From: Mike Williams (ccie2be@swbell.net)
Date: Wed Jun 04 2003 - 01:59:33 GMT-3
Working on a scenario where I have to make an ACL on R7 to deny all
other routers (basically one other router R6 = 150.50.7.6) except router
5 (150.50.7.5) from establishing an OSPF adjacency with R7 (150.50.7.7).
I came up with this ACL:
access-list 101 permit ospf host 150.50.7.5 host 150.50.7.7
access-list 101 deny ospf any any
access-list 101 permit ip any any
But R7 would never establish an adjacency with R5. So I changed it
around to this:
access-list 101 deny ospf host 150.50.7.6 any
access-list 101 permit ip any any
Then it established an adjacency with R5 and everything was fine. Why
did this ACL work and mine didn't? (I'm not arguing that mine should
have worked, as obviously it didn't)
I think I figured it out, but I'll still post this to see if I'm right.
My ACL didn't work because my list uses 150.50.7.5 as the source and
150.50.7.7 as the destination but with OSPF the destination would be
224.0.0.5 (or 224.0.0.6 if R7 is a DR/BDR)? right? So therefore it gets
denied by the "deny ospf any any" in my ACL.
If that's the case, then when you "permit ospf <address> any" does that
"any" really matter since the dest will be 224.0.0.5 or 224.0.0.6,
right?
Does OSPF use TCP for its transport? Is this ACL:
access-list 101 deny tcp host 150.50.7.6 host 224.0.0.5
access-list 101 deny tcp host 150.50.7.6 host 224.0.0.6
the same as:
access-list 101 deny ospf host 150.50.7.6 any
?!?!!?! I'm trying to get a good handle on what using the "ospf"
keyword after deny is doing specifically.......
TIA,
Mike W.
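An added example, not part of Mike's post or any Cisco code: a small Python model of ordered, first-match extended ACL evaluation, run over the two ACLs quoted above with OSPF hellos addressed to 224.0.0.5. It assumes the `ospf` keyword matches IP protocol 89 and that the packets are constructed for illustration; it traces why the first list stops R5's hello at `deny ospf any any` while the second list lets it through.

```python
# Added example, not from the original post: a minimal model of Cisco-style
# extended ACL matching, traced against the poster's two ACLs. Assumptions:
# "ospf" matches IP protocol 89, OSPF hellos are addressed to 224.0.0.5
# (AllSPFRouters), and the packets below are constructed for illustration.
OSPF_HELLO_DST = "224.0.0.5"                 # AllSPFRouters multicast group
PROTO = {"ospf": 89, "tcp": 6, "ip": None}   # None: any IP protocol

def _addr_matcher(tokens):
    """Consume 'any' or 'host A.B.C.D' from tokens; return a predicate."""
    if tokens[0] == "any":
        del tokens[0]
        return lambda ip: True
    if tokens[0] == "host":
        addr = tokens[1]
        del tokens[:2]
        return lambda ip: ip == addr
    raise ValueError(f"unsupported address spec: {tokens[0]}")

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[2], PROTO[tokens[3]], tokens[4:]
        src, dst = _addr_matcher(rest), _addr_matcher(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, p, src_ok, dst_ok in entries:
        if p in (None, proto) and src_ok(src) and dst_ok(dst):
            return action
    return "deny"

FIRST_ACL = """
access-list 101 permit ospf host 150.50.7.5 host 150.50.7.7
access-list 101 deny ospf any any
access-list 101 permit ip any any
"""
SECOND_ACL = """
access-list 101 deny ospf host 150.50.7.6 any
access-list 101 permit ip any any
"""
def hello_verdicts(acl_text):
    """Verdicts for an OSPF hello from R5 and from R6, both sent to 224.0.0.5."""
    entries = parse_acl(acl_text)
    return tuple(evaluate(entries, 89, src, OSPF_HELLO_DST)
                 for src in ("150.50.7.5", "150.50.7.6"))
```

`hello_verdicts(FIRST_ACL)` returns `('deny', 'deny')` because the hello's destination is the multicast group, not 150.50.7.7, so the host-to-host permit never matches; `hello_verdicts(SECOND_ACL)` returns `('permit', 'deny')`.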
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:52 GMT-3