[c-nsp] Match BGP in ACL
Gert Doering
gert at greenie.muc.de
Fri Jul 30 03:09:07 EDT 2004
Hi,
On Thu, Jul 29, 2004 at 08:13:06PM -0700, Raymond, Steven wrote:
> Agreed, rxacl only examines ingress packets. However if I want to match &
> permit all BGP packets, then I must (I think, that's the whole question of
> this thread, how to identify bgp packets in an acl) look at destination
> port=179 in both directions. In other words, it's unknown whether my router
> or other router could have initiated the BGP session, so I don't know
> whether ingress packets or egress packets will have tcp dest port 179, and
> all source ports will be high. So I conclude that we must have an acl line
> identifying BGP by matching tcp destination port 179 for both
> combinations of source addresses (this router or the remote routers).
The other way round. Source address will *always* be the other end
(otherwise the packet is not ingress), but the two cases are reflected
in the source / destination ports:
permit tcp host x.x.x.y any eq 179
permit tcp host x.x.x.y eq 179 any
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
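As an added example (not part of Gert's post or the thread): a small Python model of the two receive-ACL entries above, evaluated against constructed ingress packets for both session orientations. The peer and local addresses and the ephemeral ports are made up; the matching semantics (first match wins, implicit deny at the end) follow IOS ACL behaviour.

```python
# Added example, not from the original post: model the two ingress ACL
# lines and check that they cover BGP whichever side opened the session.
from dataclasses import dataclass
from typing import List, Optional

PEER = "192.0.2.2"    # constructed: the remote BGP speaker (x.x.x.y above)
LOCAL = "192.0.2.1"   # constructed: this router's own address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str
    src: str               # "any" or a host address
    sport: Optional[int]   # "eq N" on the source port, None = any port
    dst: str
    dport: Optional[int]   # "eq N" on the destination port, None = any port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


# permit tcp host x.x.x.y any eq 179  -> peer opened the session towards our 179
# permit tcp host x.x.x.y eq 179 any  -> we opened it; peer answers from its 179
RECEIVE_ACL: List[Entry] = [
    Entry("permit", "tcp", PEER, None, "any", 179),
    Entry("permit", "tcp", PEER, 179, "any", None),
]
ONE_LINE_ONLY = RECEIVE_ACL[:1]   # what happens with only the first line


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Constructed ingress packets: the source is always the peer, as Gert notes.
PEER_INITIATED = Packet("tcp", PEER, LOCAL, 41234, 179)   # peer's ephemeral -> our 179
LOCAL_INITIATED = Packet("tcp", PEER, LOCAL, 179, 52100)  # peer's 179 -> our ephemeral
STRANGER = Packet("tcp", "198.51.100.9", LOCAL, 179, 52100)  # not a configured peer
```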