[c-nsp] Match BGP in ACL

Raymond, Steven steven_raymond at eli.net
Thu Jul 29 19:03:05 EDT 2004


> -----Original Message-----
> From: Mark Borchers [mailto:mborchers at igillc.com]
> Sent: Thursday, July 29, 2004 2:36 PM
> To: Raymond, Steven; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Match BGP in ACL
> 
> 
> Why not neighbor statements with authentication?  What am I
> missing here?

The purpose for receive ACL is to protect the route processor from specified
traffic addressed to the router.  Rather than put ingress ACLs on all
possible interfaces, rxACL lets you specify what packets are allowed to be
sent up to RP and denied packets are filtered on the linecards.

Our goal is to create a generic rxACL that works on most/all backbone
routers.  Rather than "permit all" BGP packets towards the RP, want to
explicitly allow just those source networks which should be sending BGP
packets towards RP.  As you know, the absence of a "permit all" results in
"deny all", so we have to allow for BGP & all other necessary router traffic
in the rxACL.

The point of my original query is that you basically need a permit packets
eq destination TCP port 179 statement going both ways, because you will not
know which side will open/initiate the TCP session.  It seems that either
side will eventually try to initiate TCP, so I could block only one
direction in my ACL, but that seems like it will cause problems in the
future.  Was wondering if there was a smarter way to say "permit bgp in
either direction from these netblocks".  The two-way list is going to be
somewhat long (at least 100 lines).

To answer your question, the netblocks permitted in the rxACL are a mixture
of backbone connecteds & customer connecteds.  Some customers aren't running
md5 authentication.

Thanks
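The "permit BGP in either direction from these netblocks" list described above is mechanical to produce, and it is exactly the kind of list that grows to 100-plus lines and then drifts. The following is an added example, not code from the original post or from anyone on the thread: a small Python generator that takes a list of peer netblocks, validates them, collapses adjacent or overlapping prefixes so the list stays as short as it can, and emits the two Cisco extended-ACL lines per netblock (peer opening the session to port 179, and the peer answering from port 179 when the router opened it). The netblocks are constructed RFC 5737 documentation prefixes, the ACL number 2001 is an assumption, and applying the result as a receive ACL is platform-specific and not shown here; IPv4 only.

```python
import ipaddress

# Constructed sample netblocks (RFC 5737 documentation prefixes), standing in for the
# backbone and customer connecteds that would really be listed. IPv4 only.
PEER_NETBLOCKS = [
    "192.0.2.0/25",
    "192.0.2.128/25",   # adjacent to the entry above; collapses into 192.0.2.0/24
    "198.51.100.0/24",
    "203.0.113.7/32",   # a single peer address, rendered as "host ..."
]


def to_acl_source(net):
    """Render a network in Cisco extended-ACL source syntax (address + wildcard mask)."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def normalise_netblocks(netblocks):
    """Parse and validate the list (strict=True rejects prefixes with host bits set),
    then collapse overlapping and adjacent prefixes into the smallest equivalent set."""
    nets = [ipaddress.ip_network(n, strict=True) for n in netblocks]
    return list(ipaddress.collapse_addresses(nets))


def bgp_permits(netblocks):
    """Two permit lines per netblock, because either side may initiate the TCP session:
    one for the peer opening to the router's port 179, one for the peer's port 179
    answering a session the router opened. 'any' is the router's own addresses in an rxACL."""
    lines = []
    for net in normalise_netblocks(netblocks):
        src = to_acl_source(net)
        lines.append(f" permit tcp {src} any eq bgp")   # peer -> router:179
        lines.append(f" permit tcp {src} eq bgp any")   # peer:179 -> router (router-initiated)
    return lines


def render_rxacl(acl_number, netblocks):
    """Assemble the BGP section of a numbered extended ACL (acl_number is an assumption).
    Every other protocol the RP needs (IGP, management, ICMP, ...) must be permitted
    elsewhere in the same ACL: the implicit deny at the end drops anything not listed."""
    out = [
        f"ip access-list extended {acl_number}",
        " remark -- BGP from known peers, either direction --",
    ]
    out += bgp_permits(netblocks)
    # Explicitly deny and log BGP from anything not on the list: the log line is a cheap
    # detection hook for unexpected peering attempts reaching the RP.
    out.append(" deny tcp any any eq bgp log")
    out.append(" deny tcp any eq bgp any log")
    out.append(" remark -- permit the rest of the required RP traffic below this line --")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_rxacl(2001, PEER_NETBLOCKS))
```

Keeping the source netblocks in one list and regenerating the ACL from it means the two-direction pairing can never get out of step, and the collapse step is what keeps the line count down when customer connecteds happen to be contiguous.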
