Re: Reflective access-list over BGP

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sun Mar 25 2007 - 11:20:00 ART

• Next message: Serdar Kut: "Re: About CAR and time-range"
• Previous message: Kian Wah Lai: "Re: 1st attempt CCIE R/S - Got my number !"
• Maybe in reply to: achievewoo@gmail.com: "Reflective access-list over BGP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Sir,

It is going thru eveluate REFF, I would see it if you use: permit tcp any eq
bgp any ,

Regards

----- Original Message -----
From: <achievewoo@gmail.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, March 07, 2007 8:57 PM
Subject: Reflective access-list over BGP

> Hi, GS
> Here is simply topolog
> R1--vlan 1---R2--vlan2--R3
> R1 and R3 are BGP peers, but R2 is not.
> I tried to do reflective access-list on R2, permit Routing Prtocol(BGP)
> and ICMP both inbound and outbound. TCP and UDP traffic only be permitted
> from vlan1 to vlan 2. However, TCP and UDP traffice which original from
> vlan 2 are not permit go to vlan 1.
> My configuration as follows.
>
> ip access-list extended INBOUND
> permit icmp any any
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit tcp any any eq telnet
> permit tcp any eq telnet any
> evaluate REF
> ip access-list extended OUTBOUND
> permit icmp any any
> permit tcp any any reflect REF
> permit udp any any reflect REF
>
> Here is output
> R2#show ip access-list
> Extended IP access list INBOUND
> 10 permit icmp any any
> 20 permit eigrp any any (8829 matches)
> 30 permit tcp any any eq bgp
> 40 permit tcp any any eq telnet (370 matches)
> 50 permit tcp any eq telnet any
> 60 evaluate REF
> Extended IP access list OUTBOUND
> 10 permit icmp any any
> 20 permit tcp any any reflect REF (148 matches)
> 30 permit udp any any reflect REF
> Reflexive IP access list REF
> permit tcp host 1.1.1.1 eq bgp host 1.1.5.5 eq 18895 (24 matches)
> (time left 283)
>
> My question is why there is no match at list "30 permit tcp any any eq
> bgp"
> Should I put another list permit tcp any eq bgp any ?
> Any ideas?
>
> Thanks!
>
> My question is why there is no match at this list:
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Serdar Kut: "Re: About CAR and time-range"
• Previous message: Kian Wah Lai: "Re: 1st attempt CCIE R/S - Got my number !"
• Maybe in reply to: achievewoo@gmail.com: "Reflective access-list over BGP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:52 ART