>> >> permit tcp any any eq bgp
>> >> permit tcp any eq bgp any
>> >> permit tcp any any eq telnet
>> >> permit tcp any eq telnet any
>> >> evaluate REF
>> >
>> >R2#show ip access-list
>> >>Extended IP access list INBOUND
>> >> 10 permit icmp any any
>> >> 20 permit eigrp any any (8829 matches)
>> >> 30 permit tcp any any eq bgp
>> >> 40 permit tcp any any eq telnet (370 matches)
>> >> 50 permit tcp any eq telnet any
>> >> 60 evaluate REF
>> >
>> >
>> >The ACL definition and the show command don't tally! I can see the "permit
>> >tcp any any eq bgp" but where is the "permit tcp any eq bgp any" ??!
>> >
>> >Best Regards,
>> >
>> >Digital
>> >By tr
>> >
>> >
>> >>From: achievewoo@gmail.com
>> >>Reply-To: achievewoo@gmail.com
>> >>To: ccielab@groupstudy.com
>> >>Subject: Reflective access-list over BGP
>> >>Date: Wed, 7 Mar 2007 20:57:33 -0500
>> >>
>> >>Hi, GS
>> >> Here is a simple topology:
>> >> R1--vlan 1---R2--vlan2--R3
>> >> R1 and R3 are BGP peers, but R2 is not.
>> >> I tried to do a reflective access-list on R2, permitting the routing
>> >>protocol (BGP) and ICMP both inbound and outbound. TCP and UDP traffic
>> >>should only be permitted from vlan 1 to vlan 2. However, TCP and UDP
>> >>traffic which originates from vlan 2 is not permitted to go to vlan 1.
>> >> My configuration is as follows.
>> >>
>> >>ip access-list extended INBOUND
>> >> permit icmp any any
>> >> permit tcp any any eq bgp
>> >> permit tcp any eq bgp any
>> >> permit tcp any any eq telnet
>> >> permit tcp any eq telnet any
>> >> evaluate REF
>> >>ip access-list extended OUTBOUND
>> >> permit icmp any any
>> >> permit tcp any any reflect REF
>> >> permit udp any any reflect REF
>> >>
>> >>Here is output
>> >>R2#show ip access-list
>> >>Extended IP access list INBOUND
>> >> 10 permit icmp any any
>> >> 20 permit eigrp any any (8829 matches)
>> >> 30 permit tcp any any eq bgp
>> >> 40 permit tcp any any eq telnet (370 matches)
>> >> 50 permit tcp any eq telnet any
>> >> 60 evaluate REF
>> >>Extended IP access list OUTBOUND
>> >> 10 permit icmp any any
>> >> 20 permit tcp any any reflect REF (148 matches)
>> >> 30 permit udp any any reflect REF
>> >>Reflexive IP access list REF
>> >> permit tcp host 1.1.1.1 eq bgp host 1.1.5.5 eq 18895 (24 matches) (time left 283)
>> >>
>> >>My question is why there is no match on list "30 permit tcp any any eq
>> >>bgp".
>> >>Should I put another list "permit tcp any eq bgp any"?
>> >>Any ideas?
>> >>
>> >>Thanks!
>> >>
>> >>_______________________________________________________________________
>> >>Subscription information may be found at:
>> >>http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>>= = = = = = = = = = = = = = = = = = = =
>>Have a nice day.
>>ian
>>iyux2000@gmail.com
>>2007-03-08
>>
>
= = = = = = = = = = = = = = = = = = = =
Have a nice day.
ian
iyux2000@gmail.com
2007-03-08
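Added example (not code from the thread or from anyone on it): a small first-match simulator of the reflect/evaluate behaviour discussed above, replaying the R1--R2--R3 BGP session from both ends. It assumes R1 = 1.1.5.5 on the OUTBOUND side and R3 = 1.1.1.1 on the INBOUND side, as the posted REF entry implies, and simplifies IOS semantics (no timers, no TCP flag tracking). It also shows why the static "permit tcp any eq bgp any" line is more than redundant: it admits any unsolicited inbound packet whose source port happens to be 179, which the reflexive entry alone does not.

```python
from dataclasses import dataclass, field
from typing import Optional

BGP = 179
R1, R3 = "1.1.5.5", "1.1.1.1"  # assumed from the posted REF entry (vlan1 / vlan2 side)

@dataclass(frozen=True)
class Entry:
    """One ACL line; reflect mirrors matching packets into REF, evaluate consults REF here."""
    label: str
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    reflect: bool = False
    evaluate: bool = False
    def matches(self, src, sport, dst, dport):
        return (self.src in ("any", src) and self.sport in (None, sport)
                and self.dst in ("any", dst) and self.dport in (None, dport))

@dataclass
class R2:
    inbound: list
    outbound: list
    ref: list = field(default_factory=list)  # the dynamic "Reflexive IP access list REF"
    def packet(self, direction, src, sport, dst, dport):
        """First-match evaluation; returns the label of the entry that permitted it."""
        acl = self.outbound if direction == "out" else self.inbound
        for e in acl:
            for c in (self.ref if e.evaluate else [e]):
                if c.matches(src, sport, dst, dport):
                    if c.reflect:  # IOS installs the mirrored 4-tuple, ports swapped
                        self.ref.append(Entry(f"REF {dst}:{dport}->{src}:{sport}",
                                              dst, dport, src, sport))
                    return c.label
        return "implicit deny"

def build(static_bgp_return):
    """R2's ACLs as posted; the disputed 'permit tcp any eq bgp any' line is optional."""
    inbound = [Entry("30 permit tcp any any eq bgp", dport=BGP)]
    if static_bgp_return:
        inbound.append(Entry("permit tcp any eq bgp any", sport=BGP))
    inbound.append(Entry("60 evaluate REF", evaluate=True))
    return R2(inbound, [Entry("20 permit tcp any any reflect REF", reflect=True)])

def session(fw, initiator, eph=18895):
    """Replay the BGP SYN and its reply through R2 (R1 is on the OUTBOUND side)."""
    if initiator == R1:
        return fw.packet("out", R1, eph, R3, BGP), fw.packet("in", R3, BGP, R1, eph)
    return fw.packet("in", R3, eph, R1, BGP), fw.packet("out", R1, BGP, R3, eph)
```

With build(False), session(fw, R1) lets the reply in through the REF entry and session(fw, R3) lets the SYN in through line 30, so both of ian's cases work with a single static inbound line.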
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:50 ART