Re: CBAC and Local Policy : Why OSPF neighbor relation dead ?

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Thu Feb 12 2009 - 18:38:54 ARST


Thanks for getting back to me,

I set up the outbound access-list with OSPF:

Before the post on GroupStudy:

Rack1R4#sh ip access-lists outbound
Extended IP access list outbound
    11 permit icmp any any reflect acl-ccie (114 matches)
    12 permit udp any any reflect acl-ccie (33 matches)
    20 permit tcp any any reflect acl-ccie (1706 matches)
    30 deny ip any any log

Now:
-----

Rack1R4(config)#ip access-list extended outbound
Rack1R4(config-ext-nacl)#10 permit ospf any any
Rack1R4(config-ext-nacl)#do sh ip access-list outbound
Extended IP access list outbound
    10 permit ospf any any
    11 permit icmp any any reflect acl-ccie (114 matches)
    12 permit udp any any reflect acl-ccie (33 matches)
    20 permit tcp any any reflect acl-ccie (1718 matches)
    30 deny ip any any log

Rack1R4(config-ext-nacl)#
Feb 12 20:33:04.946: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.6.6 on
GigabitEthernet0/0 from EXCHANGE to DOWN, Neighbor Down: Too many
retransmissions
Rack1R4(config-ext-nacl)#
Feb 12 20:34:04.939: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.6.6 on
GigabitEthernet0/0 from DOWN to DOWN, Neighbor Down: Ignore timer expired
Rack1R4(config-ext-nacl)#do sh ip access-list outbound
Extended IP access list outbound
    10 permit ospf any any
    11 permit icmp any any reflect acl-ccie (114 matches)
    12 permit udp any any reflect acl-ccie (33 matches)
    20 permit tcp any any reflect acl-ccie (1740 matches)
    30 deny ip any any log
Rack1R4(config-ext-nacl)#

Nothing passes through line 10 of access-list outbound. Still, the OSPF
relationship with R6 is down and does not come up.

Let me try excluding OSPF from my policy routing, as Paul suggested, and see
what happens.

Regards

----- Original Message -----
From: "Sadiq Yakasai" <sadiqtanko@gmail.com>
To: "paul cosgrove" <paul.cosgrove@gmail.com>
Cc: "Edouard Zorrilla" <ezorrilla@tsf.com.pe>; <security@groupstudy.com>;
<ccielab@groupstudy.com>
Sent: Thursday, February 12, 2009 2:51 PM
Subject: Re: CBAC and Local Policy : Why OSPF neighbor relation dead ?

> Hi Ed,
>
> In the first instance, your OSPF traffic was able to leave the router
> because locally generated traffic is not subject to ACLs configured on the
> router.
>
> However, after applying the policy-based routing, you have emulated your
> locally originated traffic (including your OSPF) being sourced from one hop
> away. This now becomes subject to your ACL.
>
> As for the issue with TTL security, I am not sure if it's turned on by
> default on a router; this one calls for labbing, I would say. Would you do
> the honors of letting us know if it's effective, please?
>
> Thanks and HTH a little,
>
> Sadiq
>
> On Thu, Feb 12, 2009 at 7:42 PM, paul cosgrove <paul.cosgrove@gmail.com> wrote:
>
>> Hi Edouard,
>>
>> Exclude OSPF from your policy routing. The packets will have a TTL of 1 and
>> so it looks like they are being dropped when returning on the loopback.
>> Even if the TTL was higher, your outbound ACL does not permit OSPF.
>>
>> Paul.
>>
>> On Thu, Feb 12, 2009 at 6:50 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
>>
>> > Just doing a lab and I run into this issue.
>> >
>> > My topology:
>> >
>> > R4(Gi0/0)---ethernet --- (Gi0/0)R6
>> >
>> > Rack1R4#sh run int gi0/0
>> > Building configuration...
>> >
>> > Current configuration : 232 bytes
>> > !
>> > interface GigabitEthernet0/0
>> > description Connected-to-SW1-Fa0/4
>> > ip address 183.1.46.4 255.255.255.0
>> > ip access-group inbound in
>> > ip access-group outbound out
>> > ip ospf message-digest-key 1 md5 CISCO
>> > duplex auto
>> > speed auto
>> > end
>> >
>> > Rack1R4#
>> >
>> >
>> > Rack1R4#sh ip access-lists outbound
>> > Extended IP access list outbound
>> > 11 permit icmp any any reflect acl-ccie (113 matches)
>> > 12 permit udp any any reflect acl-ccie (33 matches)
>> > 20 permit tcp any any reflect acl-ccie (624 matches)
>> > 30 deny ip any any log
>> > Rack1R4#
>> >
>> > Rack1R4#sh ip access-lists inbound
>> > Extended IP access list inbound
>> > 9 permit icmp any any port-unreachable
>> > 10 permit ospf any any (1258 matches)
>> > 11 permit icmp any any time-exceeded (149 matches)
>> > 12 permit icmp any any unreachable (14 matches)
>> > 13 permit icmp any host 183.1.46.4 echo-reply (30 matches)
>> > 20 evaluate acl-ccie
>> > 30 deny ip any any log (31 matches)
>> > Rack1R4#
>> >
>> > It works fine, but if I need to push traffic out from router R4 and also
>> > need the reflexive ACL to not drop the traffic that I originate from the
>> > router, like this one:
>> >
>> > Rack1R4#telnet 183.1.46.6
>> > Trying 183.1.46.6 ...
>> > Feb 12 18:23:37.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp
>> > 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
>> > Feb 12 18:23:39.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp
>> > 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
>> > % Connection reset by user
>> > Rack1R4
>> >
>> > Then I need to set a local policy pointing to any loopback (another option
>> > could be adding more ACLs inside the inbound access-list); in that way I
>> > make my traffic flow through the router, and not be originated from the
>> > router itself. Good so far.
>> >
>> > Then in R4:
>> >
>> > Rack1R4#
>> > route-map POL-LOCAL permit 10
>> > set interface Loopback0
>> >
>> > and
>> >
>> > Rack1R4(config)#ip local policy route-map POL-LOCAL
>> >
>> >
>> > Then in R4 I can telnet R6:
>> >
>> > Rack1R4#telnet 183.1.46.6
>> > Trying 183.1.46.6 ... Open
>> > User Access Verification
>> >
>> > Password:
>> > Rack1R6>
>> >
>> > But OSPF dies:
>> > -------------
>> >
>> > Rack1R4#sh ip ospf neighbor
>> >
>> > Neighbor ID     Pri   State           Dead Time   Address         Interface
>> > 150.1.6.6         1   FULL/DR         00:00:38    183.1.46.6      GigabitEthernet0/0
>> > 150.1.5.5         0   FULL/  -        00:00:32    183.1.45.5      Serial0/2/0
>> > 150.1.5.5         0   FULL/  -        00:01:39    183.1.0.5       Serial0/3/0.345
>> > Rack1R4#
>> >
>> > and
>> >
>> > Rack1R6#sh ip ospf neighbor
>> >
>> > Neighbor ID     Pri   State           Dead Time   Address         Interface
>> > 150.1.4.4         1   FULL/BDR        00:00:37    183.1.46.4      GigabitEthernet0/0
>> > Rack1R6#
>> >
>> > In R6 I perform:
>> > ---------------------------------
>> >
>> > Rack1R6#clear ip ospf process
>> > Reset ALL OSPF processes? [no]: yes
>> > Rack1R6#
>> > Rack1R6#
>> > 000119: *Feb 12 19:33:56.213: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on
>> > GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
>> > Rack1R6#sh ip ospf neighbor
>> >
>> > Neighbor ID     Pri   State           Dead Time   Address         Interface
>> > 150.1.4.4         1   EXSTART/DR      00:00:33    183.1.46.4      GigabitEthernet0/0
>> > Rack1R6#
>> >
>> > Rack1R4#sh ip ospf neighbor
>> >
>> > Neighbor ID     Pri   State           Dead Time   Address         Interface
>> > 150.1.6.6         1   EXCHANGE/BDR    00:00:39    183.1.46.6      GigabitEthernet0/0
>> > 150.1.5.5         0   FULL/  -        00:00:39    183.1.45.5      Serial0/2/0
>> > 150.1.5.5         0   EXCHANGE/ -     00:01:59    183.1.0.5       Serial0/3/0.345
>> > Rack1R4#
>> >
>> > Why is the OSPF neighbor relationship dead when I add local policy routing?
>> > Anyone have an idea?
>> >
>> > Regards
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIE #19963


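The fix Paul proposes (keep OSPF out of the local policy so it stays locally originated, TTL 1, and never recirculates through Loopback0 into the outbound reflexive ACL) is easiest to see as a configuration. The following is an added example for R4 and is not configuration posted in the thread; the route-map name POL-LOCAL, Loopback0 and the interface ACLs match the thread, while the ACL name PBR-EXEMPT is an assumption made here for illustration. In a PBR match ACL a deny entry means "do not policy-route this packet", not "drop it", which is exactly what OSPF needs:

```cisco
! Added example, not from the original thread. ACL name PBR-EXEMPT is assumed.
!
! Match ACL for the local policy: a denied packet is NOT policy-routed and
! takes the normal path, so OSPF keeps its native TTL-1, locally originated
! behaviour and is never recirculated through the loopback (where it would
! otherwise hit TTL expiry and/or the outbound ACL).
ip access-list extended PBR-EXEMPT
 remark Exempt OSPF from local PBR: deny here = leave it alone
 deny   ospf any any
 remark Everything else the router originates is looped through Loopback0 so
 remark it traverses Gi0/0 as transit traffic and creates reflexive entries
 permit ip any any
!
route-map POL-LOCAL permit 10
 match ip address PBR-EXEMPT
 set interface Loopback0
!
ip local policy route-map POL-LOCAL
!
! The interface ACLs from the thread stay as they are: OSPF from R6 still
! arrives through Gi0/0 and needs "permit ospf any any" inbound, and the
! router's own OSPF leaving Gi0/0 is not subject to the outbound ACL at all.
interface GigabitEthernet0/0
 ip access-group inbound in
 ip access-group outbound out
```

To verify, `show route-map POL-LOCAL` should show policy matches climbing for locally originated telnet/ping while `show ip ospf neighbor` on both R4 and R6 returns to FULL; `debug ip policy` will print the OSPF packets as rejected by the route-map (the intended outcome). The same exemption is needed for any other control-plane protocol the router originates with a TTL of 1 (EIGRP, for instance), since the loopback recirculation affects them in the same way.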
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST