From: Joseph Brunner (joe@affirmedsystems.com)
Date: Wed Oct 10 2007 - 08:58:57 ART
No, I just wanted to see the effect of forcing all locally generated routing
protocols to be reflected.
I was sharing the fact that RIP just worked once it was forced to be reflected
(by the local policy routing), even WITHOUT a permit back in line before the
"EVALUATE".
BGP is too smart for that, LOL. It needed one more tweak, ebgp-multihop, to
jump off the loopback and out to BB1.
Something to keep in mind...
I'm doing it with CBAC too.
-Joe
-----Original Message-----
From: Patrick Galligan [mailto:pgalligan@gmail.com]
Sent: Wednesday, October 10, 2007 7:29 AM
To: Joseph Brunner
Cc: Cisco certification
Subject: Re: Routing protocols with Reflexive Acls
On 10/10/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
>
> - I wanted to start a discussion regarding handling routing protocols when
> using reflexive ACLs and CBAC
>
I would think CBAC would be a lot simpler. Through any stateful
firewall you just inspect outbound TCP traffic (all or specific,
depending on your security policy) and don't need to specifically
allow inbound from the 'outside' BGP peer. The session can only be
established by the 'inside' BGP router, but it hasn't been an issue on
any that I've configured.
"Task 7.2 Configure a traffic inspection policy on R6's G0/1 interface that
only permits return traffic that was originated within the network.
Any routing protocols previously configured must work after this
policy is applied.
If access-lists are used do not explicitly permit any routing protocol."
Was there any restriction on allowing all TCP? Would that have been simpler
than the method you used?
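Putting the two posts above into configuration, as an added example that is not part of the thread: a reflexive ACL on R6's outside interface G0/1 with no explicit permit for BGP inbound, local policy routing so R6's own BGP packets are pushed through the outbound ACL and reflected (router-generated traffic is otherwise not subject to an outbound access-group, so no reflexive entry is ever created for it), and the ebgp-multihop Joe mentions for a session sourced from a loopback. R6, G0/1 and BB1 come from the task text; every address, AS number, ACL name, route-map name and timer below is assumed for illustration.

```cisco
! Added example, not from the original thread. Addresses, AS numbers
! and names are assumed; only R6, G0/1 and BB1 come from the task text.
!
! Outbound on G0/1: everything the inside originates gets mirrored
! into the reflexive list REFLECT.
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT timeout 300
 permit udp any any reflect REFLECT timeout 300
 permit icmp any any reflect REFLECT timeout 300
!
! Inbound on G0/1: only return traffic, via evaluate. There is no
! "permit tcp any eq bgp" line here, as the task forbids it.
ip access-list extended INBOUND
 evaluate REFLECT
 deny ip any any log
!
interface GigabitEthernet0/1
 ip address 10.1.16.6 255.255.255.0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Packets R6 itself generates are not run through an outbound
! access-group, so nothing sourced by R6 would be reflected. Local
! policy routing forces that traffic through the normal forwarding
! path (and thus OUTBOUND), which is the trick Joe refers to.
! Assumed: BB1 is reachable as 10.1.16.1 on G0/1.
ip access-list extended LOCAL-SOURCED
 permit ip host 10.1.16.6 any
 permit ip host 6.6.6.6 any
!
route-map LOCAL-PBR permit 10
 match ip address LOCAL-SOURCED
 set ip next-hop 10.1.16.1
!
ip local policy route-map LOCAL-PBR
!
! BGP to BB1 sourced from Loopback0. An eBGP session sent from a
! loopback needs ebgp-multihop, otherwise the TTL of 1 never gets
! the SYN off R6 to BB1. The multihop value is assumed.
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
router bgp 65006
 neighbor 10.1.16.1 remote-as 65001
 neighbor 10.1.16.1 update-source Loopback0
 neighbor 10.1.16.1 ebgp-multihop 2
```

Once the session is up, `show ip access-lists REFLECT` should show a dynamic entry for tcp from host 10.1.16.1 eq bgp back to host 6.6.6.6 on R6's ephemeral port; that is the only thing letting BB1's packets in, which is also why, as Patrick notes, the session can only ever be established from R6's side. A SYN from BB1 hits the deny and is logged until R6 retries and opens the entry.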
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:13 ART