BGP with access lists

Hello,
Can someone explain to me why we use access lists in a mpls cloud that uses IBGP. I thought for the most part  access lists were used on firewalls not routers running BGP. Do we even need access lists with bgp can't bgp work without access lists. What are the reasons for having access lists on a router for IBGP on a mpls cloud?
Thanks,

The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake or that someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.
It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demands that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.
Daniel Dib
CCIE #37149
Please rate helpful posts.

Similar Messages

  • Need to understand the nat with access-list

    Please let me know what it means as it is configured on our ASA
    global (mtaas) 5 10.224.128.4
    nat (outside) 5 access-list EXIDE-MTAAS-PAT
    access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.250
    access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.250
    access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.244
    access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.244

    Hi,
    The configuration you mention in your post does the following:
    Its a Policy PAT for traffic entering from networks behind "outside" to networks behind "mtaas"
    Traffic that matches the access-list will get PAT translated (Port Address Translation) to the IP address of 10.224.128.4
    The access-list tells what traffic needs to be translatedIn this case ANY IP traffic coming from source networks 10.0.0.0/8 and 1.1.1.4/32 will get translated WHEN they try to connect to the hosts 10.224.128.250 and 10.224.128.244
    This Policy PAT configuration looks like a configuration for some VPN connection you have on the firewall. Its made so that the connections taken from the VPN connection get PATed to an IP address thats part of the destination network.
    - Jouni

  • Problem with access list in interface for Switch CORE

    Hi,
    End user wants to mirror its windows or Mac computer with airparrot. the TV is connect by wireless network  and the user is connected in the guest
    network (also wireless). I have a problem when I associate an ACL to inteface VLAN X in switch core, eventhough there is connectivity between the windows or Mac computer to the TV  ( I allow in the ACL traffic for some specific devices to guest network), in airparrot is not shown the device so he can't mirrow his pc or Mac.
    Does any of you know if for this kind of application will required some especial config for ACLs?
    regards

    Rik,
    I am not a huge fan of this solution but here ya go:
    remove the with statements and replace table and column references according to your tables
    LOV definition:
    with fruit_lov_data as(
    select 'Apple' fruit from dual union
    select 'Mango' from dual union
    select 'Pineapple' from dual union
    select 'Apple, Mango, and Pineapple' from dual union
    select 'Pineapple, Grapes' from dual union
    select 'Grapes, Mango' from dual
    select fruit d, replace(translate(fruit,', ',':'),':and',':') r
      from fruit_lov_dataReport definition:
    with fruits as(
      select 'Apple' fruit from dual union all
      select 'Grapes' fruit from dual union all
      select 'Mango'        from dual union all
      select 'Pineapple'    from dual
    select *
      from fruits
    where (instr(':' || :P15_SELECT_LIST || ':', ':' || fruit || ':') > 0
        or :P15_SELECT_LIST is null)there are potentially many flaws using the above code. One of which is a potential bug if there ever is a fruit that begins with 'and'. It is also dependant that 'and' is always in lowercase. of course you could upper both bind variable and column in your report.
    Cheers,
    Tyson Jouglet
    Edited by: Tyson Jouglet on Jan 20, 2011 9:46 AM
    Edited by: Tyson Jouglet on Jan 20, 2011 9:53 AM

  • Cisco 12.1 Access-list

    We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
    Thanks

    Eric
    We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with inteface FastE1/0 or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
    The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
    assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
    create 2 access lists and assign one to each interface.
    access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 permit ip any any
    access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 permit ip any any
    interface faste0/0
    ip access-group 120 in
    interface faste1/0
    ip access-group 110 in
    adjust addresses etc to fit your situation. Try it and let us know if it works.
    HTH
    Rick

  • I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • Static nat with port redirection 8.3 access-list using un-nat port?

    I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
    object network obj-10.1.1.5-06
    nat (inside,outside) static interface service tcp 3389 3398
    object network obj-10.1.1.5-06
    host 10.1.1.5
    access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
    access-group outside_access_in in interface outside
    So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
    Thanks in advance..

