[c-nsp] Match BGP in ACL

Gert Doering gert at greenie.muc.de
Fri Jul 30 03:09:07 EDT 2004


Hi,

On Thu, Jul 29, 2004 at 08:13:06PM -0700, Raymond, Steven wrote:
> Agreed, rxacl only examines ingress packets.  However if I want to match &
> permit all BGP packets, then I must (I think, that's the whole question of
> this thread, how to identify bgp packets in an acl) look at destination
> port=179 in both directions.  In other words, it's unknown whether my router
> or other router could have initiated the BGP session, so I don't know
> whether ingress packets or egress packets will have tcp dest port 179, and
> all source ports will be high.  So I conclude that we must have an acl line
> identifying BGP by matching tcp destination port 179 for both
> combinations of source addresses (this router or the remote routers).

The other way round.  Source address will *always* be the other end
(otherwise the packet is not ingress), but the two cases are reflected
in the source / destination ports:

 permit tcp host x.x.x.y any eq 179
 permit tcp host x.x.x.y eq 179 any 

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


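Added example, not part of the thread: a small model of the two ingress ACL lines above, evaluated against constructed packets for both ways a BGP session can be established. The peer `x.x.x.y` is stood in by the constructed address 192.0.2.2, the local router by 192.0.2.1, and the ephemeral source ports are made up; the point it shows is that on the ingress side the source address is always the peer, and only the port position changes depending on who opened the session, so each single line misses one of the two cases.

```python
from dataclasses import dataclass
from typing import Optional

PEER = "192.0.2.2"    # constructed: the remote BGP neighbour (x.x.x.y)
LOCAL = "192.0.2.1"   # constructed: this router's address
BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AclLine:
    """One 'permit tcp host <src> [eq <sport>] any [eq <dport>]' entry."""
    src_host: str
    src_port: Optional[int]   # None means any source port
    dst_port: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src == self.src_host
                and (self.src_port is None or pkt.sport == self.src_port)
                and (self.dst_port is None or pkt.dport == self.dst_port))


# The two lines from the post, as an ordered ingress ACL (first match wins).
INGRESS_ACL = [
    AclLine(PEER, None, BGP_PORT),   # permit tcp host x.x.x.y any eq 179
    AclLine(PEER, BGP_PORT, None),   # permit tcp host x.x.x.y eq 179 any
]


def permitted(acl, pkt: Packet) -> bool:
    """True if any line in the ACL matches the packet."""
    return any(line.matches(pkt) for line in acl)


def ingress_bgp_packets() -> dict:
    """Constructed ingress packets for the two session-setup directions.

    Whichever side opened the TCP session, an ingress packet always has the
    peer as its source; what differs is whether port 179 sits in the source
    or the destination position.
    """
    return {
        # Peer opened the session: its high port -> our 179.
        "peer_initiated": Packet(PEER, LOCAL, 52000, BGP_PORT),
        # We opened the session: peer replies from its 179 -> our high port.
        "local_initiated": Packet(PEER, LOCAL, BGP_PORT, 41000),
    }


def coverage(acl) -> dict:
    """Which of the two ingress cases a given ACL permits."""
    return {name: permitted(acl, pkt) for name, pkt in ingress_bgp_packets().items()}


if __name__ == "__main__":
    print("both lines :", coverage(INGRESS_ACL))
    print("line 1 only:", coverage(INGRESS_ACL[:1]))
    print("line 2 only:", coverage(INGRESS_ACL[1:]))
```

Running it shows the full ACL permitting both cases, while each line on its own permits exactly one, which is why the post needs two entries rather than one. An egress packet (source address equal to the local router) matches neither line, consistent with the remark that such a packet is simply not ingress traffic.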