Re: Reflexive ACL and Local Policy : Why OSPF neighbor relation

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Thu Feb 12 2009 - 17:15:58 ARST


By Bad Subject : Reflexive ACL and Local Policy : Why OSPF neighbor relation dead ?
  ----- Original Message -----
  From: Edouard Zorrilla
  To: security@groupstudy.com
  Cc: ccielab@groupstudy.com
  Sent: Thursday, February 12, 2009 1:50 PM
  Subject: CBAC and Local Policy : Why OSPF neighbor relation dead ?

  Just doing a lab and I run into this issue.

  My topology:

  R4(Gi0/0)---ethernet --- (Gi0/0)R6

  Rack1R4#sh run int gi0/0
  Building configuration...

  Current configuration : 232 bytes
  !
  interface GigabitEthernet0/0
   description Connected-to-SW1-Fa0/4
   ip address 183.1.46.4 255.255.255.0
   ip access-group inbound in
   ip access-group outbound out
   ip ospf message-digest-key 1 md5 CISCO
   duplex auto
   speed auto
  end

  Rack1R4#

  Rack1R4#sh ip access-lists outbound
  Extended IP access list outbound
      11 permit icmp any any reflect acl-ccie (113 matches)
      12 permit udp any any reflect acl-ccie (33 matches)
      20 permit tcp any any reflect acl-ccie (624 matches)
      30 deny ip any any log
  Rack1R4#

  Rack1R4#sh ip access-lists inbound
  Extended IP access list inbound
      9 permit icmp any any port-unreachable
      10 permit ospf any any (1258 matches)
      11 permit icmp any any time-exceeded (149 matches)
      12 permit icmp any any unreachable (14 matches)
      13 permit icmp any host 183.1.46.4 echo-reply (30 matches)
      20 evaluate acl-ccie
      30 deny ip any any log (31 matches)
  Rack1R4#

  It works fine, but if I need to push traffic out from the router R4 I also
need the Reflexive ACL to not drop the traffic that I originate from the
router, like this one:

  Rack1R4#telnet 183.1.46.6
  Trying 183.1.46.6 ...
  Feb 12 18:23:37.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
  Feb 12 18:23:39.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
  % Connection reset by user
  Rack1R4

  Then I need to set a local policy pointing to any loopback (another option
could be adding more ACLs inside the inbound access-list); in that way I make my
traffic flow through the router, and not be originated from the
router itself. Good so far.

  Then in R4:

  Rack1R4#
  route-map POL-LOCAL permit 10
   set interface Loopback0

  and

  Rack1R4(config)#ip local policy route-map POL-LOCAL

  Then in R4 I can telnet R6:

  Rack1R4#telnet 183.1.46.6
  Trying 183.1.46.6 ... Open
  User Access Verification

  Password:
  Rack1R6>

  But OSPF dies:
  -------------

  Rack1R4#sh ip ospf neighbor

  Neighbor ID     Pri   State           Dead Time   Address         Interface
  150.1.6.6         1   FULL/DR         00:00:38    183.1.46.6      GigabitEthernet0/0
  150.1.5.5         0   FULL/  -        00:00:32    183.1.45.5      Serial0/2/0
  150.1.5.5         0   FULL/  -        00:01:39    183.1.0.5       Serial0/3/0.345
  Rack1R4#

  and

  Rack1R6#sh ip ospf neighbor

  Neighbor ID     Pri   State           Dead Time   Address         Interface
  150.1.4.4         1   FULL/BDR        00:00:37    183.1.46.4      GigabitEthernet0/0
  Rack1R6#

  In R6 I perform:
  ---------------------------------

  Rack1R6#clear ip ospf process
  Reset ALL OSPF processes? [no]: yes
  Rack1R6#
  Rack1R6#
  000119: *Feb 12 19:33:56.213: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
  Rack1R6#sh ip ospf neighbor

  Neighbor ID     Pri   State           Dead Time   Address         Interface
  150.1.4.4         1   EXSTART/DR      00:00:33    183.1.46.4      GigabitEthernet0/0
  Rack1R6#

  Rack1R4#sh ip ospf neighbor

  Neighbor ID     Pri   State           Dead Time   Address         Interface
  150.1.6.6         1   EXCHANGE/BDR    00:00:39    183.1.46.6      GigabitEthernet0/0
  150.1.5.5         0   FULL/  -        00:00:39    183.1.45.5      Serial0/2/0
  150.1.5.5         0   EXCHANGE/ -     00:01:59    183.1.0.5       Serial0/3/0.345
  Rack1R4#

  Why does the OSPF neighbor relationship die when I add local policy routing? Does
anyone have an idea?

  Regards
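The reflexive ACL behaviour that produces the `list inbound denied tcp` log lines in the post, as an added simulation that is not part of the original message and not Cisco IOS code. It models the outbound `reflect` entries and the inbound `evaluate` entry from the post's ACLs, plus the IOS property the poster relies on: packets originated by the router itself do not pass the interface output ACL, so no reflexive entry is created for them and the returning SYN-ACK is dropped; the `local_policy` flag reproduces the poster's assumption that local policy routing makes the packet flow through the router as transit traffic. Addresses, ports and the log format follow the post; the class and function names are constructed for this example.

```python
"""Toy model of a reflexive ACL pair (outbound `reflect`, inbound `evaluate`).

Constructed example, not IOS code: it only models the entries named in the
post's `outbound` and `inbound` access lists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp" or "ospf"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveAcl:
    """Temporary reverse entries created by `reflect`, consulted by `evaluate`."""

    def __init__(self):
        self.entries = set()

    def reflect(self, pkt):
        # IOS records the mirrored 5-tuple so the return traffic can be matched.
        self.entries.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def evaluate(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


class Router:
    """R4 with the post's `outbound` (out) and `inbound` (in) ACLs on Gi0/0."""

    def __init__(self):
        self.acl = ReflexiveAcl()   # named acl-ccie in the post
        self.log = []

    def outbound(self, pkt, transit):
        # Assumption from the post: the interface output ACL only sees transit
        # (forwarded) packets; router-originated packets bypass it entirely.
        if not transit:
            return "bypassed"
        if pkt.proto in ("icmp", "udp", "tcp"):    # seq 11/12/20 ... reflect acl-ccie
            self.acl.reflect(pkt)
            return "permit"
        self.log.append(f"list outbound denied {pkt.proto} "
                        f"{pkt.src} -> {pkt.dst}, 1 packet")
        return "deny"                               # seq 30 deny ip any any log

    def inbound(self, pkt):
        if pkt.proto == "ospf":                     # seq 10 permit ospf any any
            return "permit"
        if pkt.proto == "icmp" and pkt.dst == "183.1.46.4" and pkt.dport == 0:
            return "permit"                         # seq 13 echo-reply to R4
        if self.acl.evaluate(pkt):                  # seq 20 evaluate acl-ccie
            return "permit"
        self.log.append(f"list inbound denied {pkt.proto} "
                        f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
        return "deny"                               # seq 30 deny ip any any log


def telnet_from_r4(local_policy):
    """R4 telnets to R6 (the post's session); returns the verdict on the SYN-ACK."""
    r4 = Router()
    syn = Packet("tcp", "183.1.46.4", 64178, "183.1.46.6", 23)
    r4.outbound(syn, transit=local_policy)
    syn_ack = Packet("tcp", "183.1.46.6", 23, "183.1.46.4", 64178)
    return r4.inbound(syn_ack), r4.log


def telnet_through_r4():
    """A host behind R4 (constructed address) telnets R6: normal transit case."""
    r4 = Router()
    syn = Packet("tcp", "183.1.45.5", 40000, "183.1.46.6", 23)
    r4.outbound(syn, transit=True)
    syn_ack = Packet("tcp", "183.1.46.6", 23, "183.1.45.5", 40000)
    return r4.inbound(syn_ack)


def unsolicited_inbound():
    """Inbound TCP with no matching reflexive entry: falls through to the deny."""
    return Router().inbound(Packet("tcp", "183.1.46.6", 23, "183.1.46.4", 50000))


if __name__ == "__main__":
    verdict, log = telnet_from_r4(local_policy=False)
    print("no local policy:", verdict, log)
    print("with local policy:", telnet_from_r4(local_policy=True)[0])
    print("transit host:", telnet_through_r4())
    print("unsolicited:", unsolicited_inbound())
```

Running it reproduces the post's first session (SYN-ACK denied with the `183.1.46.6(23) -> 183.1.46.4(64178)` log line) and the working transit case; the model does not attempt to explain the OSPF adjacency behaviour the poster asks about, only the ACL side of the question.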




This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST