RE: Reflexive ACL and traffic generated by the router

From: AdebolaA@mtnnigeria.net
Date: Tue Nov 09 2004 - 07:37:10 GMT-3


Are you saying you set up an OSPF nei on the outside and it was denied?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kian Wah Lai
Sent: 09 November 2004 11:18
To: Adebola Adegbonmire [ MTN - UBA ]
Cc: metooccie@hotmail.com; ccielab@groupstudy.com
Subject: Re: Reflexive ACL and traffic generated by the router

His original ACL doesn't have the 'permit ospf any any'; I asked him to
add it in to make it work. I've also labbed up his configuration and it
also shows that OSPF can't come up. His OSPF is able to work because
it's on the inside network (I thought it was on the outside) and is not
affected by the ACL.

Regards,
Kian Wah
3 routers and one PIX rental at SGD2/hr
http://rack.sgcug.org/
Singapore Cisco User Group

AdebolaA@mtnnigeria.net wrote:

>It is simply because the OSPF protocol does not have the characteristics of
>the high port / low port scenario; as such, the line permit ospf any any does
>actually permit OSPF traffic. The mistake here is that you believe the out
>access-list does stop traffic generated within the router; it does not. If
>he did not have the permit ospf any any line then he will have to find a way
>to policy route the traffic to another interface, as pointed out by some
>others, reflect and evaluate so the router allows return traffic in.
>
>Bola
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kian Wah Lai
>Sent: 07 November 2004 07:03
>To: METOO CCIE
>Cc: ccielab@groupstudy.com
>Subject: Re: Reflexive ACL and traffic generated by the router
>
>No idea why your OSPF is able to come up. Have you tried rebooting and
>seeing if it is still up?
>
>the easiest way to solve your problem would be (without complicating
>things too much)
>ip access-list extended inboundfilters
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit ospf any any
> evaluate tcptraffic
> evaluate udptraffic
> evaluate icmptraffic
> deny ip any any
>ip access-list extended outboundfilters
> permit tcp any any reflect tcptraffic
> permit udp any any reflect udptraffic
> permit icmp any any reflect icmptraffic
> permit ip any any
>no ip local policy route-map JNK123
>
>Regards,
>Kian Wah
>3 routers and one PIX rental at SGD2/hr
>http://rack.sgcug.org/
>Singapore Cisco User Group
>
>
>
>METOO CCIE wrote:
>
>
>
>>Thanks for the suggestion Kian and Anthony.
>>
>>I tried ip local policy and I can see reverse temporary entries get
>>established when this router initiates ip traffic going out of
>>Ethernet 0/0.
>>
>>However, now my BGP connection with 110.110.110.9 does not come up.
>>This neighbor is on Eth 0/0, where reflexive ACL is applied.
>>
>>Here is the extra config that I applied in addition to the config in
>>my first email. Any idea what I can change to get BGP working?
>>
>>!
>>ip local policy route-map JNK123
>>!
>>access-list 181 deny tcp any any eq bgp   ! this still does not allow bgp nei to come up
>>access-list 181 deny ospf any any         ! this allows ospf to come up fine
>>access-list 181 permit ip any any
>>!
>>route-map JNK123 permit 10
>>match ip address 181
>>set interface Loopback0
>>!
>>router bgp 167
>>bgp router-id 1.1.1.1
>>neighbor 110.110.110.9 remote-as 60109
>>!
>>!
>>interface Loopback0
>>ip address 1.1.1.1 255.255.255.0
>>!
>>I keep getting the following messages:
>>%BGP-3-NOTIFICATION: sent to neighbor 110.110.110.9 4/0 (hold time expired) 0 bytes
>>
>>sh ip bgp nei:
>>------------------
>>BGP neighbor is 110.110.110.9, remote AS 60109, external link
>> BGP version 4, remote router ID 110.110.110.9
>> BGP state = OpenConfirm
>>
>>Thanks
>>-bobby
>>
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
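The behaviour argued over in this thread, as an added Python model (not Cisco code and not anything the posters ran): outbound 'reflect' lines create temporary entries, inbound 'evaluate' admits only return traffic matching one, and traffic the router itself originates bypasses the outbound ACL unless 'ip local policy' diverts it, so the BGP session to 110.110.110.9 only comes up with an explicit inbound permit (Kian's fix) or with BGP itself policy-routed through the outbound ACL. The router's own address 110.110.110.10 and the inside host 10.1.1.5 are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable
BGP = 179  # TCP port BGP listens on

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0  # 0 for protocols without ports (icmp, ospf)
    dport: int = 0

@dataclass
class Eth0:
    """Eth0/0 with 'outboundfilters' (reflect) applied out, 'inboundfilters' (evaluate) in."""
    permit_bgp_in: bool = False      # Kian's 'permit tcp any any eq bgp' / 'any eq bgp any'
    permit_ospf_in: bool = False     # 'permit ospf any any'
    local_policy: Callable[[Pkt], bool] = lambda p: False  # 'ip local policy' match, if any
    reflected: set = field(default_factory=set)           # temporary reflexive entries

    def out(self, pkt: Pkt, router_originated: bool = False) -> bool:
        """Send a packet out Eth0/0; True if a temporary reflexive entry was created."""
        # Traffic the router itself generates is not processed by the outbound ACL
        # unless 'ip local policy' diverts it (Bola's point in the thread).
        if router_originated and not self.local_policy(pkt):
            return False
        if pkt.proto in ("tcp", "udp", "icmp"):  # the three 'reflect' lines
            self.reflected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False  # falls to 'permit ip any any': forwarded, but no entry (e.g. OSPF)

    def inbound(self, pkt: Pkt) -> bool:
        """Inbound ACL: static permits, then 'evaluate', then the final 'deny ip any any'."""
        if pkt.proto == "tcp" and self.permit_bgp_in and BGP in (pkt.sport, pkt.dport):
            return True
        if pkt.proto == "ospf" and self.permit_ospf_in:
            return True
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflected

def acl181(p: Pkt) -> bool:
    """Bobby's route-map match: ACL 181 denies BGP and OSPF, permits everything else."""
    return not (p.proto == "ospf" or (p.proto == "tcp" and BGP in (p.sport, p.dport)))

def bgp_open_returns(iface: Eth0) -> bool:
    """Router opens BGP to 110.110.110.9 (peer from the thread); does the SYN-ACK get back in?"""
    me, peer = "110.110.110.10", "110.110.110.9"  # local address is constructed
    iface.out(Pkt("tcp", me, peer, 11000, BGP), router_originated=True)
    return iface.inbound(Pkt("tcp", peer, me, BGP, 11000))

def inside_ping_returns(iface: Eth0) -> bool:
    """Transit ICMP from an inside host (constructed addresses) does get a reflexive entry."""
    iface.out(Pkt("icmp", "10.1.1.5", "110.110.110.9"))
    return iface.inbound(Pkt("icmp", "110.110.110.9", "10.1.1.5"))
```

With no local policy, or with Bobby's ACL 181 keeping BGP out of the policy, the SYN-ACK is dropped by the inbound ACL; an inside host's ping still works because its echo passes the outbound 'reflect' line.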



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:40 GMT-3