    Hello,
    I would be more than glad to explain you what is going on!
    The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
    After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
    Regards,
    Julio
    Rate helpful posts

  • I upgraded to Mountain Lion (MacbookPro). Now when I open ical I get a popup window with a list I had added to Reminders app with the message 'Your calendar couldn't be refreshed' it won't go away-'delete' is greyed out-can't access calendar! Help!

    I upgraded to Mountain Lion (MacbookPro). Now when I open ical I get a popup window with a list I had added to Reminders app with the message 'Your calendar couldn't be refreshed' i--t won't go away-'delete' is greyed out--can't access calendar! Help!

    I upgraded to Mountain Lion (MacbookPro). Now when I open ical I get a popup window with a list I had added to Reminders app with the message 'Your calendar couldn't be refreshed' i--t won't go away-'delete' is greyed out--can't access calendar! Help!

  • How to make report with access 2010 from SharePoint Discussion lists 2013

    HI,
    I want to make an access report from SharePoint Discussion lists 2013. When i open the list with access, the body of the list is in HTML format in access. Also if i reply something to one subject in the discussion, the reply is not mapped to that subject
    but instead it is shown as a separate entry in the database.
    Anyone can please help?
    SAN
    Santhiya
    Santhiya

    Hi Santhiya,
    I have seen a similar post from you, my understanding is that you wonder that the reply is mapped to the related subject. You can take a look at Daniel's reply in the following thread:
    http://social.technet.microsoft.com/Forums/en-US/dfb5bcb9-0076-412a-b34f-46aa9cfba876/how-to-make-report-with-access-2010-from-sharepoint-discussion-lists-2013?forum=sharepointgeneral
    Thanks,
    Wendy
    Wendy Li
    TechNet Community Support

  • Extended access list with multiple ports

    Hello All,
    I have a problem with my Cisco Catalyst 4503-E when i try to configure an extended access lists with multipleports.
    I receive the following message:
    The informations of my Switch are the following:
    Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
    12.2(52)SG, RELEASE SOFTWARE (fc1)
    Please help me to resolve this problem.
    Best regards.

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • Access list with multiple object groups

    Hello Everyone,
    I am using a cisco ASA 5525 with 8.6 code.  I am trying to setup access list for oubound access meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-groupc outbound_access in interface inside "
    I am trying to use object-groups where ever i can.  Here is an example.
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.x.x.x 255.255.255.240
    network-object 10.x.x.x 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This what i think it should be "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
    What i want is the use the service objects and the source network would be obj_Meraki_lan and destination would be obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this maybe with a few examples.  I am already using object groups in many acls but not for every element.
    Thanks

    Hi,
    Seems to work on my test ASA
    Attached it to my current LAN interface.
    ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outbound_access in interface LAN
    access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
    object-group service obj_Meraki_outbound
    service-object tcp destination eq https
    service-object tcp destination eq www
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    description: This group lists all hosts associated with Meraki.
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
    Additional Information:
    access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
    Also have used such configuration in some special cases where the customer has insisted on allow specific TCP/UDP ports between multiple networks. And nothing is stopping from adding ICMP into the "object-group service" also.
    - Jouni

  • APEX Pages - User Access List with NTLM

    Hi,
    I'm building several APEX Applications, and using NTLM as its Authentication Scheme. With this, the users won't have to type any user and password. And their user name stated in top right screen.
    I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
    1. users (hold user name, and user data)
    2. pages (hold APEX Applications pages)
    3. access_list (hold combined data of users and pages and access flag)
    The last table will give me an SQL that can be used to create page level Authorization Scheme.
    The problem is:
    I cannot find a way to get a list of user ids to pre-populated the table users. Is there a way that an administrator user use an LOV of all NTLM user instead of typing domain\user to this application? OR is there a better and elegant way to create User Access List with NTLM.
    Your helps will really help me, and thanks in advance.
    Regards,
    Aulia

    This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
    You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
    That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
    If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
    Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
    I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.

  • Hostname(with wildcards) based access-list or policy.

