RE: Security: access-list inbound with BGP sourced from

From: Joseph Brunner (joe@affirmedsystems.com)
Date: Mon Sep 24 2007 - 18:48:22 ART


The traffic is now moved one hop away from the outgoing interface, so it's
the same as ip local policy when we set up router generated traffic to get
reflected in a reflexive ACL, so it can be allowed back in.

Therefore the router generated traffic rule does not apply!

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph Saad
Sent: Monday, September 24, 2007 5:33 PM
To: Cisco certification
Subject: Security: access-list inbound with BGP sourced from Loopback

I have trouble understanding the following regarding access-list behavior.

I have eBGP Neighbors connected via their respective Lo0
R4 --- R5

on R4, I have the following access-list
permit tcp host 150.1.4.4 host 150.1.5.5 eq bgp log-input (4 matches)
permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 log-input (84 matches)

R4
router bgp 1
 no synchronization
 neighbor 150.1.5.5 remote-as 2
 neighbor 150.1.5.5 ebgp-multihop 255
 neighbor 150.1.5.5 update-source Loopback0

R5
router bgp 2
 no synchronization
 neighbor 150.1.4.4 remote-as 1
 neighbor 150.1.4.4 ebgp-multihop 255
 neighbor 150.1.4.4 update-source Loopback0
 neighbor 150.1.4.4 default-originate
 no auto-summary

The list is applied on the interface between R4 and R5 inbound.

My question is: Why is traffic that's generated by R4 itself, sourced from Lo0,
hitting the inbound access-list before it reaches R5?
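An added illustration, not code from either poster or from Cisco: a small Python evaluator for the two IOS-style entries quoted above. It parses `permit tcp host A [eq bgp] host B [eq bgp]` lines, applies them to constructed packets in the inbound direction with first-match semantics and the implicit deny, and keeps a per-entry hit counter in the spirit of `log-input (N matches)`. The loopback addresses and port 179 are from the thread; the packets, the ephemeral port numbers and the `evaluate`/`parse_ace` names are assumptions made for the example.

```python
"""Evaluate IOS-style extended ACL entries against constructed BGP packets.

Added example, not Cisco code. Supports the subset of syntax used in the thread:
  permit|deny tcp host <A>|any [eq <port>] host <B>|any [eq <port>] [log-input]
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bgp": 179, "ssh": 22, "telnet": 23, "www": 80}


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    log: bool = False
    matches: int = 0  # mirrors the "(N matches)" counter shown by the router


def _parse_addr(tokens, i):
    """Consume 'host <addr>' or 'any' starting at tokens[i]."""
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    if tokens[i] == "any":
        return "any", i + 1
    raise ValueError(f"unsupported address form: {' '.join(tokens[i:])}")


def _parse_port(tokens, i):
    """Consume an optional 'eq <name|number>' qualifier starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) or int(name), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported entry: {line}")
    src, i = _parse_addr(tokens, 2)
    src_port, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dst_port, i = _parse_port(tokens, i)
    return Ace(action, proto, src, src_port, dst, dst_port, log="log-input" in tokens[i:])


def _addr_ok(pattern, addr):
    return pattern == "any" or pattern == addr


def _port_ok(pattern, port):
    return pattern is None or pattern == port


def evaluate(acl, pkt) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if (_addr_ok(ace.src, pkt["src"]) and _port_ok(ace.src_port, pkt["sport"])
                and _addr_ok(ace.dst, pkt["dst"]) and _port_ok(ace.dst_port, pkt["dport"])):
            ace.matches += 1
            return ace.action
    return "deny"


def bgp_session_counts():
    """Run constructed packets through the thread's two entries and report hits per entry."""
    acl = [
        parse_ace("permit tcp host 150.1.4.4 host 150.1.5.5 eq bgp log-input"),
        parse_ace("permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 log-input"),
    ]
    # Constructed packets as seen inbound on R4's interface (ephemeral ports are invented).
    packets = [
        {"src": "150.1.5.5", "sport": 179, "dst": "150.1.4.4", "dport": 41000},   # R5 replies to R4's session
        {"src": "150.1.5.5", "sport": 179, "dst": "150.1.4.4", "dport": 41000},
        {"src": "150.1.4.4", "sport": 52000, "dst": "150.1.5.5", "dport": 179},   # R4 -> R5 direction
        {"src": "150.1.5.5", "sport": 23, "dst": "150.1.4.4", "dport": 52001},    # telnet, not permitted
    ]
    verdicts = [evaluate(acl, p) for p in packets]
    return {"line1": acl[0].matches, "line2": acl[1].matches, "verdicts": verdicts}


if __name__ == "__main__":
    print(bgp_session_counts())
```

The two entries differ only in which side carries `eq bgp`: the first matches packets whose destination port is 179, the second packets whose source port is 179. Which entry a given packet hits therefore depends on which router opened the TCP session, not on which router's loopback is "local".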


