Shawn,

What you have written below is correct. For the BGP policy it doesn't really matter. As long as you get one of the sides to be able to initiate the connection, both will attempt to initiate the connection by default. If applied to the global policy, then either side can initiate. If applied to the interface, as done in the lab, then only that side will be able to initiate the connection; the other will fail to do so.

If you wanted one BGP neighbor to not initiate the connection:

    neighbor x.x.x.x transport connection-mode passive

That specifies that the router will not initiate the connection and will wait until the peer attempts to form a connection with it.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Mesiatowsky
Sent: Sunday, February 07, 2010 3:33 PM
To: [email protected]
Subject: [OSL | CCIE_Security] ASA and service policy

I am just trying to wrap my head around this little detail. I couldn't find a definitive answer in the docs.

When applying a policy-map to an interface using the service-policy command, the policy map is subjected to inbound and outbound packets depending on what is configured for a specific class:

- for inspect or set commands, the traffic is matched for inbound traffic
- for police commands, the traffic is matched for inbound or outbound, depending on what is configured
- for shape or priority commands, the traffic is matched outbound

Is this correct?

I started to look at this a little deeper as lab 1.11 asked you to configure TCP parameters for BGP. This was applied to the outside interface, so I am assuming this only takes effect for packets from r4 -> r5. It does look like the connection initiates from r4. I am not too familiar with BGP, so I could not get r5 to initiate the connection. But if it did, then wouldn't the BGP peers fail to connect (unless you applied the class to the global policy)? So would you not want to apply the BGP class-map to the global policy instead of the outside interface policy, so either r4 or r5 could initiate the connection?

Just as a side note, I created a blank tcp-map and applied this to a class in any policy-map. I applied it to the BGP class without allowing option 19. I could then see that the BGP traffic was matching my class, and I could see that option 19 was in the packets and was being removed. Other than that, I could find no way to verify that any packets were being matched by my class on the firewall.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
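As an added illustration of the two points discussed in this thread (it is not configuration from the lab or from either poster), the fragment below puts the BGP tcp-map in the ASA's global policy, so that it applies whichever side opens the TCP session, and shows the IOS passive transport mode that stops one peer from initiating. The addresses (10.0.45.4 for r4, 10.0.45.5 for r5), AS numbers, and the object names BGP-ACL, BGP-CLASS and BGP-TCP-MAP are assumed for the example; option 19 is the TCP MD5 signature option that the ASA strips unless the tcp-map allows it.

```cisco
! ---- ASA: allow TCP option 19 (MD5 signature) on the BGP session ----
! Assumed addresses: r4 = 10.0.45.4, r5 = 10.0.45.5 (example values)
tcp-map BGP-TCP-MAP
 tcp-options range 19 19 allow
!
! Match both directions of the session so it does not matter which
! router initiates; "match port tcp eq bgp" would only match the
! destination-port-179 direction.
access-list BGP-ACL extended permit tcp host 10.0.45.4 host 10.0.45.5 eq bgp
access-list BGP-ACL extended permit tcp host 10.0.45.5 host 10.0.45.4 eq bgp
!
class-map BGP-CLASS
 match access-list BGP-ACL
!
! Attaching the class to the global policy applies it to every
! interface, so either peer can open the connection. Putting the same
! class only in an interface policy would restrict it to sessions that
! enter on that interface, as described in the thread.
policy-map global_policy
 class BGP-CLASS
  set connection advanced-options BGP-TCP-MAP
!
service-policy global_policy global
!
! Verification from the ASA (shows which policy a given flow hits):
!   show service-policy flow tcp host 10.0.45.4 host 10.0.45.5 eq 179
!   show service-policy global
!
! ---- IOS on r5: make r5 wait for r4 to initiate ----
! (assumed AS numbers; not from the lab)
router bgp 65005
 neighbor 10.0.45.4 remote-as 65004
 neighbor 10.0.45.4 transport connection-mode passive
```

With the tcp-map in the global policy, the MD5 option survives in both directions and the peering comes up regardless of which router wins the TCP connection race; with "connection-mode passive" on r5, only r4 will ever send the SYN, which is useful when you want to prove which interface policy is actually being applied.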
