RE: Reflexive ACL and traffic generated by the router

From: AdebolaA@mtnnigeria.net
Date: Tue Nov 09 2004 - 06:56:08 GMT-3


It is simply because the OSPF protocol does not have the characteristics of
the high port/low port scenario, so the line permit ospf any any does
actually permit OSPF traffic. The mistake here is that you believe the out
access-list does stop traffic generated within the router; it does not. If
he did not have the permit ospf any any line then he would have to find a way
to policy route the traffic to another interface, as pointed out by some
others, reflect and evaluate so the router allows return traffic in.

Bola
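Added example, not from the thread or any of its posters: a small Python model of how the reflexive ACL in Kian Wah's inboundfilters/outboundfilters treats transit traffic versus traffic the router itself originates, which is the point Bola makes above. Only the peer address 110.110.110.9 comes from the thread; the router and host addresses, port numbers and all class and function names are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str            # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    local: bool = False   # True when the router itself generated the packet

@dataclass
class ReflexiveAcl:
    static_bgp_permit: bool = False   # the two "permit tcp ... eq bgp" lines
    local_policy: bool = False        # "ip local policy": local traffic goes through the out ACL
    reflected: set = field(default_factory=set)

    def outbound(self, p: Pkt) -> bool:
        # Router-originated traffic never hits the interface's outbound ACL, so it
        # gets no reflexive entry unless policy routing forces it through.
        if p.local and not self.local_policy:
            return True
        if p.proto in ("tcp", "udp", "icmp"):       # "permit <proto> any any reflect <name>"
            self.reflected.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return True                                 # "permit ip any any"

    def inbound(self, p: Pkt) -> bool:
        if p.proto == "ospf":                       # "permit ospf any any"
            return True
        if self.static_bgp_permit and p.proto == "tcp" and 179 in (p.sport, p.dport):
            return True
        # "evaluate <name>" lines admit only reflected sessions; the rest hits "deny ip any any"
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.reflected

ROUTER, PEER = "110.110.110.10", "110.110.110.9"   # router address constructed, peer from the thread
HOST, SERVER = "10.1.1.5", "198.51.100.7"            # constructed transit endpoints

def bgp_reply_admitted(static_bgp_permit: bool, local_policy: bool) -> bool:
    # The router opens TCP/179 to its peer; is the peer's reply let back in?
    acl = ReflexiveAcl(static_bgp_permit, local_policy)
    acl.outbound(Pkt("tcp", ROUTER, PEER, sport=11001, dport=179, local=True))
    return acl.inbound(Pkt("tcp", PEER, ROUTER, sport=179, dport=11001))

def transit_reply_admitted() -> bool:
    # A host behind the router gets its reply back through the reflected entry.
    acl = ReflexiveAcl()
    acl.outbound(Pkt("tcp", HOST, SERVER, sport=40000, dport=443))
    return acl.inbound(Pkt("tcp", SERVER, HOST, sport=443, dport=40000))
```

Without the static BGP permits the router's own BGP session gets no reflected entry and the peer's reply is dropped, while a transit host's reply is admitted; the model only shows ACL matching and does not model which interface a local policy route-map sends the traffic to.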

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of Kian
Wah Lai
Sent: 07 November 2004 07:03
To: METOO CCIE
Cc: ccielab@groupstudy.com
Subject: Re: Reflexive ACL and traffic generated by the router

No idea why your OSPF is able to come up. Have you tried rebooting and
seeing if it is still up?

The easiest way to solve your problem would be (without complicating
things too much):
ip access-list extended inboundfilters
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
 deny ip any any
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic
 permit icmp any any reflect icmptraffic
 permit ip any any
no ip local policy route-map JNK123

Regards,
Kian Wah
3 routers and one PIX rental at SGD2/hr
http://rack.sgcug.org/
Singapore Cisco User Group

METOO CCIE wrote:

> Thanks for the suggestion Kian and Anthony.
>
> I tried ip local policy and I can see reverse temporary entries get
> established when this router initiates ip traffic going out of
> Ethernet 0/0.
>
> However, now my BGP connection with 110.110.110.9 does not come up.
> This neighbor is on Eth 0/0, where reflexive ACL is applied.
>
> Here is the extra config that I applied in addition to the config in
> my first email. Any idea what I can change to get BGP working?
>
> !
> ip local policy route-map JNK123
> !
> access-list 181 deny tcp any any eq bgp ! this still does not allow bgp nei to come up
> access-list 181 deny ospf any any ! this allows ospf to come up fine
> access-list 181 permit ip any any
> !
> route-map JNK123 permit 10
> match ip address 181
> set interface Loopback0
> !
> router bgp 167
> bgp router-id 1.1.1.1
> neighbor 110.110.110.9 remote-as 60109
> !
> !
> interface Loopback0
> ip address 1.1.1.1 255.255.255.0
> !
> I keep getting following messages:
> %BGP-3-NOTIFICATION: sent to neighbor 110.110.110.9 4/0 (hold time
> expired) 0 bytes
>
> sh ip bgp nei:
> ------------------
> BGP neighbor is 110.110.110.9, remote AS 60109, external link
> BGP version 4, remote router ID 110.110.110.9
> BGP state = OpenConfirm
>
> Thanks
> -bobby
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:40 GMT-3