[c-nsp] Match BGP in ACL

Rodney Dunn rodunn at cisco.com
Thu Jul 29 18:31:16 EDT 2004


On Thu, Jul 29, 2004 at 04:35:42PM -0500, Mark Borchers wrote:
> Why not neighbor statements with authentication? 

Good idea.

> What am I
> missing here?

He probably wants the distributed protection of the
packets being dropped by the LCs versus getting up
to the CPU in the first place.
I don't recall any discussions about having the LCs
do some form of distributed authentication to drop
the packets there, but it is a thought.

> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net 
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
> > Raymond, Steven
> > Sent: Thursday, July 29, 2004 4:15 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Match BGP in ACL
> > 
> > 
> > Is there a more clever way to match on BGP traffic in an ACL 
> > besides the
> > following:
> > 
> > access-list 100 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255 eq 179
> > access-list 100 permit tcp y.y.y.y 0.0.0.255 x.x.x.x 0.0.0.255 eq 179

Nope.  You have to match on the port for BGP which you have.

Make the ACLs as specific as possible.

Shouldn't your ACL be:

access-list 100 permit tcp x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255 eq 179
access-list 100 permit tcp x.x.x.x 0.0.0.255 eq 179 y.y.y.y 0.0.0.255 

The src/dst order of the packets inbound will never change.  It's just
that the src/dst port for BGP of the packet can change if it's in the
context of a receive ACL.

Rodney



> > 
> > In the context of building an ip receive ACL, want to specify 
> > what network
> > source & dest addresses can speak BGP to this router.  Have 
> > discovered that
> > either BGP speaker can initiate the connection, so if I 
> > eliminate one of the
> > two lines above, then only one side can possibly open the tcp 
> > connection.
> > 
> > Noticed that one can do "access-list 100 permit ospf" and 
> > thought great,
> > just s/ospf/bgp/ but it is not an option, presumably because 
> > BGP rides over
> > TCP.
> > 
> > Thanks
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
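An added example, not code from the thread, to make the receive-ACL point concrete: a small evaluator for IOS-style wildcard-mask ACL entries, run against the two ACLs discussed above with constructed addresses (10.0.0.0/24 standing in for the peer side x, 192.0.2.0/24 for the router side y) and constructed packets. In a receive ACL the destination is always the router itself, so the only thing that changes between a peer-opened and a router-opened session is whether port 179 is the destination or the source port.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is a don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N permit tcp SRC WC [eq P] DST WC [eq P]' (the subset used here)."""
    tok = line.split()
    if tok[:1] + tok[2:4] != ["access-list", "permit", "tcp"]:
        raise ValueError(line)
    fields, i = [], 4
    for _ in range(2):              # source spec, then destination spec
        addr, wc = tok[i], tok[i + 1]
        i += 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = int(tok[i + 1])
            i += 2
        fields += [addr, wc, port]
    return tuple(fields)

def acl_permits(acl, pkt):
    """pkt = (src, sport, dst, dport); first match wins, implicit deny at the end."""
    src, sport, dst, dport = pkt
    for s, swc, sp, d, dwc, dp in map(parse_ace, acl):
        if (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)
                and sp in (None, sport) and dp in (None, dport)):
            return True
    return False

# Constructed addresses: 10.0.0.0/24 stands in for the peers (x), 192.0.2.0/24 for the router (y).
ORIGINAL = [  # as posted: the second entry swaps src/dst
    "access-list 100 permit tcp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 179",
    "access-list 100 permit tcp 192.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255 eq 179",
]
CORRECTED = [  # as suggested: same src/dst, port 179 on the source side instead
    "access-list 100 permit tcp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 179",
    "access-list 100 permit tcp 10.0.0.0 0.0.0.255 eq 179 192.0.2.0 0.0.0.255",
]
# Constructed packets as the receive ACL sees them: the destination is always the router.
PEER_OPENED = ("10.0.0.7", 41000, "192.0.2.1", 179)    # peer opened the TCP session
ROUTER_OPENED = ("10.0.0.7", 179, "192.0.2.1", 52000)  # router opened it, peer answers

def compare():
    """For each ACL: (permits peer-opened traffic, permits router-opened traffic)."""
    return {name: (acl_permits(acl, PEER_OPENED), acl_permits(acl, ROUTER_OPENED))
            for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED))}
```

The swapped-address entry in the original ACL can never match on the receive path, so replies to a router-initiated session fall through to the implicit deny; the corrected second entry covers them.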

