sundar.palaniappan Thu, 05/31/2007 - 13:37

I hope I understood your question correctly. BGP doesn't support the passive interface command, as it doesn't use broadcast/multicast packets to form neighbor relationships and send routing updates. It uses unicast packets to peer with neighbor device(s) and send routing updates.


If you are trying to only receive routing updates but not advertise anything, you still need to have a neighbor relationship, but you can use prefix or distribute lists to block updates from being sent. We can provide an appropriate solution if you can just describe your topology and post the configuration of the device(s).


HTH


Sundar

devang_etcom Thu, 05/31/2007 - 13:44

No, BGP does not have passive interface...

But you can filter the BGP updates using a filter list, AS-path access list, distribute list, etc.


Regards

Devang

ksnarayan43 Thu, 05/31/2007 - 14:24

Thank you.


Basically I don't care much about what kind of updates it gives... I just want to force the OTHER device to initiate the connection, i.e. send the SYN.

I want BGP to LISTEN for a neighbor, not try and connect to one itself.


Thanks

sundar.palaniappan Thu, 05/31/2007 - 14:49

I hope you got the point. You still need the neighbor between the devices to receive advertisements. But, if you don't want to advertise anything then do not redistribute anything into BGP or use network statements. If you are multihoming and already have BGP routes in the routing table then use filters suggested above to make sure you aren't advertising any routes.


HTH


Sundar

ksnarayan43 Thu, 05/31/2007 - 15:09

Thank you, Sundar.


I was just looking from a TCP level, where the router just receives the "SYN".


Just trying to troubleshoot from the TCP level, trying to understand any error codes.

ksnarayan43 Thu, 05/31/2007 - 15:20

Thank you, Sundar.


Can you repost the URL? It does not seem to work.


Thank you

sundar.palaniappan Thu, 05/31/2007 - 15:28

Krishnan,


Harold posted the link but I don't think that command is meant for what you are trying to achieve. Anyway, here's the link for that command.


http://www.cisco.com/en/US/products/ps6566/products_command_reference_chapter09186a008079e0f6.html


If you want to receive BGP SYN packets but not send any BGP packets out then you can apply an ACL similar to this one on the interface through which the neighbor is connected.


access-list 100 deny tcp any any eq bgp


HTH


Sundar

Harold Ritter Thu, 05/31/2007 - 15:32
User Badges:
  • Cisco Employee

Sundar,


This command is meant exactly for what Krishnan wanted to accomplish, meaning to prevent the local router from actively opening the TCP session on port 179.


Hope this helps,

sundar.palaniappan Thu, 05/31/2007 - 15:38

Harold,


But then, based on the description of this command, it appears that if the device receives TCP SYN packets from the peer then it would respond with ACK packets in passive mode. Unless I misunderstood Krishnan, he doesn't want any BGP packets to be sent by this device and wants to only continue receiving SYN packets from the peer for troubleshooting purposes.


HTH


Sundar

Harold Ritter Thu, 05/31/2007 - 15:43

Sundar,


I was just responding based on the following question from Krishnan:


"Basically I don't care much about what kind of updates it gives... I just want to force the OTHER device to initiate the connection, i.e. send the SYN.


I want BGP to LISTEN for a neighbor, not try and connect to one itself."



Regards,


ksnarayan43 Thu, 05/31/2007 - 15:47

Thank you, Hritter.


I was just looking at receiving SYN packets from the peer for troubleshooting purposes.


Appreciate the responses.

sundar.palaniappan Thu, 05/31/2007 - 15:48

Got it.


My response was based on this subsequent posting by Krishnan.



"I was just looking from a TCP level, where the router just receives the "SYN".


Just trying to troubleshoot from the TCP level, trying to understand any error code"


Anyway, he should be able to use one of two suggestions depending on what he needs.


Regards,

Sundar

Harold Ritter Thu, 05/31/2007 - 18:15

Sundar,


Just one precision. This ACL applied outbound does not prevent the router from sending the SYN message, because traffic sourced by the router is not filtered by the outbound ACL.


One could always apply the same ACL inbound on the facing router, which would cause the router to reject the SYN message, but bear in mind that the SYN would still be issued.


Hope this helps,
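
For the TCP-level troubleshooting discussed in this thread, the following Python sketch reads tcpdump-style text and reports which side sent the SYN to port 179 and how it was answered. It is an added example, not code from any poster; the capture lines and addresses are constructed, and the `tcpdump -n` line format is an assumption about the input.

```python
import re

BGP_PORT = 179
# Matches "IP src.sport > dst.dport: Flags [..]" as printed by `tcpdump -n` (assumed input format).
LINE_RE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([A-Z.]+)\]")

# Constructed capture; addresses are documentation prefixes, not taken from the thread.
SAMPLE_CAPTURE = """\
14:49:01.000100 IP 192.0.2.2.40001 > 192.0.2.1.179: Flags [S], seq 100, win 16384, length 0
14:49:01.000900 IP 192.0.2.1.179 > 192.0.2.2.40001: Flags [S.], seq 500, ack 101, win 16384, length 0
14:49:01.001500 IP 192.0.2.2.40001 > 192.0.2.1.179: Flags [.], ack 501, win 16384, length 0
14:49:05.000100 IP 198.51.100.1.40002 > 198.51.100.2.179: Flags [S], seq 200, win 16384, length 0
14:49:05.000700 IP 198.51.100.2.179 > 198.51.100.1.40002: Flags [R.], seq 0, ack 201, win 0, length 0
14:49:09.000100 IP 203.0.113.1.40003 > 203.0.113.2.179: Flags [S], seq 300, win 16384, length 0
14:49:12.000100 IP 203.0.113.1.40003 > 203.0.113.2.179: Flags [S], seq 300, win 16384, length 0
"""

def classify_bgp_opens(capture_text):
    """Return one record per BGP connection attempt: who sent the SYN and how it was answered."""
    attempts = {}  # keyed by (opener ip, opener port, listener ip); dicts keep insertion order
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if flags == "S" and dport == BGP_PORT:
            # Bare SYN to port 179: src is the active opener. A retransmitted SYN reuses the record.
            attempts.setdefault((src, sport, dst),
                                {"opener": src, "listener": dst, "result": "unanswered"})
        elif sport == BGP_PORT and (dst, dport, src) in attempts:
            rec = attempts[(dst, dport, src)]
            if rec["result"] == "unanswered":
                if flags == "S.":
                    rec["result"] = "accepted"   # listener completed its half of the handshake
                elif "R" in flags:
                    rec["result"] = "reset"      # listener refused the session
    return list(attempts.values())

def active_openers(capture_text):
    """IPs that sent a SYN to port 179; a listen-only router should never appear here."""
    return {rec["opener"] for rec in classify_bgp_opens(capture_text)}

if __name__ == "__main__":
    for rec in classify_bgp_opens(SAMPLE_CAPTURE):
        print(f'{rec["opener"]} -> {rec["listener"]}:179  {rec["result"]}')
```

Run against a capture taken on the link to the neighbor, a router that is only listening should show up as a listener and never in `active_openers`.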