    Is there any way in cisco to use hostnames with wildcards either in ACL, or Policy, class map etc, for example I want to identify following devices with one keyword..for blocking/permit etc
    UKlondon001
    UKlondon002
    UKlondon003
    Uklondon004
    UKlondon005
    I want to capture all these with wildcard UKlondon*
    something like regular expressions...

    You can group them in object-groups. You'll need to configure their names and then create an object group:
    name 10.5.5.5 uklondon001
    name 10.5.5.6 uklondon002
    object-group network UKLONDONS
    network-object host uklondon001
    network-object host uklondon002
    access-list permit tcp any object-group UKLONDONS eq 80
    The above (from memory so don't quote me) will allow any traffic to hit any of those servers on port 80.
    If you're wanting to do this for certain websites like youtube.com or google.com, you'll need to use regex and class-maps.
    HTH,
    John

  • Configuring Extended Access List with Any statement

    I have several questions where I'm fuzzy on a configuration already on my network.  Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
    1.  Are extended access-lists always source then destination?  Like in the following statement:
    permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
    2.  Further down though there is:
    permit tcp any host 172.16.4.11 eq 443.
    In that case is the source any host and the destination 172.16.4.11 ?
    This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement if valid.
    3.  Also, when you do a:
    sho ip access-list -
    Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
    Thanks!

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • Show ip access-lists with remarks?

    We have a 6509E and use ACLs for our SVIs.  When viewing specific ones created I use "show ip access-lists NAME" and when finding remarks I have to constantly go back to the "show run | b NAME" but its seems clunky.  Is there way to see the view of the first with the sequence numbers but show the remarks that I can only find in the show run?

    Ok , i understand that i will have to use the public IP in my ACL on the ADSL connected interace.
    If i obtain a private IP on my ADSL interface from the ISP, then is it the best method to aply the ACL on the LAN interface and assign it as IP ACCESS-GROUP xxx OUT ????
    And one more question.
    I understand the concept with ACL with one public IP that will be NAT (overloaded). What if i am using multiple public IPs that i will NAT on all of them ???
    how does this affect my ACLs. Is there a way around this ????
    Thanks,
    George

  • Help with an access list please

    Hi guys, i have an access list applied inbound to an interface on a router at the edge of our LAN.Our LAN subnet is 10.10.x.x and the incoming subnet is 10.13.x.x both with a 16 bit mask. The ACL is applied inbound to the interface that the the 10.13.x.x subnet come in on. I want to only allow them to go to our internal webserver to run a corporate web app, resolve dns for this web server with our dns servers, and have full access to a server on the other side of our WAN for another 32 bit app they are running. Here is my ACL:(you will notice i have also configured a single ip full access in for us to use when we are on site)
    access-list 101 permit ip 10.10.0.0 0.0.255.255 any
    access-list 101 permit ip host 10.13.1.254 any
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
    access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
    access-list 101 deny ip any any
    From the 10.13.x.x network this works like a charm but here is the key: i want to be able to remote admin their machines but cant. Even though the ACL is applied inbound only i cant get to their subnet, even with the first permit statement i still cant get to their subnet. I am assuming its allowing me in but the problem is lying with the return traffic. Is their a way for me to deny them access as in the list but for me to remote their subnet?
    Any help you could offer would be appreciated.

    I agree with you that the first line in the access list is incorrect. Coming in that interface the source address should never be 10.10.0.0. But if he follows your first suggestion then any IP packet from 10.13.anything to anything will be permitted and none of the other statements in the access list will have any effect.
    And I have a serious issue with what he appears to suggest which is that he will take his laptop (with a 10.10.x.x address), connect it into a remote subnet, and expect it to work. Unless he has IP mobility configured, he may be able to send packets out, but responses to 10.10.x.x will be sent to the 10.10.0.0 subnet and will not get to his laptop. He needs to rething this logic.
    I do agree with your second suggestion that:
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
    should allow the remote administration to work (assuming that 5900 is the correct port and assuming that it uses tcp not udp).
    HTH
    Rick

Maybe you are looking for