>"Deloso, Elmer G." <[EMAIL PROTECTED]> wrote,
>Hi, group.
>I need some help on filtering BGP4. The scenario is this: my routerA is set up
>with a T1 to routerB via static classB address. However, RouterB is
>also connected to other clouds running BGP4. I do want users in
>RouterB cloud to get to my network, but I don't want the other
>clouds that connect to RouterB to get into my network. The simple
>questions are: is it just a matter of RouterA
>using ACL to allow only RouterB? Is it telling the NetAdmin of
>RouterB to modify his route-redistribution config so no routes
>outside of RouterB's cloud
>get sent to my RouterA?

I'm confused by this. If the routes in router B's cloud are not sent
to your router, how can your users access them? Is the problem that
you don't want router B to advertise YOUR routes?

The problem there: let's say router B has 192.0.2.0/24. One of your
users at 192.0.2.33 contacts CCO.CISCO.COM. If your address space
isn't advertised to the outside world, and you don't have NAT, how is
CISCO going to know where to send the response message?

You may be mixing the functions of BGP and of traffic filters.
Perhaps you want to use TCP established, and block UDP, from router B
to router A.

>Are there any other issues or configurations I'm better off
>implementing? Thanks as always to all kind responses.
>
>Elmer

First, this is a good example of where you need to be thinking of BGP
policies, rather than strict configuration. Second, the answer will
depend on whether you run BGP between routers A and B, possibly with
a private AS number at the router A end.

I'm going to assume that there are two AS involved, AS-A and AS-B.
I'm also assuming the two address spaces are independent. By running
your own BGP, you are in control of what and how AS B will advertise
your routes.

The routing policies involved are:

    advertise: to AS-B your-address marked with NO-EXPORT community
    accept: ALL from AS-B

NO-EXPORT is a well-known BGP community that says to the receiving
AS, "use this throughout your own AS, but don't tell anyone else
about it."

If you run BGP to AS-B and don't have your own AS number, use a
private AS and the remove-private-AS command on router B.
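
The advertise/accept policy described in the reply above, written out as Cisco IOS configuration for both routers. This is an added example, not part of the original message; the AS numbers (65001 as the private AS for AS-A, 64500 for AS-B, 64501 for another cloud), all neighbor addresses and the 198.51.100.0/24 prefix standing in for "your-address" are constructed placeholders.

```cisco
! ---------- Router A (AS-A, assumed private AS 65001) ----------
! Anchor the prefix so the BGP "network" statement has a route to match.
ip route 198.51.100.0 255.255.255.0 Null0
!
! Only our own address space may be advertised to AS-B.
ip prefix-list MY-NETS seq 5 permit 198.51.100.0/24
!
! advertise: to AS-B your-address marked with NO-EXPORT community
route-map TO-AS-B permit 10
 match ip address prefix-list MY-NETS
 set community no-export
! No further entries: the implicit deny stops anything else going out.
!
router bgp 65001
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.2 remote-as 64500
 ! Communities are not sent to a neighbor unless this is configured.
 neighbor 203.0.113.2 send-community
 neighbor 203.0.113.2 route-map TO-AS-B out
 ! accept: ALL from AS-B, so no inbound route-map or filter is applied.
!
! ---------- Router B (AS-B, assumed AS 64500) ----------
router bgp 64500
 neighbor 203.0.113.1 remote-as 65001
 ! iBGP peers inside AS-B also need send-community, or other border
 ! routers of AS-B never see the NO-EXPORT marking and cannot honor it.
 neighbor 203.0.113.9 remote-as 64500
 neighbor 203.0.113.9 send-community
 ! An eBGP neighbor in another cloud (constructed address and AS):
 ! private AS numbers are stripped from the AS path sent to it.
 neighbor 203.0.113.6 remote-as 64501
 neighbor 203.0.113.6 remove-private-as
```

On router B, `show ip bgp 198.51.100.0` displays the communities attached to the received route, which confirms the marking arrived. NO-EXPORT controls route propagation only; the packet filtering mentioned earlier in the reply is a separate access-list matter.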