Hi, I can't interpret these two commands. These are the commands for securing the border router ...
R1(config-ext-nacl)# permit tcp host 5.5.5.5 gt 1023 host 1.2.3.4 eq bgp
R1(config-ext-nacl)# permit tcp host 5.5.5.5 eq bgp host 1.2.3.4 gt 1023 <-------------------why do we need this one??
This access list is going to be applied inbound on my router's link, which is connected to the ISP.
1) I guess the ports above 1023 are unknown ports (protocols), so there are no restrictions for them, right?
2) Why can't we use one access list instead of two commands?
R1(config-ext-nacl)# permit tcp host < external-bgp-peer > eq bgp host < internal-bgp-peer > eq bgp
I believe this command is wrong because we can use any port from the other side (from the ISP) to connect to BGP on the interface of our router, right?
thx
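
An added example, not part of the original post: a minimal Python model of the inbound ACL, run against the packets that arrive from the ISP in each direction a BGP session can be opened. It assumes either peer may initiate the TCP connection to port 179 from a source port above 1023; the helper names and the ephemeral port value are constructed for illustration.

```python
from collections import namedtuple

BGP = 179  # TCP port that IOS names "bgp"

# Constructed model of a TCP segment header (addresses and ports only).
Packet = namedtuple("Packet", "src sport dst dport")

def port_ok(op, value, port):
    """Evaluate an IOS-style port operator ('eq' or 'gt') against a port."""
    return port == value if op == "eq" else port > value

def first_match(acl, pkt):
    """Return the index of the first permit entry matching pkt, or None
    (the implicit deny at the end of every extended ACL)."""
    for i, (src, sop, sval, dst, dop, dval) in enumerate(acl):
        if (pkt.src == src and pkt.dst == dst
                and port_ok(sop, sval, pkt.sport)
                and port_ok(dop, dval, pkt.dport)):
            return i
    return None

ISP, R1 = "5.5.5.5", "1.2.3.4"

TWO_ENTRY_ACL = [
    (ISP, "gt", 1023, R1, "eq", BGP),   # ISP opened the session to our port 179
    (ISP, "eq", BGP, R1, "gt", 1023),   # ISP replying to a session R1 opened
]
ONE_ENTRY_ACL = [
    (ISP, "eq", BGP, R1, "eq", BGP),    # the single-line variant from the question
]

EPHEMERAL = 40211  # constructed client-side source port

def inbound_packets():
    """Packets arriving from the ISP for each way the BGP session can start."""
    return {
        "isp_initiates": Packet(ISP, EPHEMERAL, R1, BGP),
        "r1_initiates_reply": Packet(ISP, BGP, R1, EPHEMERAL),
    }

def evaluate(acl):
    """Map each scenario to the ACL entry index it hits (None = denied)."""
    return {name: first_match(acl, p) for name, p in inbound_packets().items()}

if __name__ == "__main__":
    for label, acl in (("two entries", TWO_ENTRY_ACL), ("one entry", ONE_ENTRY_ACL)):
        print(label, evaluate(acl))
```

Each of the two entries covers one direction of session setup, and a high port is only permitted when the other end of the same packet is port 179; the single `eq bgp ... eq bgp` entry matches neither direction because the initiating side never uses 179 as its source port.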