Filter port by ASN

server-online
Level 1

Hi,

I have an issue with blocking port 25 to all networks from Yahoo. I know all the ASNs:

I have two 7204VXR routers with three BGP peers and I want to put in only one filter.

How can I configure this filter?

Thank You,

Best Regards

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Luis,

If I understood you correctly, you would like to filter SMTP traffic (TCP 25) if the destination or source address is in an IP network that is originated by some specific BGP AS numbers.

As far as I know you cannot do this.

However, you can use your knowledge of the BGP AS numbers to find all IP prefixes whose last AS number = AS X.

You can use the following regular expression

sh ip bgp regexp ASX$

to find out all IP prefixes.

Then you can build an IP extended access-list with the necessary entries, like

access-list 111 deny tcp any ip-addr wild-card eq 25

or

access-list 111 deny tcp ip-addr wild-card any eq 25

One or more lines are needed at the end:

a permit ip any any, or some more specific permit statements (or all traffic will be denied).

The ACL can be applied outbound or inbound on a border router interface.

Actually, you can use a route-map to manipulate route attributes like the BGP next hop so that you could trigger black holing, but you cannot combine this with specific TCP ports on live user traffic.

Hope to help

Giuseppe
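The procedure in the reply above (list the prefixes whose AS path ends in the target ASN, then write one deny line per prefix and close the ACL with permit ip any any) is mechanical enough to script, and scripting it avoids the hand-typed wildcard-mask mistakes that turn a port-25 filter into an outage. The following is an added example, not code from the thread or from Cisco: it parses the fixed-width columns of IOS "show ip bgp" output and emits the extended ACL the reply describes. The sample router output, the prefixes (RFC 5737 documentation ranges), the ASNs (private-use 65000 and friends) and the helper names are all constructed here; the ACL number 111 is taken from the reply. It also handles two details a practitioner hits in practice: IOS omits the mask on classful networks, and a blank Network column means "another path for the previous prefix".

```python
import ipaddress

# Constructed sample of IOS "show ip bgp" output (RFC 5737 addresses, private-use ASNs).
# Not captured from any real router; it exists only to exercise the parser below.
SAMPLE_SHOW_IP_BGP = """\
BGP table version is 12, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.0/24  203.0.113.1              0             0 64496 65000 i
*                   203.0.113.2                            0 64497 65000 i
*> 198.51.101.0/24  203.0.113.1              0             0 64496 65000 i
*> 203.0.113.128/25 203.0.113.2                            0 64497 65001 65000 i
*> 192.0.2.128/25   203.0.113.1              0             0 64496 165000 i
*> 172.16.0.0       203.0.113.1              0             0 64496 65000 i
*> 192.0.2.7/32     203.0.113.2                            0 64497 65000 i
*> 10.10.0.0/16     203.0.113.2                            0 64497 65000 64510 ?
"""

ORIGIN_CODES = {"i", "e", "?"}


def parse_show_ip_bgp(output):
    """Yield (network, as_path_tokens) for every path line of 'show ip bgp' output.

    IOS prints fixed-width columns, so the offsets are read from the header line.
    Assumes the compact one-line layout (network column up to 17 characters); a blank
    network column means "another path for the previous network".
    """
    lines = output.splitlines()
    try:
        hdr_idx = next(i for i, l in enumerate(lines)
                       if "Network" in l and "Next Hop" in l and "Path" in l)
    except StopIteration:
        raise ValueError("no BGP table header found in output") from None
    header = lines[hdr_idx]
    net_col, nh_col, path_col = (header.index(c) for c in ("Network", "Next Hop", "Path"))
    current = None
    for line in lines[hdr_idx + 1:]:
        if not line.strip():
            continue
        net = line[net_col:nh_col].strip()
        if net:
            current = net
        if current is None:
            continue
        yield current, line[path_col:].split()


def origin_as(path_tokens):
    """Originating AS of a path: the last AS before the origin code, or None.

    None covers locally originated routes (empty path) and AS_SETs such as
    {64510,65000}, which cannot be attributed to a single origin.
    """
    if not path_tokens or path_tokens[-1] not in ORIGIN_CODES:
        return None
    ases = path_tokens[:-1]
    if not ases or not ases[-1].isdigit():
        return None
    return int(ases[-1])


def with_prefix_length(net):
    """IOS prints classful networks without a mask (e.g. '172.16.0.0'); restore it."""
    if "/" in net:
        return net
    first_octet = int(net.split(".")[0])
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return f"{net}/{length}"


def prefixes_originated_by(output, asn):
    """Deduplicated, sorted prefixes whose AS path ends in `asn`.

    Same selection as 'show ip bgp regexp _<asn>$' on the router; the underscore
    matters, because an unanchored '65000$' would also match AS 165000.
    """
    found = set()
    for net, tokens in parse_show_ip_bgp(output):
        if origin_as(tokens) == asn:
            found.add(ipaddress.ip_network(with_prefix_length(net), strict=False))
    return sorted(found)


def acl_match(net):
    """Extended-ACL address syntax: 'host a.b.c.d' for a /32, else 'address wildcard'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask is the inverse (wildcard) mask


def build_smtp_block_acl(output, asn, acl_number=111):
    """Extended ACL denying TCP/25 to and from every prefix originated by `asn`.

    Both directions from the reply are emitted per prefix, and the list is closed with
    'permit ip any any' so the implicit deny does not drop everything else.
    """
    acl = [f"access-list {acl_number} remark SMTP block for prefixes originated by AS{asn}"]
    for net in prefixes_originated_by(output, asn):
        match = acl_match(net)
        acl.append(f"access-list {acl_number} deny tcp any {match} eq 25")
        acl.append(f"access-list {acl_number} deny tcp {match} any eq 25")
    acl.append(f"access-list {acl_number} permit ip any any")
    return acl


if __name__ == "__main__":
    print("\n".join(build_smtp_block_acl(SAMPLE_SHOW_IP_BGP, 65000)))
```

The ACL is a snapshot: the set of prefixes an AS originates changes over time, so the script has to be re-run against fresh "show ip bgp" output and the ACL replaced, which is exactly the "IP range by IP range" maintenance the original poster wanted to avoid. The "Path" column is taken from the header offsets rather than by splitting on whitespace, because Metric, LocPrf and Weight are all optional numeric columns and cannot be told apart from AS numbers once the line is split.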

Hello Giuseppe,

Thank you for the reply.

I tried it and "set interface" isn't allowed in BGP sessions. I am searching for any solution that blocks a port by ASN, because I don't want to go IP range by IP range.

Thank you,

Best regards
