My understanding is that within the BGP peering relationship, the
neighbor with the highest IP address will initially attempt to connect to
the neighbor with the lowest IP address. The destination port is TCP 179
but the source port is TCP 1024+.

Given enough time without a BGP session established (around 5 minutes or
so), the peer neighbor with the lowest IP address will eventually attempt to
start the BGP conversation.

It is enough to have a single line in the ACL for BGP. However, having the
ACL support both directions ensures a relatively fast BGP session setup
without having to specifically think about which side has the higher or
lower IP.

Cheers,
Adam

On Wed, Nov 10, 2010 at 5:08 AM, Ryan West <rwest_at_zyedge.com> wrote:
> Matt,
>
> One side is server and one side is client.
>
> The statement should read:
>
> permit tcp host 192.168.67.7 eq bgp host 192.168.67.6
> permit tcp host 192.168.67.7 host 192.168.67.6 eq bgp
>
> That would cover the local router acting as server or client.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Matt Sherman
> Sent: Tuesday, November 09, 2010 2:01 PM
> To: Cisco certification
> Subject: BGP ACL
>
> Hello,
>
> If I need to permit inbound BGP peering from R7 with an ACL on R6, the
> syntax I always see is what's pasted below. The first permit statement
> seems to do the trick just fine and the second doesn't make sense to me as
> R6 wouldn't see BGP messages sourced from itself (192.168.67.6). Can
> anyone explain the purpose of the second statement? Thanks
>
> AS 6                                   AS 7
> (R6) S1/0 ---- 192.168.67.0 ---- S1/0 (R7)
>
> R6
>
> ip access-list extended BGP
>  permit tcp host 192.168.67.7 eq bgp host 192.168.67.6
>  permit tcp host 192.168.67.6 host 192.168.67.7 eq bgp
> !
> int s1/0
>  ip access-group BGP in
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Nov 10 2010 - 08:42:48 ART
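
The two connection directions discussed in this thread, checked against R6's inbound ACL. This is an added example, not code from any poster: a minimal first-match evaluator that handles only the `permit tcp host ... [eq bgp]` form used above. The two packets and the ephemeral port 40000 are constructed for illustration.

```python
import re

BGP = 179  # the IOS keyword "bgp" stands for TCP port 179

def parse_ace(line):
    """Parse 'permit tcp host SRC [eq bgp] host DST [eq bgp]' into a dict."""
    m = re.fullmatch(r"permit tcp host (\S+)( eq bgp)? host (\S+)( eq bgp)?",
                     line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    return {"src": m[1], "sport": BGP if m[2] else None,
            "dst": m[3], "dport": BGP if m[4] else None}

def permits(acl, pkt):
    """First-match evaluation; anything unmatched falls to the implicit deny."""
    for ace in map(parse_ace, acl):
        if (ace["src"] == pkt["src"] and ace["dst"] == pkt["dst"]
                and ace["sport"] in (None, pkt["sport"])
                and ace["dport"] in (None, pkt["dport"])):
            return True
    return False

R6, R7 = "192.168.67.6", "192.168.67.7"

# ACL as posted in the original question
ORIGINAL = [f"permit tcp host {R7} eq bgp host {R6}",
            f"permit tcp host {R6} host {R7} eq bgp"]
# ACL with the second line as corrected in the reply
CORRECTED = [f"permit tcp host {R7} eq bgp host {R6}",
             f"permit tcp host {R7} host {R6} eq bgp"]

# Constructed packets arriving inbound on R6 S1/0
R7_OPENS = {"src": R7, "sport": 40000, "dst": R6, "dport": BGP}    # R7 is client
R7_REPLIES = {"src": R7, "sport": BGP, "dst": R6, "dport": 40000}  # R6 is client

def report(acl):
    """Which of the two inbound cases does this ACL permit?"""
    return {"r7_opens": permits(acl, R7_OPENS),
            "r7_replies": permits(acl, R7_REPLIES)}

if __name__ == "__main__":
    print("original :", report(ORIGINAL))
    print("corrected:", report(CORRECTED))
```

With the ACL as originally posted, only the session that R6 itself opens gets through; the corrected second line also admits the session that R7 opens toward R6 on port 179.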