[c-nsp] Nexus Architecture question

Saku Ytti saku at ytti.fi
Sat Jun 5 04:41:21 EDT 2021


On Thu, 3 Jun 2021 at 22:46, Drew Weaver <drew.weaver at thenap.com> wrote:

> IP access list custom-copp-system-p-acl-bgp-allow
>         3 permit tcp 192.168.1.2/32 gt 1023 any eq bgp
>         4 permit tcp 192.168.1.2/32 eq bgp any gt 1023
>
> IP access list custom-copp-system-p-acl-bgp-deny
>         1 permit tcp any any eq bgp
>         10 permit tcp any gt 1023 any eq bgp
>         20 permit tcp any eq bgp any gt 1023

 a) there is no reason to limit the far-end ephemeral range (added cost,
complexity, and it might break some broken implementation, causing work
on your end, while you don't actually care if your customer uses a
broken implementation).

 b) there is good reason to limit the near-end ephemeral range to the actual
ephemeral range, as there can be local ports listening at >1024

XR appears to use an ephemeral range of 15000-57343; unfortunately, as
far as I can see it is not documented and therefore not guaranteed across
upgrades :(

-- 
  ++ytti
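As an added illustration of points (a) and (b), not part of the thread: a small Python audit of CoPP ACL entries written in the quoted NX-OS syntax. The ephemeral range is an assumption taken from the XR observation above; the script flags entries that restrict the far-end port and local-side matches wider than that range.

```python
# Constructed sample: the two CoPP ACL entries quoted in the thread (NX-OS syntax).
SAMPLE_ACL = """
3 permit tcp 192.168.1.2/32 gt 1023 any eq bgp
4 permit tcp 192.168.1.2/32 eq bgp any gt 1023
"""
# Assumed local ephemeral range; the XR value observed in the post is used as the sample.
# It is undocumented, so verify it on the platform and version you actually run.
EPHEMERAL = (15000, 57343)
MAX_PORT, BGP = 65535, 179
PORT_NAMES = {"bgp": BGP}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_op(t, i):
    """Optional port operator at t[i] -> ((lo, hi), next index); no operator = any port."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "gt":
        return (_port(t[i + 1]) + 1, MAX_PORT), i + 2
    if i < len(t) and t[i] == "lt":
        return (0, _port(t[i + 1]) - 1), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return (0, MAX_PORT), i

def parse_entry(line):
    """'SEQ permit tcp SRC [op] DST [op]' -> (seq, src_ports, dst_ports)."""
    t = line.split()
    sport, i = _parse_op(t, 4)
    dport, _ = _parse_op(t, i + 1)
    return int(t[0]), sport, dport

def audit(acl_text, ephemeral=EPHEMERAL):
    """CoPP traffic is always destined to the local control plane, so the
    source side of an entry is the far end and the destination side is local."""
    findings = []
    for line in filter(None, (l.strip() for l in acl_text.splitlines())):
        seq, far, local = parse_entry(line)
        if local == (BGP, BGP) and far != (0, MAX_PORT):
            findings.append(f"{seq}: far-end ephemeral range {far} restricted; "
                            "no benefit, may break a peer's odd implementation")
        elif far == (BGP, BGP) and not (ephemeral[0] <= local[0] and local[1] <= ephemeral[1]):
            findings.append(f"{seq}: local match {local} wider than ephemeral "
                            f"{ephemeral}; use 'range {ephemeral[0]} {ephemeral[1]}'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ACL)))
```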
