
Ignore ACLs.

cnsa (Level 1)

We've configured ACLs to block access from the outside, so our OSPF neighbors are also down, which is a challenge.
The condition says not to use ACL permit, only deny. Does anyone have any idea?

3 Accepted Solutions

Accepted Solution

M02@rt37 (VIP)

Hello @cnsa 

You can achieve this by being selective about what you deny, ensuring that OSPF traffic is still allowed through by not explicitly denying it.

ip access-list extended OUTSIDE-IN
 deny tcp any any eq 80 ** Deny HTTP traffic (port qualifiers are only valid on tcp/udp entries)
 deny tcp any any eq 443 ** Deny HTTPS traffic
 deny tcp any any eq 23 ** Deny Telnet traffic
 deny tcp any any eq 22 ** Deny SSH traffic
 deny tcp any any eq 3389 ** Deny RDP traffic
 ** Do not explicitly deny OSPF traffic (protocol 89)
 ** implicit deny all other traffic

--

In this configuration:

  • Specific types of traffic such as HTTP, HTTPS, Telnet, SSH, and RDP are explicitly denied.
  • OSPF traffic (protocol 89) is not mentioned and thus is not denied.
Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


The answer to your question is your other question:

Without permit ip any any the traffic will drop, because an ACL has an implicit deny any any at the end.

So you need to use permit in the ACL or use CoPP, which, as in your previous question, does not work in Packet Tracer.

MHM


This lab is for you @cnsa.
The ACL ends with a hidden deny any any,
so what you want to achieve can't be done without using permit OR using CoPP.

In the lab I apply an ACL that denies only ICMP, but since we don't use permit, OSPF is also denied by the hidden deny.

MHM

[Screenshots 551, 552, 553 and 554 attached: Packet Tracer lab output]
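The two accepted answers above pull in opposite directions, so here is an added example (written for this page, not code from either poster or from Cisco) that models how IOS walks an extended ACL: top-down, first match wins, and anything that matches no entry hits the implicit `deny ip any any`. It evaluates three lists, M02@rt37's deny-only list (entries corrected to tcp syntax), MHM's deny-ICMP-only lab list, and a version with `permit ospf any any` on top, against constructed OSPF hello, HTTP and ICMP packets. Assumptions: only `any any` addresses are modelled, the protocol keywords are limited to ip/icmp/tcp/udp/ospf, and the sample addresses come from the RFC 5737 documentation ranges.

```python
"""Model of Cisco IOS extended-ACL evaluation (added example, not from the thread).

Two rules drive the whole discussion:
  1. the ACL is searched top-down and the first matching entry wins;
  2. a packet that matches no entry hits the invisible 'deny ip any any' at the end.
So an inbound ACL that contains only deny entries drops OSPF (IP protocol 89)
just as surely as if OSPF had been denied by name.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# IP protocol numbers behind the IOS protocol keywords modelled here (assumption: only these).
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without L4 ports (OSPF, ICMP)


@dataclass(frozen=True)
class Ace:
    text: str                     # the entry as typed, for reporting
    action: str                   # "permit" or "deny"
    proto: Optional[int]          # None means any IP protocol ("ip")
    dport: Optional[int]          # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def parse_ace(line: str) -> Optional[Ace]:
    """Parse '<permit|deny> <proto> any any [eq <port>]'; 'remark' lines yield None.

    Only 'any any' addresses are modelled (assumption). Like IOS, a port qualifier
    is rejected unless the protocol is tcp or udp, so 'deny ip any any eq 80' fails.
    """
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] not in PROTO:
        raise ValueError(f"unsupported ACE: {line!r}")
    if tokens[2] != "any" or tokens[3] != "any":
        raise ValueError(f"only 'any any' addresses are modelled: {line!r}")
    dport = None
    rest = tokens[4:]
    if rest:
        if rest[0] != "eq" or len(rest) != 2 or tokens[1] not in ("tcp", "udp"):
            raise ValueError(f"port qualifier needs tcp/udp: {line!r}")
        dport = int(rest[1])
    return Ace(line, tokens[0], PROTO[tokens[1]], dport)


def build_acl(lines: list[str]) -> list[Ace]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, str]:
    """First match wins; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# M02@rt37's OUTSIDE-IN list with the entries corrected to valid tcp syntax: deny entries only.
DENY_ONLY = build_acl([
    "remark OUTSIDE-IN as posted, deny entries only",
    "deny tcp any any eq 80",
    "deny tcp any any eq 443",
    "deny tcp any any eq 23",
    "deny tcp any any eq 22",
    "deny tcp any any eq 3389",
])

# MHM's lab list: a single deny for ICMP and nothing else.
ICMP_ONLY = build_acl(["deny icmp any any"])

# The same intent with the routing protocol let through before the implicit deny.
OSPF_PERMITTED = build_acl([
    "permit ospf any any",
    "deny tcp any any eq 80",
    "deny tcp any any eq 443",
    "deny tcp any any eq 23",
    "deny tcp any any eq 22",
    "deny tcp any any eq 3389",
])

# Constructed sample packets (RFC 5737 documentation addresses; 224.0.0.5 is AllSPFRouters).
OSPF_HELLO = Packet(proto=89, src="203.0.113.2", dst="224.0.0.5")
HTTP_SYN = Packet(proto=6, src="203.0.113.2", dst="198.51.100.1", dport=80)
PING = Packet(proto=1, src="203.0.113.2", dst="198.51.100.1")


def demo() -> dict[str, tuple[str, str]]:
    """Evaluate every sample packet against every list; keys are '<acl>/<packet>'."""
    results = {}
    for acl_name, acl in (("deny-only", DENY_ONLY), ("icmp-only", ICMP_ONLY),
                          ("ospf-permitted", OSPF_PERMITTED)):
        for pkt_name, pkt in (("ospf-hello", OSPF_HELLO), ("http", HTTP_SYN), ("ping", PING)):
            results[f"{acl_name}/{pkt_name}"] = evaluate(acl, pkt)
    return results


if __name__ == "__main__":
    for key, (action, entry) in demo().items():
        print(f"{key:26s} {action:6s} <- {entry}")
```

With the deny-only and ICMP-only lists the OSPF hello is dropped by the implicit deny, which is exactly the neighbor loss described in the question; with `permit ospf any any` on top the hello passes while HTTP still hits its deny entry and everything else still falls to the implicit deny. On a real router, check `show ip ospf neighbor` and the match counters in `show ip access-lists OUTSIDE-IN`; the implicit deny keeps no counter, so add an explicit `deny ip any any log` as the last entry if you want to see what it is eating.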


5 Replies

That surely will not work,
but anyway he is OK with this solution.
MHM

Thank you very much for your response.
