On Thu, 3 Jun 2021 at 22:46, Drew Weaver <drew.wea...@thenap.com> wrote:

> IP access list custom-copp-system-p-acl-bgp-allow
>         3 permit tcp 192.168.1.2/32 gt 1023 any eq bgp
>         4 permit tcp 192.168.1.2/32 eq bgp any gt 1023
>
> IP access list custom-copp-system-p-acl-bgp-deny
>         1 permit tcp any any eq bgp
>         10 permit tcp any gt 1023 any eq bgp
>         20 permit tcp any eq bgp any gt 1023

 a) there is no reason to limit the far-end ephemeral range (added cost
and complexity, and it might break some broken implementation, causing
work on your end, while you don't actually care if your customer uses a
broken implementation).

 b) there is good reason to limit the near-end ephemeral range to the
actual ephemeral range, as there can be local ports listening at >1024

XR appears to use an ephemeral range of 15000-57343; unfortunately, as
far as I can see, it is not documented and therefore not guaranteed
across upgrades :(

-- 
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
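Added example, not part of the thread above: a small evaluator for the Cisco-style "permit tcp <src> [port-op] <dst> [port-op]" ACE syntax quoted in the thread, run over constructed packets to show the two points made in the reply. It compares the posted allow-list (near end "any gt 1023", far end "gt 1023") against a tightened version in which the far-end port qualifier is dropped and the near-end side is narrowed to the 15000-57343 range mentioned for XR. The local address 192.168.1.1, the non-BGP local listener on port 8080 and every packet below are assumptions made up for the example; only the peer address, the 15000-57343 range and the ACE syntax come from the thread.

```python
"""Constructed example: first-match evaluator for a subset of Cisco ACE syntax.

Only 'permit|deny tcp <prefix|any> [eq|gt|lt|range ...] <prefix|any> [eq|gt|lt|range ...]'
is supported; that is all the quoted CoPP access-lists use.
"""
import ipaddress
from dataclasses import dataclass

BGP = 179
PORT_NAMES = {"bgp": BGP}  # the only port keyword the quoted ACLs use


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_port_test(toks, i):
    """Parse an optional port qualifier at toks[i]; return (predicate, next index)."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "range"):
        op = toks[i]
        if op == "range":
            lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
            return (lambda p: lo <= p <= hi), i + 3
        v = _port(toks[i + 1])
        test = {"eq": lambda p: p == v, "gt": lambda p: p > v, "lt": lambda p: p < v}[op]
        return test, i + 2
    return (lambda p: True), i  # no qualifier: any port


def parse_ace(line: str):
    """Turn one ACE into (action, matcher). A leading sequence number is ignored."""
    toks = line.split()
    if toks and toks[0].isdigit():
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported ACE: {line!r}")
    src_net = None if toks[2] == "any" else ipaddress.ip_network(toks[2], strict=False)
    sport_ok, i = _parse_port_test(toks, 3)
    dst_net = None if toks[i] == "any" else ipaddress.ip_network(toks[i], strict=False)
    dport_ok, _ = _parse_port_test(toks, i + 1)

    def matches(pkt: Packet) -> bool:
        return ((src_net is None or ipaddress.ip_address(pkt.src) in src_net)
                and sport_ok(pkt.sport)
                and (dst_net is None or ipaddress.ip_address(pkt.dst) in dst_net)
                and dport_ok(pkt.dport))

    return action, matches


def classify(acl_lines, pkt: Packet):
    """First-match semantics: 'permit', 'deny', or None when nothing matches."""
    for line in acl_lines:
        action, matches = parse_ace(line)
        if matches(pkt):
            return action
    return None


PEER = "192.168.1.2"        # from the thread
LOCAL = "192.168.1.1"       # assumed local router address

# The allow-list as posted: far end 'gt 1023' in seq 3, near end 'any gt 1023' in seq 4.
ACL_POSTED = [
    "3 permit tcp 192.168.1.2/32 gt 1023 any eq bgp",
    "4 permit tcp 192.168.1.2/32 eq bgp any gt 1023",
]

# Tightened per the reply: no far-end port qualifier, near end limited to the
# 15000-57343 range observed on XR (assumed to be the platform's real range).
ACL_TIGHTENED = [
    "3 permit tcp 192.168.1.2/32 any eq bgp",
    "4 permit tcp 192.168.1.2/32 eq bgp any range 15000 57343",
]


def demo():
    """Return {case: (result with posted ACL, result with tightened ACL)}."""
    cases = {
        "normal_peer_initiated": Packet(PEER, 40000, LOCAL, BGP),
        "normal_local_initiated": Packet(PEER, BGP, LOCAL, 20000),
        # point (b): source port 179 aimed at a local non-BGP listener above 1023
        "peer_179_to_local_8080": Packet(PEER, BGP, LOCAL, 8080),
        # point (a): a peer whose stack picks a source port below 1024
        "peer_low_source_port": Packet(PEER, 1000, LOCAL, BGP),
    }
    return {name: (classify(ACL_POSTED, p), classify(ACL_TIGHTENED, p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (posted, tightened) in demo().items():
        print(f"{name:26s} posted={posted!s:7s} tightened={tightened}")
```

With the posted ACL, traffic from the peer's port 179 to an unrelated local listener on 8080 is classified into the BGP class, while a peer using a source port below 1024 falls out of it entirely; the tightened ACL inverts both outcomes and leaves the two ordinary session directions untouched. The range used on the near end is only as good as the thread's observation of it, which is exactly the "not documented, not guaranteed across upgrades" caveat.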