06-19-2009 07:27 AM - edited 03-04-2019 05:11 AM
Hi,
I have an issue with blocking port 25 to all networks from Yahoo. I know all the ASNs:
I have two 7204VXR routers with three BGP peers and I want to put in only one filter.
How can I configure this filter?
Thank You,
Best Regards
06-19-2009 11:13 AM
Hello Luis,
If I understood you correctly, you would like to filter SMTP traffic (TCP 25) if the destination or source address is in an IP network that is originated in some specific BGP AS numbers.
As far as I know you cannot do this.
However, you can use your knowledge of the BGP AS numbers to find all IP prefixes whose last AS number = AS X.
You can use the following regular expression to find out all the IP prefixes:
sh ip bgp regexp ASX$
Then you can build an IP extended access-list with the necessary entries, like
access-list 111 deny tcp any ip-addr wild-card eq 25
or
access-list 111 deny tcp ip-addr wild-card any eq 25
One or more lines are needed at the end: a
permit ip any any, which can be needed, or some more specific permit statements (or all traffic will be denied).
The ACL can be applied outbound or inbound on a border router interface.
Actually, you can use a route-map to manipulate route attributes like the BGP next hop so that you could trigger black holing, but you cannot combine this with specific TCP ports on live user traffic.
Hope to help
Giuseppe
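As an added worked example (not code from the thread), the two manual steps in the reply above, listing the prefixes whose AS path ends in the target ASN and turning each one into TCP 25 deny entries with the closing permit, scripted in Python over a constructed `show ip bgp` excerpt; the prefixes, next hops and AS numbers are documentation/private values, and ACL 111 follows the post.

```python
import ipaddress

# Constructed excerpt of IOS "show ip bgp" output (documentation prefixes,
# private ASNs); not captured from a real router.
SAMPLE_BGP_TABLE = """\
BGP table version is 12, local router ID is 203.0.113.254
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 192.0.2.0/24     203.0.113.1              0             0 64496 64500 i
*> 198.51.100.0/24  203.0.113.2              0             0 64497 i
*> 198.51.100.0/25  203.0.113.1              0             0 64496 64499 64500 i
*  192.0.2.0/24     203.0.113.2              0             0 64497 64500 i
"""


def originated_prefixes(bgp_table, asn):
    """Unique prefixes whose AS path ends in `asn` (what the regexp ASX$
    match lists), with alternate paths for the same prefix collapsed.
    AS-sets and confederation segments are not handled."""
    lines = bgp_table.splitlines()
    header = next(l for l in lines if "Network" in l and "Path" in l)
    net_col, weight_col = header.index("Network"), header.index("Weight")
    prefixes = []
    for line in lines[lines.index(header) + 1:]:
        if not line.strip():
            continue
        # From the Weight column onward: weight, AS path..., origin code.
        tail = line[weight_col:].split()
        path = [t for t in tail[1:] if t not in ("i", "e", "?")]
        if not path or path[-1] != str(asn):
            continue
        prefix = line[net_col:].split()[0]
        if prefix not in prefixes:
            prefixes.append(prefix)
    return prefixes


def wildcard(prefix):
    """CIDR prefix -> 'network wildcard-mask' as IOS ACL entries expect."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


def smtp_block_acl(prefixes, acl_no=111):
    """Deny TCP 25 to and from each prefix, then the closing permit."""
    acl = []
    for p in prefixes:
        acl.append(f"access-list {acl_no} deny tcp any {wildcard(p)} eq 25")
        acl.append(f"access-list {acl_no} deny tcp {wildcard(p)} any eq 25")
    acl.append(f"access-list {acl_no} permit ip any any")
    return acl
```

Running `smtp_block_acl(originated_prefixes(SAMPLE_BGP_TABLE, 64500))` yields two prefixes (four deny lines) plus the final permit; the column offsets are taken from the header line, so the parser works on real output as long as the standard header is present.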
06-20-2009 01:22 AM
Hello Giuseppe,
Thank you for the reply.
I tried it and "set interface" isn't allowed in BGP sessions. I am searching for any solution that blocks a port from an ASN, because I don't want to go IP range by IP range.
Thank you,
Best regards