nanog mailing list archives

Re: Land and Cisco question


From: John Bashinski <jbash () cisco com>
Date: Sat, 22 Nov 1997 10:58:08 -0800

-----BEGIN PGP SIGNED MESSAGE-----

> Does BGP use TCP or UDP?

TCP.

> If TCP then we are in trouble.

I don't think so.

> Almost everyone has access to the Internet via BGP.  The line IP address
> is usually made up of a pair of addresses in the same subnet.  You can IP
> spoof block all your internal IP addresses, but if you block the IP address
> of your BGP connection to your BGP peer and BGP uses TCP, then the examples
> jbash gave out will stop BGP updates as well.

This was my example:

    ! Same inbound filter on both interfaces.
    interface ethernet 0
    ip address 1.2.3.4 255.255.255.0
    ip access-group 101 in
    !
    interface ethernet 1
    ! (mask assumed here; the original line omitted it and IOS will not
    ! accept "ip address" without one)
    ip address 5.6.7.8 255.255.255.0
    ip access-group 101 in
    !
    ! Drop TCP packets whose source and destination are both one of the
    ! router's own addresses (a 0.0.0.0 wildcard means exact match);
    ! let everything else through.
    access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
    access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
    access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

That only blocks the router talking to itself, not talking to any other
host, whether on the same subnet or not. As far as I know, you don't have
to have a TCP connection to yourself to run BGP, just to your neighbors.

                                                -- John B.

-----BEGIN PGP SIGNATURE-----
Version: None of your beeswax

iQCVAwUBNHcrO3emvD4nAHb9AQHpsAP+OV+xm3uQ+N1Xoc6auDyKfM/j0L9JPqvL
n1pKNh73jqZz8vMzMWOkm8wcnGkW9u+JFQ0tSlkEtpkWrAG96f0kmSpXyfC6BRYo
RvpkXL4hHT0A+1HSbVNmOjGjfThdEyWOdhcE9jJc35PxzErzarsyFTPnjK6Fl5Rl
8wVsoHAPNYU=
=cAK5
-----END PGP SIGNATURE-----
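The point of the reply above (the ACL only drops packets whose source and destination are the same router address, so a BGP session to a neighbour in the same subnet is untouched) can be checked by modelling how IOS evaluates a numbered extended ACL: entries are tried in order, the first match decides, and an implicit deny sits at the end. The following is an added example written for this page, not code from the original message or from Cisco; the peer address 1.2.3.5 and the packets fed through the list are constructed for the demonstration.

```python
"""Minimal model of Cisco IOS extended ACL matching, applied to the
access-list 101 from the post.  Illustrative code added to this page;
the BGP peer 1.2.3.5 and the sample packets are assumed, not from the post."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# access-list 101 exactly as posted; the interface lines do not affect matching.
ACL_101 = """
access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


def _ip(addr: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches any protocol; otherwise exact ("tcp", "udp", ...)
    src: int
    src_wild: int   # Cisco wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int

    def matches(self, proto: str, src: str, dst: str) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        # Only the address bits where the wildcard is 0 have to agree.
        src_ok = ((_ip(src) ^ self.src) & ~self.src_wild & 0xFFFFFFFF) == 0
        dst_ok = ((_ip(dst) ^ self.dst) & ~self.dst_wild & 0xFFFFFFFF) == 0
        return src_ok and dst_ok


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny proto src swild dst dwild' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list":
            continue
        _, _num, action, proto, src, sw, dst, dw = parts
        entries.append(AclEntry(action, proto, _ip(src), _ip(sw), _ip(dst), _ip(dw)))
    return entries


def evaluate(entries: List[AclEntry], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for entry in entries:
        if entry.matches(proto, src, dst):
            return entry.action
    return "deny"


def check_acl_101() -> Dict[str, str]:
    """Run constructed packets through the posted list (inbound on ethernet 0)."""
    acl = parse_acl(ACL_101)
    return {
        # Land-style packet: source == destination == the router's own address.
        "land_eth0": evaluate(acl, "tcp", "1.2.3.4", "1.2.3.4"),
        # Same trick using the other interface's address, spoofed in on eth0.
        "land_eth1_addr": evaluate(acl, "tcp", "5.6.7.8", "5.6.7.8"),
        # BGP (TCP) from an assumed peer 1.2.3.5 in the same subnet, and back.
        "bgp_from_peer": evaluate(acl, "tcp", "1.2.3.5", "1.2.3.4"),
        "bgp_to_peer": evaluate(acl, "tcp", "1.2.3.4", "1.2.3.5"),
        # The list is TCP-only, so a same-address UDP packet is not dropped.
        "udp_same_addr": evaluate(acl, "udp", "1.2.3.4", "1.2.3.4"),
    }


if __name__ == "__main__":
    for name, verdict in check_acl_101().items():
        print(f"{name:15s} {verdict}")
```

Only the two same-address TCP cases are denied; traffic to or from a neighbour's address falls through to the final `permit ip any any`, which is why a BGP session is unaffected. The last case is the caveat to keep in mind: the list as posted filters TCP only, so it does nothing about same-address packets in other protocols.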

