Does transit mean a successful ping or any other traffic, or does just unidirectional traffic count? IMHO unidirectional traffic can't produce any successful ping or any other traffic.
Now the question is how the proctor will test the validity of the correct solution. If you check the BGP table on AS101 then the DSG is valid, but if it is checked on AS101 and AS300 then the solution is invalid. The other way is to simply ping or traceroute, I guess.

----------------------------------------
> From: [email protected]
> Date: Tue, 29 Nov 2011 14:30:16 +0100
> To: [email protected]; [email protected]
> Subject: Re: [OSL | CCIE_RS] Vol2-Lab20-Task7.3 BGP - Transit AS filtering
>
> James,
>
> I get what you are saying! You have a point there.
>
> On Tue, Nov 29, 2011 at 7:14 AM, James Roc <[email protected]> wrote:
>
> > There is no loop in the topology, so there would be no reason for routes
> > not to be accepted.
> >
> > AS101 - AS50 - AS102 - ASXXX - AS300
> >
> > In this scenario, AS300 would have routes to AS101 but due to the as-path
> > filtering, AS101 would not have routes to AS300.
> >
> > So, in theory, AS300 could still send packets to AS101, thus transiting
> > AS50.
> >
> > On Mon, Nov 28, 2011 at 11:17 PM, Oluwagbenga Oyebande <[email protected]> wrote:
> >
> >> Saleh,
> >>
> >> It seems ip as-path access-list 1 permit ^102_[0-9]*$ will not meet the
> >> requirements because it will also permit AS300 to transit AS50.
> >>
> >> James,
> >>
> >> I thought BGP's inherent loop prevention mechanism takes care of that
> >> path you are looking at. If my AS is in the AS path I wouldn't accept such
> >> a route. That would be a loop.
> >>
> >> On Mon, Nov 28, 2011 at 1:55 AM, James Roc <[email protected]> wrote:
> >>
> >>> Yep, I missed the ), that's a typo,
> >>>
> >>> although it's the lack of outbound route filtering that I'm interested in.
> >>>
> >>> It looks like the DSG solution doesn't completely prevent AS50 from being
> >>> a transit AS.
> >>>
> >>> On Mon, Nov 28, 2011 at 9:16 AM, Oluwagbenga Oyebande <[email protected]> wrote:
> >>>
> >>>> Did you mean to type ip as-path access-list 73 permit ^102(_[0-9]+*)*
> >>>> ?$
> >>>>
> >>>> On Sun, Nov 27, 2011 at 12:30 PM, James Roc <[email protected]> wrote:
> >>>>
> >>>>> Hi All,
> >>>>>
> >>>>> This question asks to 'ensure that only directly connected clients of
> >>>>> AS102 can transit AS50'.
> >>>>>
> >>>>> AS101 - AS50 - AS102 - ASXXX
> >>>>>
> >>>>> The DSG uses the following inbound as-path ACL on the AS50 router
> >>>>> peering to AS102:
> >>>>>
> >>>>> ip as-path access-list 73 permit ^102(_[0-9]+?$
> >>>>>
> >>>>> This filters the required routes entering AS50 from AS102 but there
> >>>>> are no outbound filters.
> >>>>>
> >>>>> In the following topology, routes from AS101 could pass through AS50 to
> >>>>> AS102 and beyond.
> >>>>>
> >>>>> AS101 - AS50 - AS102 - ASXXX - AS300
> >>>>>
> >>>>> So while AS101 would not have a synchronous return route, AS300 could
> >>>>> still transit AS50 to reach AS101.
> >>>>>
> >>>>> Given that changes can only be done on AS50, what's the best way to
> >>>>> prevent this?
> >>>>>
> >>>>> Cheers
> >>>>> James
> >>>>> _______________________________________________
> >>>>> For more information regarding industry leading CCIE Lab training,
> >>>>> please visit www.ipexpert.com
> >>>>>
> >>>>> Are you a CCNP or CCIE and looking for a job? Check out
> >>>>> www.PlatinumPlacement.com
> >>>>>
> >>>>> To Unsubscribe from this list please visit the following link and
> >>>>> follow the directions to unsubscribe.
> >>>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
> >>>>
> >>>> --
> >>>> Olugbenga Oyebande
> >>>> MD, DAIT
> >>>> 234-803-302-5287
> >>>> http://www.dait-ng.com
> >>>> Cisco Unified Network, VPN
> >>>> DAIT Enterprise Network Servers
> >>>> Broadband Internet Deployment & ISP Consultancy
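
The check discussed in this thread (compare the BGP tables on AS101 and AS300), as an added example that is not part of the thread and not the DSG's or any poster's code. It models the five-AS chain with the `^102_[0-9]*$` pattern applied inbound on AS50's peering to AS102; AS200 standing in for ASXXX, the Python translation of `_`, and all function names are assumptions made for illustration.

```python
import re

CHAIN = [101, 50, 102, 200, 300]    # AS200 stands in for ASXXX (assumption)
INBOUND_FROM_102 = r"^102_[0-9]*$"  # pattern quoted in the thread

def cisco_to_python(pattern):
    # Cisco "_" matches a delimiter or the start/end of the AS path string.
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")

def permits(pattern, as_path):
    """True if 'ip as-path access-list N permit <pattern>' matches as_path."""
    return re.search(cisco_to_python(pattern), as_path) is not None

def build_tables(chain=CHAIN, inbound=INBOUND_FROM_102):
    """Return {asn: {origin: as_path}} after every AS's route has been
    propagated along the chain, with AS50 filtering what AS102 sends it."""
    tables = {asn: {} for asn in chain}
    for i, origin in enumerate(chain):
        for step in (-1, 1):                  # propagate left, then right
            path, j = [origin], i + step
            while 0 <= j < len(chain):
                receiver, sender = chain[j], chain[j - step]
                text = " ".join(map(str, path))
                filtered = receiver == 50 and sender == 102
                if filtered and not permits(inbound, text):
                    break                     # dropped by the inbound as-path ACL
                tables[receiver][origin] = text
                path.insert(0, receiver)      # receiver prepends itself on re-advertise
                j += step
    return tables

def one_way_pairs(tables):
    """(a, b) where a holds a route to b but b holds no route back to a."""
    return sorted((a, b) for a in tables for b in tables[a]
                  if a not in tables[b])

if __name__ == "__main__":
    t = build_tables()
    print("AS101 table:", t[101])
    print("AS300 table:", t[300])
    print("one-way reachability:", one_way_pairs(t))
```

Looking only at AS101's table shows the filter working; the one-way pairs appear only when AS300's table is compared against it.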
