[c-nsp] Cisco Guard and loopback

Andy Furnell andy.furnell at scansafe.com
Fri Feb 24 08:59:21 EST 2006


I haven't used the Guard since it had a Riverhead badge on the front
(well, actually an IBM badge), but I believe you need to configure the
loopback interface using Linux-esque interface naming (lo:x, rather than
Loopback x).

The CCO configuration guide seems to suggest that this hasn't changed:
http://www.cisco.com/en/US/products/ps5888/products_configuration_guide_chapter09186a00804c0a6b.html#wp1176839

I also remember that there is a highly restrictive kernel firewall in
place for management traffic. There's nothing in the docs explaining
how to change this (at the time you had to jump into the Linux part of
the box and make the changes manually, but I would think this has been
taken care of by now), but this might be another thing to check if you
can figure out how to get at it.

Remember that any routers on the same subnet as the Guard will still
need to know about its BGP routes for the redirection to work, so I'd
try to avoid eBGP multihop configurations if at all possible...

Andy
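The thread boils down to a consistency check between the two sides of a loopback-to-loopback eBGP session: each side's remote-as must name the other side's AS, each side must source updates from the loopback the other side peers with, the TTL must allow more than one hop, and each side needs a route to the peer's loopback. The script below is an added example (not code from this thread, from Cisco, or from the Guard product) that parses the two snippets Michael posted and reports which of those requirements fail; it flags the "remote-as 200" line Min spotted and reports nothing once that is changed to 100. The parser only understands the handful of IOS-style lines used in the thread, and it does not model Andy's point about the Guard's Linux-style interface naming.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Neighbor:
    remote_as: int | None = None
    update_source: str | None = None
    multihop: int | None = None


@dataclass
class BgpConfig:
    local_as: int | None = None
    interfaces: dict[str, str] = field(default_factory=dict)      # name -> address
    neighbors: dict[str, Neighbor] = field(default_factory=dict)  # peer addr -> settings
    static_routes: dict[str, str] = field(default_factory=dict)   # prefix -> next hop


def parse_config(text: str) -> BgpConfig:
    """Minimal parser for the IOS-style lines that appear in the thread's snippets."""
    cfg, current_if = BgpConfig(), None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "interface":
            current_if = tok[1]
        elif tok[:2] == ["ip", "address"] and current_if:
            cfg.interfaces[current_if] = tok[2]
        elif tok[:2] == ["router", "bgp"]:
            cfg.local_as, current_if = int(tok[2]), None
        elif tok[0] == "neighbor":
            nb = cfg.neighbors.setdefault(tok[1], Neighbor())
            if tok[2] == "remote-as":
                nb.remote_as = int(tok[3])
            elif tok[2] == "update-source":
                nb.update_source = tok[3]
            elif tok[2] == "ebgp-multihop":
                nb.multihop = int(tok[3]) if len(tok) > 3 else 255  # IOS default TTL
        elif tok[:2] == ["ip", "route"]:
            cfg.static_routes[tok[2]] = tok[4]
    return cfg


def check_peering(a: BgpConfig, b: BgpConfig) -> list[str]:
    """Cross-check both sides; an empty list means the loopback peering is consistent."""
    findings = []
    for side, local, peer in (("A", a, b), ("B", b, a)):
        for peer_ip, nb in local.neighbors.items():
            # The address we peer with has to exist on the other box.
            if peer_ip not in peer.interfaces.values():
                findings.append(f"{side}: neighbor {peer_ip} is not an address on the peer")
            # remote-as must name the peer's AS (the typo discussed in the thread).
            if nb.remote_as != peer.local_as:
                findings.append(f"{side}: neighbor {peer_ip} remote-as {nb.remote_as}, "
                                f"but the peer runs AS {peer.local_as}")
            # Updates must come from the loopback the peer is configured to talk to.
            src = local.interfaces.get(nb.update_source or "")
            if src is None:
                findings.append(f"{side}: neighbor {peer_ip} has no usable update-source")
            elif src not in peer.neighbors:
                findings.append(f"{side}: sources from {src}, but the peer has no neighbor {src}")
            # eBGP between loopbacks is not directly connected, so TTL 1 will not reach.
            if nb.remote_as != local.local_as and (nb.multihop or 1) < 2:
                findings.append(f"{side}: eBGP to loopback {peer_ip} needs ebgp-multihop >= 2")
            # The peer's /32 loopback needs a route; the thread uses statics.
            if peer_ip not in local.static_routes:
                findings.append(f"{side}: no route to the peer loopback {peer_ip}")
    return findings


# The two snippets from the thread, with blank lines and "no shut" dropped.
ROUTER1 = """
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
interface f0/0
 ip address 192.168.1.1 255.255.255.224
router bgp 100
 neighbor 10.10.10.2 remote-as 200
 neighbor 10.10.10.2 ebgp-multihop 2
 neighbor 10.10.10.2 update-source Loopback0
ip route 10.10.10.2 255.255.255.255 192.168.1.2
"""

GUARD_AS_POSTED = """
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
interface f0/0
 ip address 192.168.1.2 255.255.255.224
router bgp 200
 neighbor 10.10.10.1 remote-as 200
 neighbor 10.10.10.1 ebgp-multihop 2
 neighbor 10.10.10.1 update-source Loopback0
ip route 10.10.10.1 255.255.255.255 192.168.1.1
"""

# Min's suggested fix: the Guard must name Router 1's AS, not its own.
GUARD_FIXED = GUARD_AS_POSTED.replace("remote-as 200", "remote-as 100")

if __name__ == "__main__":
    r1 = parse_config(ROUTER1)
    for label, guard in (("as posted", GUARD_AS_POSTED), ("fixed", GUARD_FIXED)):
        print(f"Guard {label}: {check_peering(r1, parse_config(guard)) or 'consistent'}")
```

Run as-is it prints one finding for the posted Guard config (side B, remote-as 200 while Router 1 runs AS 100) and "consistent" for the corrected one. A session that still will not come up after this check passes is, as Andy suggests, more likely a platform issue on the Guard (interface naming, the management firewall) than a BGP configuration mismatch.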

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael
McCormack
Sent: 24 February 2006 13:32
To: Min Qiu; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco Guard and loopback

Actually a typo. I just changed detail for the purpose of the email, but
yes the remote peer on the guard is 100 

The config works on a back to back router config but not the cisco guard
for some "currently" unknown reason 

Thks 
Mik
n
-----Original Message-----
From: Min Qiu [mailto:mqiu at globalinternetworking.com] 
Sent: 24 February 2006 13:29
To: Michael McCormack; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco Guard and loopback

Is Cisco Guard neighbor remote as 200 a typo or
misconfig?

Min

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
> Michael McCormack
> Sent: Friday, February 24, 2006 8:19 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco Guard and loopback
> 
> 
> We are trying to set up eBGP peering between a test router and Cisco
> Guard using loopback address and the following simple config
> 
> For some reason the peering will not establish to the Guard 
> when we try
> to use the loopback address. Anybody got any suggestions ???
> 
> 
> Router 1
> 
> interface Loopback0
>  ip address 10.10.10.1 255.255.255.255
> interface f0/0
>  ip address 192.168.1.1 255.255.255.224
>  no shut
> !
> router bgp 100
> bgp log-neighbor-changes
> neighbor 10.10.10.2 remote-as 200
> neighbor 10.10.10.2 ebgp-multihop 2
> neighbor 10.10.10.2 update-source Loopback0
> !
> ip classless
> ip route 10.10.10.2 255.255.255.255 192.168.1.2
> 
> Cisco Guard
> 
> interface Loopback0
>  ip address 10.10.10.2 255.255.255.255
> interface f0/0
>  ip address 192.168.1.2 255.255.255.224
>  no shut
> !
> router bgp 200
> bgp log-neighbor-changes
> neighbor 10.10.10.1 remote-as 200
                                ^^ should this be 100?
> neighbor 10.10.10.1 ebgp-multihop 2
> neighbor 10.10.10.1 update-source Loopback0
> !
> ip classless
> ip route 10.10.10.1 255.255.255.255 192.168.1.1
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
