RE: Difference between these two access-lists

From: Charles Church (cchurch@wamnet.com)
Date: Wed Jun 04 2003 - 09:55:44 GMT-3


Mike, you're on the right track. OSPF uses its own layer 3 protocol,
rather than TCP, UDP, etc. It's protocol 89. That's why it's listed as a
protocol option in ACLs, rather than a port.

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 585-233-2706
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mike Williams
Sent: Wednesday, June 04, 2003 1:00 AM
To: CCIELab@Groupstudy.com
Subject: Difference between these two access-lists

Working on a scenario where I have to make an ACL on R7 to deny all
other routers (basically one other router R6 = 150.50.7.6) except router
5 (150.50.7.5) from establishing an OSPF adjacency with R7 (150.50.7.7).
I came up with this ACL:

access-list 101 permit ospf host 150.50.7.5 host 150.50.7.7
access-list 101 deny ospf any any
access-list 101 permit ip any any

But R7 would never establish an adjacency with R5. So I changed it
around to this:

access-list 101 deny ospf host 150.50.7.6 any
access-list 101 permit ip any any

Then it established an adjacency with R5 and everything was fine. Why
did this ACL work and mine didn't? (I'm not arguing that mine should
have worked, as obviously it didn't)

I think I figured it out, but I'll still post this to see if I'm right.
My ACL didn't work because my list uses 150.50.7.5 as the source and
150.50.7.7 as the destination but with OSPF the destination would be
224.0.0.5 (or 224.0.0.6 if R7 is a DR/BDR)? right? So therefore it gets
denied by the "deny ospf any any" in my ACL.

If that's the case, then when you "permit ospf <address> any" does that
"any" really matter since the dest will be 224.0.0.5 or 224.0.0.6,
right?

Does OSPF use TCP for its transport? Is this ACL:

access-list 101 deny tcp host 150.50.7.6 host 224.0.0.5
access-list 101 deny tcp host 150.50.7.6 host 224.0.0.6

the same as:

access-list 101 deny ospf host 150.50.7.6 any

?!?!!?! I'm trying to get a good handle on what using the "ospf"
keyword after deny is doing specifically.......

TIA,
Mike W.
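A small evaluator, added here and not part of the thread, that applies Cisco-style extended ACL semantics (first match wins, implicit deny at the end, "ip" matches every protocol, "ospf" matches IP protocol 89 only) to an OSPF hello addressed to 224.0.0.5; it shows why the first list denies R5's hello and why "deny tcp" entries never see protocol 89. The ACL lines are the thread's own; the sample packets and the trailing "permit ip any any" on the tcp list are constructed.

```python
import ipaddress
# ACL protocol keyword -> IP protocol number as IOS resolves it; "ip" matches any.
PROTO_NUM = {"ip": None, "ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume one address spec ('any' | 'host A' | 'A wildcard'); return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def _match(ip, addr, wildcard):
    # Wildcard bits set to 1 are "don't care" (the inverse of a netmask).
    return ((_ip(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acl(text):
    """Parse 'access-list N action proto src dst' lines into match tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        saddr, swild, rest = _addr(t[4:])
        daddr, dwild, _ = _addr(rest)
        entries.append((t[2], PROTO_NUM[t[3]], saddr, swild, daddr, dwild))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, p, sa, sw, da, dw in entries:
        if p is not None and p != proto:
            continue  # e.g. a 'tcp' entry never sees protocol 89
        if _match(src, sa, sw) and _match(dst, da, dw):
            return action
    return "deny"

# The ACLs from the thread, verbatim (the tcp one with a trailing permit added).
ACL_MIKE = """access-list 101 permit ospf host 150.50.7.5 host 150.50.7.7
access-list 101 deny ospf any any
access-list 101 permit ip any any"""
ACL_WORKING = """access-list 101 deny ospf host 150.50.7.6 any
access-list 101 permit ip any any"""
ACL_TCP = """access-list 101 deny tcp host 150.50.7.6 host 224.0.0.5
access-list 101 deny tcp host 150.50.7.6 host 224.0.0.6
access-list 101 permit ip any any"""
# Constructed sample: OSPF hellos are protocol 89 sent to AllSPFRouters (224.0.0.5).
HELLO_R5 = (89, "150.50.7.5", "224.0.0.5")
HELLO_R6 = (89, "150.50.7.6", "224.0.0.5")
```

Run `evaluate(parse_acl(ACL_MIKE), *HELLO_R5)` to see R5's hello fall through the unicast-destination permit onto "deny ospf any any".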



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:52 GMT-3