From the output below, you can see that on my two-router network, either router can start the BGP session. The thing is, I only want one router (ATM-BB) to be able to start the session, i.e. open a TCP session to port 179. I don't ever want the other router (TEST2) to start a TCP session with a destination port of 179.
So, the only way I figure I can do this is by putting an inbound ACL on the ATM-BB router, and it works fine (config below).
Question is, is this what you have to do to make this work, or is there an equivalent of the DLSw passive command for BGP? And what is the criteria for who starts the session first, say no ACL is applied and you do a clear ip bgp (must be sommat to do with the active timer or sommat)?
Many thx indeed,
Config on ATM-BB Router
ip address 126.96.36.199 255.255.255.0
ip access-group 111 in
router bgp 253
neighbor 188.8.131.52 remote-as 5
access-list 111 deny tcp any any eq bgp
access-list 111 permit ip any any
Config on TEST2 Router
ip address 184.108.40.206 255.255.255.0
router bgp 5
neighbor 220.127.116.11 remote-as 253
Results with the ACL: TEST2 gets "access denied" when trying to start the BGP session, and then from the SYN-ACK received back on ATM-BB, you know that ATM-BB has sent the SYN and started the session.
00:53:26: IP: s=18.104.22.168 (FastEthernet1), d=22.214.171.124, len 44, access denied
00:53:26: TCP src=11017, dst=179, seq=2342290847, ack=0, win=16384 SYN
00:53:40: IP: s=126.96.36.199 (FastEthernet1), d=188.8.131.52 (FastEthernet1), len 44, rcvd 3
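To see exactly why the inbound ACL on ATM-BB gives the asymmetry the post wants, here is a small evaluator for the two access-list lines above. It is an added example, not code from the post or from Cisco; the addresses and the three packets are constructed (modelled on the debug lines, but using RFC 5737 documentation addresses), and only the syntax those two ACL lines use is supported. The point it shows: the entry `deny tcp any any eq bgp` matches TEST2's own SYN to port 179, but TEST2's SYN-ACK reply to a session ATM-BB opened has destination port 11017, not 179, so it falls through to `permit ip any any`.

```python
"""Added example: evaluator for the IOS access list in the post.

The ACL is bound inbound on ATM-BB ('ip access-group 111 in'), so every
packet below is one arriving at ATM-BB from TEST2.
"""
from dataclasses import dataclass
from typing import List, Optional

# IOS accepts well-known names after 'eq'; 'bgp' is the one the ACL uses.
PORT_NAMES = {"bgp": 179}

# Constructed addresses (RFC 5737 documentation range), not the post's.
ATM_BB = "192.0.2.1"
TEST2 = "192.0.2.2"


@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol; "tcp" matches TCP only
    dst_port: Optional[int]  # None means any destination port


@dataclass
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    flags: str               # TCP flags, shown for the reader; not used in matching


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list <n> <permit|deny> <proto> any any [eq <port>]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        dst_port = None
        if len(tok) == 8 and tok[6] == "eq":
            dst_port = PORT_NAMES.get(tok[7]) or int(tok[7])
        elif len(tok) != 6:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        entries.append(AclEntry(action, proto, dst_port))
    return entries


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"


ACL_111 = parse_acl([
    "access-list 111 deny tcp any any eq bgp",
    "access-list 111 permit ip any any",
])

# Constructed packets modelled on the debug output, as seen inbound on ATM-BB.
INBOUND = {
    # TEST2 tries to open the session itself: SYN to port 179.
    "test2_syn_to_179": Packet("tcp", TEST2, 11017, ATM_BB, 179, "SYN"),
    # ATM-BB opened the session to TEST2:179; this is TEST2's reply. Its
    # destination is ATM-BB's ephemeral port, so 'eq bgp' does not match.
    "test2_synack_reply": Packet("tcp", TEST2, 179, ATM_BB, 11017, "SYN ACK"),
    # Unrelated traffic is untouched by the first entry.
    "test2_icmp": Packet("icmp", TEST2, 0, ATM_BB, 0, ""),
}


def inbound_decisions() -> dict:
    """Verdict for each constructed inbound packet."""
    return {name: evaluate(ACL_111, pkt) for name, pkt in INBOUND.items()}


if __name__ == "__main__":
    for name, verdict in inbound_decisions().items():
        print(f"{name:20s} -> {verdict}")
```

Because the match is on the destination port of the inbound packet only, the rule blocks connection attempts toward ATM-BB's port 179 while leaving ATM-BB's own outgoing opens, and their replies, unaffected; that is the whole reason the single-line ACL makes ATM-BB the only possible initiator.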
This is one way to do it, but there is another way.... If two BGP speakers start their sessions at the same time, and they both see it, they will both see the collision, and use the router ID to determine which session should drop, and which should be used. Looking at draft 22 of the BGP spec:
If a pair of BGP speakers try simultaneously to establish a BGP connection to each other, then two parallel connections between this pair of speakers might well be formed. If the source IP address used by one of these connections is the same as the destination IP address used by the other, and the destination IP address used by the first connection is the same as the source IP address used by the other, we refer to this situation as connection collision. Clearly in the presence of connection collision, one of these connections MUST be
Based on the value of the BGP Identifier a convention is established for detecting which BGP connection is to be preserved when a collision does occur. The convention is to compare the BGP Identifiers of the peers involved in the collision and to retain only the connection initiated by the BGP speaker with the higher-valued BGP Identifier.
So, if you set the router which you always want to be the "active open" with a higher router ID, it should always wind up as the "active open" speaker. That doesn't mean that both won't initiate, but one of the first things in the FSM is to look for the collision, so both opens shouldn't survive very long.
Other than this, the use of an access list, as you've done above, is the only choice, as far as I know.
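The collision rule quoted in the reply, worked through in code. This is an added example, not part of the reply or of any router software; the speaker names reuse the post's routers and the BGP Identifiers are constructed so that ATM-BB's is the higher one. Each side independently compares Identifiers and closes one connection; the example checks that both sides' decisions agree, so exactly one connection, the one initiated by the higher-valued Identifier, survives. (The draft text quoted above became RFC 4271 section 6.8, which states the same rule.)

```python
"""Added example: BGP connection-collision resolution by BGP Identifier."""
import ipaddress
from dataclasses import dataclass


def bgp_id_value(dotted: str) -> int:
    """BGP Identifiers are compared as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Speaker:
    name: str
    bgp_id: str


def survivor(a: Speaker, b: Speaker) -> Speaker:
    """The speaker whose initiated connection is kept after a collision."""
    va, vb = bgp_id_value(a.bgp_id), bgp_id_value(b.bgp_id)
    if va == vb:
        # Equal Identifiers between peers are a misconfiguration; there is
        # no tie-break, so neither connection can be chosen.
        raise ValueError("BGP Identifiers are equal; collision cannot be resolved")
    return a if va > vb else b


def local_decision(local: Speaker, remote: Speaker) -> str:
    """What one side does on detecting the collision.

    If the local Identifier is lower, this side closes the connection it
    initiated itself and accepts the remote's; otherwise it closes the
    remote-initiated one and keeps its own.
    """
    keep = survivor(local, remote)
    return "close own" if keep == remote else "close remote's"


def collision_outcome(x: Speaker, y: Speaker) -> dict:
    """Run both sides' decisions and confirm they converge on one survivor."""
    win = survivor(x, y)
    dx, dy = local_decision(x, y), local_decision(y, x)
    # Exactly one side gives up its own connection; the other gives up the peer's.
    assert {dx, dy} == {"close own", "close remote's"}
    return {"initiated_by": win.name, x.name: dx, y.name: dy}


# Constructed Identifiers: ATM-BB is given the higher value so that its
# active open is the connection that survives.
ATM_BB = Speaker("ATM-BB", "10.255.255.254")
TEST2 = Speaker("TEST2", "10.0.0.1")

if __name__ == "__main__":
    print(collision_outcome(ATM_BB, TEST2))
    # Which side detects the collision first does not change the result.
    print(collision_outcome(TEST2, ATM_BB))
```

On IOS the Identifier can be pinned with `bgp router-id` rather than left to the default (the highest loopback or interface address). As the reply notes, this only decides which of two colliding connections is kept; it does not stop TEST2 from attempting a TCP connection to port 179 in the first place, which is what the inbound ACL does.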