11-25-2003 10:27 PM - edited 03-02-2019 11:58 AM
From the output below, you can see that on my two-router network, either router can start the BGP session. The thing is, I only want one router (ATM-BB) to be able to start the session, i.e. open a TCP session to port 179. I don't ever want the other router (TEST2) to start a TCP session with a destination port of 179.
So, the only way I figure I can do this is by putting an inbound ACL on the ATM-BB router, and it works fine (config below).
Question is, is this what you have to do to make this work, or is there an equivalent of the DLSw passive command for BGP? And what are the criteria for who starts the session first, say, if no ACL is applied and you do a clear ip bgp (must be sommat to do with the active timer or sommat)?
Many thx indeed,
Ken
Config on ATM-BB Router
-----------------------
!
interface FastEthernet1
ip address 200.201.1.1 255.255.255.0
ip access-group 111 in
!
router bgp 253
neighbor 200.201.1.2 remote-as 5
!
access-list 111 deny tcp any any eq bgp
access-list 111 permit ip any any
Config on TEST2 Router
----------------------
!
interface FastEthernet1
ip address 200.201.1.2 255.255.255.0
!
router bgp 5
neighbor 200.201.1.1 remote-as 253
Results with the ACL: TEST2 gets "access denied" when trying to start the BGP session, and then from the SYN-ACK received back on ATM-BB you know that ATM-BB has sent the SYN and started the session.
ATM-BB#
00:53:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, access denied
00:53:26: TCP src=11017, dst=179, seq=2342290847, ack=0, win=16384 SYN
ATM-BB#
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len 44, rcvd 3
00:53:40: TCP src=179, dst=11018, seq=1245489616, ack=2525366980, win=16384 ACK SYN
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0
00:53:40: TCP src=179, dst=11018, seq=1245489617, ack=2525367025, win=16339 ACK PSH
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:53:40: TCP src=179, dst=11018, seq=1245489662, ack=2525367044, win=16320 ACK PSH
00:53:40: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:53:40: TCP src=179, dst=11018, seq=1245489681, ack=2525367108, win=16256 ACK PSH
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
00:53:40: TCP src=179, dst=11018, seq=1245489700, ack=2525367146, win=16218 ACK
ATM-BB#
********Router TEST2 starts the BGP session**********************
ATM-BB#
00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, rcvd 0
00:11:26: TCP src=11005, dst=179, seq=3186708026, ack=0, win=16384 SYN
00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
00:11:26: TCP src=11005, dst=179, seq=3186708027, ack=243242607, win=16384 ACK
00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0
00:11:26: TCP src=11005, dst=179, seq=3186708027, ack=243242607, win=16384 ACK PSH
00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:11:26: TCP src=11005, dst=179, seq=3186708072, ack=243242652, win=16339 ACK PSH
00:11:26: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up
00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
00:11:26: TCP src=11005, dst=179, seq=3186708091, ack=243242671, win=16320 ACK
00:11:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:11:26: TCP src=11005, dst=179, seq=3186708091, ack=243242773, win=16218 ACK PSH
ATM-BB#
00:12:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:12:27: TCP src=11005, dst=179, seq=3186708110, ack=243242792, win=16199 ACK PSH
ATM-BB#
00:13:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:13:27: TCP src=11005, dst=179, seq=3186708129, ack=243242811, win=16180 ACK PSH
00:13:27: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 111, rcvd 0
00:13:27: TCP src=11005, dst=179, seq=3186708148, ack=243242811, win=16180 ACK PSH
TEST2#
00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2 (FastEthernet1), len 44, rcvd 3
00:11:23: TCP src=179, dst=11005, seq=243242606, ack=3186708027, win=16384 ACK SYN
00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 85, rcvd 0
00:11:23: TCP src=179, dst=11005, seq=243242607, ack=3186708072, win=16339 ACK PSH
00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
00:11:23: TCP src=179, dst=11005, seq=243242652, ack=3186708091, win=16320 ACK PSH
00:11:23: %BGP-5-ADJCHANGE: neighbor 200.201.1.1 Up
00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 142, rcvd 0
00:11:23: TCP src=179, dst=11005, seq=243242671, ack=3186708091, win=16320 ACK PSH
00:11:23: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
00:11:23: TCP src=179, dst=11005, seq=243242773, ack=3186708110, win=16301 ACK
TEST2#
00:12:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
00:12:24: TCP src=179, dst=11005, seq=243242773, ack=3186708110, win=16301 ACK PSH
00:12:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
00:12:24: TCP src=179, dst=11005, seq=243242792, ack=3186708129, win=16282 ACK
TEST2#
00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
00:13:24: TCP src=179, dst=11005, seq=243242792, ack=3186708129, win=16282 ACK PSH
00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
00:13:24: TCP src=179, dst=11005, seq=243242811, ack=3186708148, win=16263 ACK
00:13:24: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
00:13:24: TCP src=179, dst=11005, seq=243242811, ack=3186708219, win=16192 ACK
-------------------------------------------------------------------------------------
********Router ATM-BB starts the BGP session**********************
TEST2#
00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 44, rcvd 0
00:15:46: TCP src=11004, dst=179, seq=1036704196, ack=0, win=16384 SYN
00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
00:15:46: TCP src=11004, dst=179, seq=1036704197, ack=3716649371, win=16384 ACK
00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 85, rcvd 0
00:15:46: TCP src=11004, dst=179, seq=1036704197, ack=3716649371, win=16384 ACK PSH
00:15:46: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
00:15:46: TCP src=11004, dst=179, seq=1036704242, ack=3716649416, win=16339 ACK PSH
00:15:46: %BGP-5-ADJCHANGE: neighbor 200.201.1.1 Up
00:15:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
00:15:47: TCP src=11004, dst=179, seq=1036704261, ack=3716649435, win=16320 ACK
00:15:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
00:15:47: TCP src=11004, dst=179, seq=1036704261, ack=3716649525, win=16230 ACK PSH
00:16:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 59, rcvd 0
00:16:47: TCP src=11004, dst=179, seq=1036704280, ack=3716649525, win=16230 ACK PSH
00:16:47: IP: s=200.201.1.1 (FastEthernet1), d=200.201.1.2, len 40, rcvd 0
00:16:47: TCP src=11004, dst=179, seq=1036704299, ack=3716649544, win=16211 ACK
TEST2#
ATM-BB#
00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len 44, rcvd 3
00:15:49: TCP src=179, dst=11004, seq=3716649370, ack=1036704197, win=16384 ACK SYN
00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 85, rcvd 0
00:15:49: TCP src=179, dst=11004, seq=3716649371, ack=1036704242, win=16339 ACK PSH
00:15:49: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:15:49: TCP src=179, dst=11004, seq=3716649416, ack=1036704261, win=16320 ACK PSH
00:15:49: %BGP-5-ADJCHANGE: neighbor 200.201.1.2 Up
00:15:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 130, rcvd 0
00:15:50: TCP src=179, dst=11004, seq=3716649435, ack=1036704261, win=16320 ACK PSH
00:15:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 40, rcvd 0
00:15:50: TCP src=179, dst=11004, seq=3716649525, ack=1036704280, win=16301 ACK
00:16:50: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 59, rcvd 0
00:16:50: TCP src=179, dst=11004, seq=3716649525, ack=1036704299, win=16282 ACK PSH
ATM-BB#
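As an added illustration (not part of Ken's post), here is a stateless evaluation of access-list 111 over two constructed records in the debug format shown above. The only field the ACL looks at is the destination port, which is why TEST2's SYN to port 179 is denied while the SYN/ACK it returns to ATM-BB's own open (source port 179, destination port 11018) is permitted.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "debug ip packet detail" format seen in the thread:
# a SYN that TEST2 sends to port 179, then the SYN/ACK TEST2 returns to ATM-BB's own open.
DEBUG_TEXT = """\
00:53:26: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1, len 44, rcvd 0
00:53:26: TCP src=11017, dst=179, seq=2342290847, ack=0, win=16384 SYN
00:53:40: IP: s=200.201.1.2 (FastEthernet1), d=200.201.1.1 (FastEthernet1), len 44, rcvd 3
00:53:40: TCP src=179, dst=11018, seq=1245489616, ack=2525366980, win=16384 ACK SYN
"""

IP_RE = re.compile(r"IP: s=([\d.]+) \([^)]*\), d=([\d.]+)(?: \([^)]*\))?, len (\d+)")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=\d+, ack=\d+, win=\d+ (.+)$")

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str

def parse_debug(text: str) -> list[Packet]:
    """Pair each 'IP:' line with the 'TCP' line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    packets = []
    for ip_line, tcp_line in zip(lines[0::2], lines[1::2]):
        ip, tcp = IP_RE.search(ip_line), TCP_RE.search(tcp_line)
        if not ip or not tcp:
            raise ValueError(f"unrecognised record: {ip_line!r} / {tcp_line!r}")
        packets.append(Packet(ip[1], ip[2], int(tcp[1]), int(tcp[2]), tcp[3].strip()))
    return packets

# access-list 111 as configured on ATM-BB: (action, protocol, destination port or None).
# "eq bgp" after the destination 'any' matches only the destination port, 179.
ACL_111 = [("deny", "tcp", 179), ("permit", "ip", None)]

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, dst_port in acl:
        if proto not in ("ip", "tcp"):   # every parsed record here is TCP
            continue
        if dst_port is not None and dst_port != pkt.dst_port:
            continue
        return action
    return "deny"

def filter_inbound(text: str) -> list[tuple[int, str, str]]:
    """(destination port, TCP flags, ACL verdict) for every packet in the debug text."""
    return [(p.dst_port, p.flags, evaluate(ACL_111, p)) for p in parse_debug(text)]
```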
11-26-2003 09:38 PM
This is one way to do it, but there is another way.... If two BGP speakers start their sessions at the same time, and they both see it, they will both see the collision, and use the router ID to determine which session should drop, and which should be used. Looking at draft 22 of the BGP spec:
If a pair of BGP speakers try simultaneously to establish a BGP connection to each other, then two parallel connections between this pair of speakers might well be formed. If the source IP address used by one of these connections is the same as the destination IP address used by the other, and the destination IP address used by the first connection is the same as the source IP address used by the other, we refer to this situation as connection collision. Clearly in the presence of connection collision, one of these connections MUST be closed.
Based on the value of the BGP Identifier a convention is established for detecting which BGP connection is to be preserved when a collision does occur. The convention is to compare the BGP Identifiers of the peers involved in the collision and to retain only the connection initiated by the BGP speaker with the higher-valued BGP Identifier.
This is in section 6.8, here:
http://www.ietf.org/internet-drafts/draft-ietf-idr-bgp4-22.txt
So, if you set the router which you always want to be the "active open" with a higher router ID, it should always wind up as the "active open" speaker. That doesn't mean that both won't initiate, but one of the first things in the FSM is to look for the collision, so both opens shouldn't survive very long.
Other than this, the use of an access list, as you've done above, is the only choice, as far as I know.
:-)
Russ.W
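As an added example (not from Russ's post or from any BGP implementation), the section 6.8 rule quoted above in Python: detect that two opens between the same pair of speakers collide, then keep the one initiated by the higher-valued BGP Identifier, compared as a 4-octet unsigned integer rather than as a string. The identifier values for the thread's two routers are constructed; the configs on the page set none.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Connection:
    """One TCP connection to port 179, described from the side that sent the SYN."""
    initiator: str   # IP address of the speaker doing the active open
    responder: str   # IP address of the speaker doing the passive open

def identifier_value(dotted: str) -> int:
    """A BGP Identifier is a 4-octet unsigned integer; compare it numerically,
    not as a string (so 10.0.0.1 is higher than 9.0.0.1)."""
    return int(IPv4Address(dotted))

def is_collision(a: Connection, b: Connection) -> bool:
    """Section 6.8: a collision is when each connection's source is the other's destination."""
    return a.initiator == b.responder and a.responder == b.initiator

def resolve_collision(a: Connection, b: Connection, ids: dict[str, str]):
    """Return (kept, closed). Only the connection opened by the speaker with the
    higher-valued BGP Identifier survives; `ids` maps speaker IP -> BGP Identifier."""
    if not is_collision(a, b):
        raise ValueError("connections do not collide")
    id_a, id_b = identifier_value(ids[a.initiator]), identifier_value(ids[b.initiator])
    if id_a == id_b:
        # Assumption: the draft text quoted above gives no tie-break, so refuse to guess.
        raise ValueError("identical BGP Identifiers; the section 6.8 rule cannot decide")
    return (a, b) if id_a > id_b else (b, a)

# The thread's two speakers, each doing an active open towards the other.
ATM_BB, TEST2 = "200.201.1.1", "200.201.1.2"
OPEN_FROM_ATM_BB = Connection(initiator=ATM_BB, responder=TEST2)
OPEN_FROM_TEST2 = Connection(initiator=TEST2, responder=ATM_BB)

def surviving_initiator(ids: dict[str, str]) -> str:
    """Which speaker's active open is kept under the given BGP Identifiers."""
    kept, _ = resolve_collision(OPEN_FROM_ATM_BB, OPEN_FROM_TEST2, ids)
    return kept.initiator

# Constructed identifiers: ATM-BB gets the higher one, so its open is the one retained.
IDS_ATM_BB_HIGHER = {ATM_BB: "10.255.255.2", TEST2: "10.255.255.1"}
```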