From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Thu Feb 12 2009 - 16:50:34 ARST
Just doing a lab and I ran into this issue.
My topology:
R4(Gi0/0)---ethernet --- (Gi0/0)R6
Rack1R4#sh run int gi0/0
Building configuration...
Current configuration : 232 bytes
!
interface GigabitEthernet0/0
description Connected-to-SW1-Fa0/4
ip address 183.1.46.4 255.255.255.0
ip access-group inbound in
ip access-group outbound out
ip ospf message-digest-key 1 md5 CISCO
duplex auto
speed auto
end
Rack1R4#
Rack1R4#sh ip access-lists outbound
Extended IP access list outbound
11 permit icmp any any reflect acl-ccie (113 matches)
12 permit udp any any reflect acl-ccie (33 matches)
20 permit tcp any any reflect acl-ccie (624 matches)
30 deny ip any any log
Rack1R4#
Rack1R4#sh ip access-lists inbound
Extended IP access list inbound
9 permit icmp any any port-unreachable
10 permit ospf any any (1258 matches)
11 permit icmp any any time-exceeded (149 matches)
12 permit icmp any any unreachable (14 matches)
13 permit icmp any host 183.1.46.4 echo-reply (30 matches)
20 evaluate acl-ccie
30 deny ip any any log (31 matches)
Rack1R4#
It works fine, but if I need to push traffic out from router R4, I also need
the reflexive ACL not to drop the traffic that I originate from the router,
like this one:
Rack1R4#telnet 183.1.46.6
Trying 183.1.46.6 ...
Feb 12 18:23:37.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
Feb 12 18:23:39.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
% Connection reset by user
Rack1R4
Then I need to set a local policy pointing to any loopback (another option
could be adding more ACLs inside the inbound access-list); that way I make my
traffic flow through the router rather than being originated from the
router itself. Good so far.
Then in R4:
Rack1R4#
route-map POL-LOCAL permit 10
set interface Loopback0
and
Rack1R4(config)#ip local policy route-map POL-LOCAL
Then in R4 I can telnet R6:
Rack1R4#telnet 183.1.46.6
Trying 183.1.46.6 ... Open
User Access Verification
Password:
Rack1R6>
But OSPF dies:
-------------
Rack1R4#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.6.6         1   FULL/DR         00:00:38    183.1.46.6      GigabitEthernet0/0
150.1.5.5         0   FULL/  -        00:00:32    183.1.45.5      Serial0/2/0
150.1.5.5         0   FULL/  -        00:01:39    183.1.0.5       Serial0/3/0.345
Rack1R4#
and
Rack1R6#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.4.4         1   FULL/BDR        00:00:37    183.1.46.4      GigabitEthernet0/0
Rack1R6#
In R6 I perform:
---------------------------------
Rack1R6#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
Rack1R6#
Rack1R6#
000119: *Feb 12 19:33:56.213: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
Rack1R6#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.4.4         1   EXSTART/DR      00:00:33    183.1.46.4      GigabitEthernet0/0
Rack1R6#
Rack1R4#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.1.6.6         1   EXCHANGE/BDR    00:00:39    183.1.46.6      GigabitEthernet0/0
150.1.5.5         0   FULL/  -        00:00:39    183.1.45.5      Serial0/2/0
150.1.5.5         0   EXCHANGE/  -    00:01:59    183.1.0.5       Serial0/3/0.345
Rack1R4#
Why does the OSPF neighbor relationship die when I add local policy routing? Anyone
have an idea?
Regards
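As an added illustration (example code written for this archive page, not from the post or from IOS), here is a small Python model of the reflexive ACL pair on R4's Gi0/0 and how it treats sessions the router itself originates, with and without the local policy. It assumes that router-originated packets skip the outbound interface ACL (so no reflexive entry is created and the reply hits the inbound deny, as the log above shows) unless local policy routing pushes them through the forwarding path first; the ACL lines, addresses and ports are the ones in the post, and `Pkt`, `ReflexiveInterface` and the two helper functions are names of this example.

```python
# Added example (not from the original post): a model of how R4's reflexive ACL pair
# treats router-originated sessions, with and without "ip local policy".
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

class ReflexiveInterface:
    """Assumed Gi0/0 behaviour: 'reflect' on the outbound ACL records a
    mirrored temporary entry; 'evaluate' on the inbound ACL consults it."""
    REFLECTED = {"icmp", "udp", "tcp"}   # the three 'reflect acl-ccie' lines
    INBOUND_STATIC = {"ospf"}            # 'permit ospf any any'; other lines omitted

    def __init__(self, local_policy: bool):
        self.local_policy = local_policy  # ip local policy route-map POL-LOCAL
        self.reflexive = set()            # acl-ccie: (proto, src, dst, sport, dport)

    def send(self, p: Pkt, router_originated: bool) -> str:
        # Router-originated packets bypass the outbound interface ACL unless
        # local policy routing pushes them through the forwarding path first.
        if router_originated and not self.local_policy:
            return "permit (bypassed outbound ACL, no reflexive entry)"
        if p.proto in self.REFLECTED:
            self.reflexive.add((p.proto, p.dst, p.src, p.dport, p.sport))
            return "permit reflect acl-ccie"
        return "deny ip any any log"      # e.g. OSPF (protocol 89): no outbound permit

    def receive(self, p: Pkt) -> str:
        if p.proto in self.INBOUND_STATIC:
            return "permit ospf any any"
        if (p.proto, p.src, p.dst, p.sport, p.dport) in self.reflexive:
            return "permit (evaluate acl-ccie)"
        return "deny ip any any log"

def telnet_from_r4(local_policy: bool):
    """(outbound verdict, inbound verdict) for R4's own telnet to R6."""
    gi = ReflexiveInterface(local_policy)
    syn = Pkt("tcp", "183.1.46.4", "183.1.46.6", 64178, 23)
    syn_ack = Pkt("tcp", "183.1.46.6", "183.1.46.4", 23, 64178)
    return gi.send(syn, router_originated=True), gi.receive(syn_ack)

def ospf_unicast_from_r4(local_policy: bool):
    """Verdict for a unicast OSPF packet that R4 itself sends to R6."""
    return ReflexiveInterface(local_policy).send(
        Pkt("ospf", "183.1.46.4", "183.1.46.6"), router_originated=True)
```

With `local_policy=True` the model also makes visible that R4's own OSPF packets, once subjected to the outbound ACL, match none of its permit lines (only icmp, udp and tcp are permitted there), which is worth checking against the `deny ip any any log` hits on R4.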
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST