Re: access-list

From: Matt Bentley (mattdbentley@gmail.com)
Date: Thu May 15 2008 - 22:12:47 ART


Hello:

I had trouble with this one for a long time too. Source versus destination
is exactly correct, but to elaborate...

R1 (TCP Port 179) ---------------------------R2 (TCP Port 179)
The first statement (permit tcp any eq bgp any) would match BGP traffic
going from R1 to R2
The second statement (permit tcp any any eq bgp) would match BGP traffic
going from R2 to R1.

BGP is a little funny in this way - the sender sources traffic from TCP port
179 - but the destination port is random.
This is why whenever you're allowing BGP through an ACL you have to do both
statements, instead of a single one
as in RIP/OSPF/EIGRP (i.e. permit udp any any eq rip)

HTH

Matt Bentley

On Thu, May 15, 2008 at 9:03 PM, Scott Morris <smorris@ipexpert.com> wrote:

> Source vs. destination
>
>
> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1013358
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
> #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> VP - Technical Training - IPexpert, Inc.
> IPexpert Sr. Technical Instructor
>
> smorris@ipexpert.com
>
>
>
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> http://www.ipexpert.com
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccieking@gmail.com
> Sent: Thursday, May 15, 2008 7:01 PM
> To: ccielab@groupstudy.com
> Subject: access-list
>
> Hi experts
>
> what is the difference between these two access-list
>
> permit tcp any any eq bgp
> permit tcp any eq bgp any
>
> can anyone explain me?
>
> regards
> Richard
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
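
Added example (not part of the original thread): a small Python matcher that runs the two entries from the question against both directions of one BGP TCP session. The router names R1/R2 come from the diagram above; the ephemeral port 41000 and the helper names are constructed for illustration. The router that opens the session connects from an ephemeral source port to TCP 179, so which entry matches inbound depends on which side opened it.

```python
from dataclasses import dataclass

BGP = 179

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# The two entries from the thread as (text, source-port match, destination-port match).
# None means "any port". Addresses are "any" in both entries, so only ports are compared.
ACL = [
    ("permit tcp any any eq bgp", None, BGP),
    ("permit tcp any eq bgp any", BGP, None),
]

def match(pkt, acl=ACL):
    """Return the first entry that permits pkt, or the implicit deny at the end of the list."""
    for text, sport, dport in acl:
        if sport in (None, pkt.sport) and dport in (None, pkt.dport):
            return text
    return "deny (implicit)"

def session(opener, listener, ephemeral=41000):
    """Both directions of one TCP session: the opener uses an ephemeral source port
    (constructed value), the listener answers from port 179."""
    return (Packet(opener, ephemeral, listener, BGP),
            Packet(listener, BGP, opener, ephemeral))

def inbound_matches(local, peer):
    """Entry hit by packets arriving at `local` from `peer`, for each side opening the session."""
    hits = {}
    for opener, listener in ((local, peer), (peer, local)):
        for pkt in session(opener, listener):
            if pkt.dst == local:
                hits[f"{opener} opens"] = match(pkt)
    return hits

if __name__ == "__main__":
    for who, entry in inbound_matches("R1", "R2").items():
        print(f"inbound on R1, {who}: {entry}")
    # Non-BGP traffic (constructed Telnet packet) falls through to the implicit deny.
    print(match(Packet("R2", 41000, "R1", 23)))
```

With only one of the two entries in the list, the session still comes up when one particular router opens it and fails when the other does, which is why a filter missing an entry can go unnoticed until the peers restart in a different order.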



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:16 ART