Solved

eBGP policy and ACL in interface

Posted on 2016-11-18
7
68 Views
Last Modified: 2016-11-21
Hi Anyone can answer the question? Two routers (RouterA and B) have eBGP connection. RouterA sends the routes 10.0.0.0 and 20.0.0.0 to routerB. The routerB’ interface allow 10.0.0.0 in and routerB’ eBGP allow 20.0.0.0 in. My question is which route can come into the routerB? Thank you
0
Comment
Question by:eemoon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 30

Assisted Solution

by:Predrag
Predrag earned 500 total points
ID: 41894114
Since ACLs in your case are assigned to interface and traffic from other router is permitted - All routes that are advertised from other eBGP peer will be accepted. Filtering routes is performed by distribution lists in BGP configuration. Distribution lists filter routes according to ACL list and direction in which filtering is applied.
0
 

Author Comment

by:eemoon
ID: 41894959
Hi Predrag Jovic, Thank you so much for your fast reply.
If the ACL is used in interface or in route-map(and then used in bgp), i think the former is only filter traffic/data and do not filter routes. The later can directly filter routes. Do you think i am right?
0
 
LVL 30

Accepted Solution

by:
Predrag earned 500 total points
ID: 41895019
Not sure that I can understand properly last post, so here comes example. :)
This one will filter traffic, but not routes:
access-list 100 permit ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.255.255
!
interface gi0/1
 ip access-group 100 in

Open in new window

This one will filter routes (there are also other ways to achieve the same (link below)):
router bgp 1567
 neighbor x.x.x.x remote-as 2065
 neighbor x.x.x.x distribute-list 101 in
!
access-list 101 permit ip x.x.x.0 0.0.0.255 255.255.255.0 0.0.0.255

Open in new window

This access-list permits routes that are subnets of x.x.x.0/24. (permits x.x.x.0/24, x.x.x.0/25, x.x.x.128/25, x.x.x.0/26, x.x.x.64/26  ..... etc...)

For more details please read Cisco article - Block One or More Networks From a BGP Peer
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 

Author Comment

by:eemoon
ID: 41895153
We agree on the issue. so I can summarize it like this: All ACL only impact on traffic directly and do not impact routes if the ACL is associated with interface. And all the ACL only impact on routes and do not impact traffic directly if the ACL is associated with routing protocol and not associated with interface, right?
0
 
LVL 30

Assisted Solution

by:Predrag
Predrag earned 500 total points
ID: 41895355
Sounds good. The way it is written I would remove word "all" from both sentences, but than again, I am not native speaker.
0
 

Author Closing Comment

by:eemoon
ID: 41895936
Thank you!
0
 
LVL 30

Expert Comment

by:Predrag
ID: 41895953
You're welcome.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
SSL is a very common protocol used these days when browsing the web.  The purpose is to provide security to communication, but how does it do it?  There are several pieces at work that have to be setup before SSL will even work and it requires both …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question