BGP and RIP, which use TCP and UDP, can be inspected. But I am not sure if OSPF and EIGRP, which are directly encapsulated in IP, can be inspected using their protocol numbers.

You can configure an access-list for OSPF/EIGRP and associate it with the class map for testing it.

With regards
Kings

On Tue, Mar 1, 2011 at 10:42 AM, Richard Chan <[email protected]> wrote:

> Hi,
>
> What is the best practice for allowing IGP traffic
> when self zones are configured in both directions?
>
> 1. Say you have self-Outside zone and Outside-self zone configured.
>
> 2. For IGPs like OSPF/RIP/EIGRP would you add a PASS action class
> to both zone-pairs? Or do you "inspect" one of them. I don't think of
> IGP peerings as "sessions" in the UDP/TCP sense.
>
> !---
> policy-map type inspect XXX-out-self
>  class IGP
>   pass
> !--- apply to Outside-self zone-pair
> !---
> policy-map type inspect XXX-self-out
>  class IGP
>   pass
> !--- apply to self-Outside zone-pair
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
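The access-list and class-map approach suggested in the reply, written out in full with the PASS policies from the question, as an added example that is not part of the original thread. The names IGP-ACL, ZP-OUT-SELF and ZP-SELF-OUT are assumptions, and the Outside zone is assumed to exist already; because `pass` keeps no state, each direction needs its own zone-pair policy.

```cisco
! Added example. IGP-ACL, ZP-OUT-SELF and ZP-SELF-OUT are assumed names.
! Zone "Outside" is assumed to be defined and assigned to the interface.
!
! Match the IGPs by IP protocol (OSPF = 89, EIGRP = 88) and RIP by UDP port 520.
ip access-list extended IGP-ACL
 permit ospf any any
 permit eigrp any any
 permit udp any any eq rip
!
! One class-map references the ACL and is reused in both directions.
class-map type inspect match-any IGP
 match access-group name IGP-ACL
!
! Routing updates arriving at the router from the Outside zone.
policy-map type inspect XXX-out-self
 class type inspect IGP
  pass
!
! Routing updates the router itself sends into the Outside zone.
policy-map type inspect XXX-self-out
 class type inspect IGP
  pass
!
! "pass" is stateless: no return traffic is allowed automatically,
! so the policy is attached to a zone-pair in each direction.
zone-pair security ZP-OUT-SELF source Outside destination self
 service-policy type inspect XXX-out-self
!
zone-pair security ZP-SELF-OUT source self destination Outside
 service-policy type inspect XXX-self-out
```

After applying it, `show policy-map type inspect zone-pair` shows per-class packet counters for each zone-pair, which confirms whether the IGP class is matching in both directions.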
