From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Thu Feb 12 2009 - 19:21:33 ARST
Nice one buddy!
So, in total, there were 2 issues here, right?
1) Outbound ACL when doing local-policy
2) TTL check when doing local-policy.
On Thu, Feb 12, 2009 at 8:46 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
> Good, it works:
>
> Excluding OSPF from the local routing policy:
>
> My route-map adding "match ip address 122":
>
> Rack1R4#sh run | sec route-map
> ip local policy route-map POL-LOCAL
> route-map POL-LOCAL permit 10
> match ip address 122
> set interface Loopback0
> Rack1R4#
>
> So ACL 122 is like:
>
> Rack1R4#sh ip access-lists 122
> Extended IP access list 122
> 10 deny ospf any any (24 matches)
> 20 permit ip any any (1 match)
> Rack1R4#
>
> And then:
>
> Rack1R6#
> 000147: *Feb 12 21:34:55.944: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
> Rack1R6#
> Rack1R6#
> Rack1R6#sh ip ospf neighbor
> Neighbor ID Pri State Dead Time Address Interface
> 150.1.4.4 1 DOWN/DROTHER - 183.1.46.4
> GigabitEthernet0/0
> Rack1R6#
> 000148: *Feb 12 21:35:55.944: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from DOWN to DOWN, Neighbor Down: Ignore timer expired
> 000149: *Feb 12 21:35:55.948: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
> Rack1R6#
> Neighbor ID Pri State Dead Time Address Interface
> 150.1.4.4 1 FULL/DROTHER 00:00:37 183.1.46.4
> GigabitEthernet0/0
> Rack1R6#
> 000150: *Feb 12 21:36:02.160: %BGP-5-ADJCHANGE: neighbor 183.1.0.3 Up
> Rack1R6#
>
> OSPF relationship goes up.
>
> Thanks to everybody,
>
> Regards
>
> ----- Original Message -----
> From: paul cosgrove
> To: Edouard Zorrilla
> Cc: security@groupstudy.com ; ccielab@groupstudy.com
> Sent: Thursday, February 12, 2009 2:42 PM
> Subject: Re: CBAC and Local Policy : Why OSPF neighbor relation dead ?
>
>
> Hi Edouard,
>
> Exclude OSPF from your policy routing. The packets will have a TTL of 1 and
> so it looks like they are being dropped when returning on the loopback. Even
> if the TTL was higher, your outbound ACL does not permit OSPF.
>
> Paul.
>
>
> On Thu, Feb 12, 2009 at 6:50 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
>
> Just doing a lab and I ran into this issue.
>
> My topology:
>
> R4(Gi0/0)---ethernet --- (Gi0/0)R6
>
> Rack1R4#sh run int gi0/0
> Building configuration...
>
> Current configuration : 232 bytes
> !
> interface GigabitEthernet0/0
> description Connected-to-SW1-Fa0/4
> ip address 183.1.46.4 255.255.255.0
> ip access-group inbound in
> ip access-group outbound out
> ip ospf message-digest-key 1 md5 CISCO
> duplex auto
> speed auto
> end
>
> Rack1R4#
>
>
> Rack1R4#sh ip access-lists outbound
> Extended IP access list outbound
> 11 permit icmp any any reflect acl-ccie (113 matches)
> 12 permit udp any any reflect acl-ccie (33 matches)
> 20 permit tcp any any reflect acl-ccie (624 matches)
> 30 deny ip any any log
> Rack1R4#
>
> Rack1R4#sh ip access-lists inbound
> Extended IP access list inbound
> 9 permit icmp any any port-unreachable
> 10 permit ospf any any (1258 matches)
> 11 permit icmp any any time-exceeded (149 matches)
> 12 permit icmp any any unreachable (14 matches)
> 13 permit icmp any host 183.1.46.4 echo-reply (30 matches)
> 20 evaluate acl-ccie
> 30 deny ip any any log (31 matches)
> Rack1R4#
>
> It works fine, but if I need to push traffic out from the router R4 and also
> need the reflexive ACL to not drop the traffic that I originate from the
> router, like this one:
>
> Rack1R4#telnet 183.1.46.6
> Trying 183.1.46.6 ...
> Feb 12 18:23:37.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
> Feb 12 18:23:39.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
> % Connection reset by user
> Rack1R4
>
> Then I need to set a local policy pointing to any loopback (another option
> could be adding more ACLs inside the inbound access-list); in that way I make
> my traffic flow through the router, and not be originated from the router
> itself. Good so far.
>
> Then in R4:
>
> Rack1R4#
> route-map POL-LOCAL permit 10
> set interface Loopback0
>
> and
>
> Rack1R4(config)#ip local policy route-map POL-LOCAL
>
>
> Then in R4 I can telnet R6:
>
> Rack1R4#telnet 183.1.46.6
> Trying 183.1.46.6 ... Open
> User Access Verification
>
> Password:
> Rack1R6>
>
> But OSPF dies:
> -------------
>
> Rack1R4#sh ip ospf neighbor
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 150.1.6.6 1 FULL/DR 00:00:38 183.1.46.6
> GigabitEthernet0/0
> 150.1.5.5 0 FULL/ - 00:00:32 183.1.45.5
> Serial0/2/0
> 150.1.5.5 0 FULL/ - 00:01:39 183.1.0.5
> Serial0/3/0.345
> Rack1R4#
>
> and
>
> Rack1R6#sh ip ospf neighbor
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 150.1.4.4 1 FULL/BDR 00:00:37 183.1.46.4
> GigabitEthernet0/0
> Rack1R6#
>
> In R6 I perform:
> ---------------------------------
>
> Rack1R6#clear ip ospf process
> Reset ALL OSPF processes? [no]: yes
> Rack1R6#
> Rack1R6#
> 000119: *Feb 12 19:33:56.213: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
> Rack1R6#sh ip ospf neighbor
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 150.1.4.4 1 EXSTART/DR 00:00:33 183.1.46.4
> GigabitEthernet0/0
> Rack1R6#
>
> Rack1R4#sh ip ospf neighbor
>
> Neighbor ID Pri State Dead Time Address
> Interface
> 150.1.6.6 1 EXCHANGE/BDR 00:00:39 183.1.46.6
> GigabitEthernet0/0
> 150.1.5.5 0 FULL/ - 00:00:39 183.1.45.5
> Serial0/2/0
> 150.1.5.5 0 EXCHANGE/ - 00:01:59 183.1.0.5
> Serial0/3/0.345
> Rack1R4#
>
> Why does the OSPF neighbor relationship die when I add local policy routing?
> Anyone have an idea?
>
> Regards
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
CCIE #19963

Blogs and organic groups at http://www.ccie.net
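The two issues Sadiq lists (outbound ACL and TTL under local policy) and the ACL 122 fix, as an added Python model of R4's forwarding path; this is illustration written for this page, not IOS code or anything from the thread, and the ACL entries are copied from the Rack1R4 output above. It assumes, as Paul describes, that policy routing a router-originated packet via Loopback0 re-injects it as transit traffic (one TTL decrement, outbound ACL applied).

```python
# Model of R4's local policy path from the thread (added illustration, not
# IOS code). Router-originated packets normally bypass outbound interface
# ACLs, so reflexive entries are never created for them; "ip local policy"
# with "set interface Loopback0" re-injects them as transit traffic, which
# (a) decrements TTL and (b) runs them through the outbound ACL.

# ACL entries as (action, protocol, reflect), copied from Rack1R4 output.
OUTBOUND_ACL = [("permit", "icmp", True), ("permit", "udp", True),
                ("permit", "tcp", True), ("deny", "ip", False)]
ACL_122 = [("deny", "ospf", False), ("permit", "ip", False)]  # the fix

def acl_lookup(acl, proto):
    """First matching entry wins; 'ip' matches any protocol; implicit deny."""
    for action, match, reflect in acl:
        if match in ("ip", proto):
            return action, reflect
    return "deny", False

def forward_local(proto, ttl, policy_match_acl=None):
    """Fate of a packet R4 itself originates out Gi0/0.

    policy_match_acl=None models the original route-map with no match clause
    (every local packet is policy routed); passing ACL_122 models the
    corrected route-map "match ip address 122". Returns the drop reasons
    (empty list = sent) and whether a reflexive entry exists for the reply."""
    if policy_match_acl is None:
        policied = True
    else:
        policied = acl_lookup(policy_match_acl, proto)[0] == "permit"
    if not policied:
        # Plain local origination: no outbound ACL check and no TTL
        # decrement, but also no entry for "evaluate acl-ccie" on the way in.
        return {"dropped": [], "reflexive": False}
    reasons = []
    ttl -= 1                      # routed once through Loopback0
    if ttl <= 0:
        reasons.append("TTL expired")   # OSPF hellos start at TTL 1
    action, reflect = acl_lookup(OUTBOUND_ACL, proto)
    if action != "permit":
        reasons.append("outbound ACL deny")  # no OSPF line in "outbound"
    return {"dropped": reasons, "reflexive": not reasons and reflect}

if __name__ == "__main__":
    for proto, ttl, acl in [("tcp", 255, None), ("ospf", 1, None),
                            ("ospf", 1, ACL_122), ("tcp", 255, ACL_122)]:
        label = "match 122" if acl else "no match clause"
        print(f"{proto:4} ttl={ttl:3} {label:15} -> {forward_local(proto, ttl, acl)}")
```

Running it shows the telnet session getting its reflexive entry either way, while the OSPF hello is dropped for both reasons until ACL 122 keeps it out of the route-map.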
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST