03-08-2004 01:31 AM - edited 03-02-2019 02:06 PM
Hello,
I have an access-list permitting only Radius traffic out the ethernet:
access-list 101 permit udp any range 1024 49151 host 10.0.0.254 eq 1645
access-list 101 permit udp any range 1024 49151 host 10.0.0.254 eq 1812
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip access-group 101 out
no ip mroute-cache
speed auto
half-duplex
no cdp enable
OSPF is enabled:
router ospf 1
network 10.0.0.1 0.0.0.0 area 2
But OSPF is still building a neighbor relationship on the FastEthernet interface. How come?
Thanks for your help, Laurent
03-08-2004 05:29 AM
Are you determining that it's building neighbor relationships by looking at this router or other ones? If so, I'm hazarding a guess that your router is receiving OSPF hellos from the other routers (your ACL is outbound only) and trying to build the relationships.
Two things I'd do are:
1) Put in an actual "deny" statement and log it so you can see what traffic is denied.
2) Check the other routers that are its "neighbors" and make sure that they see the traffic.
03-08-2004 05:52 AM
Hello Laurent.
Craig is right, and I tested this scenario: if you configure the access-list to work inbound, it will kill your OSPF neighbor relationships.
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip access-group 101 in
no ip mroute-cache
speed auto
half-duplex
no cdp enable
Regards,
GP
03-08-2004 06:21 AM
This is normal behavior. Packets originating from the router are not subjected to an outbound ACL.
Hope this helps,
03-08-2004 06:59 AM
Thanks a lot for your reply. As you say, packets originating from the router are not subjected to an outbound ACL.
Regards, Laurent
03-08-2004 08:38 AM
Hi hritter,
What other situation is there where a packet is not subjected to an ACL?
Thanks
03-08-2004 10:41 AM
This is the only condition under which packets are not subjected to the ACL.
04-16-2018 04:30 PM
Is this for situations in which you don't want to end your acl with a permit ip any any? Thanks
03-08-2004 08:10 PM
I'm not sure; this is strictly a guess on my part.
The OSPF updates are multicast traffic and possibly not subject to the ACLs?
And/or, once enabled, the OSPF updates are implicitly enabled regardless of the ACLs, since it would be (at least on the surface) "stupid" to enable a dynamic routing protocol, then cut it off at the knees with an ACL. So Cisco (perhaps) decided that if you enable OSPF (or another routing protocol), you probably want that traffic passed without screwing with adjusting an access list to do so.
If you create and apply a null access-list, routing updates still make it through, right? The invisible "deny all" at the end doesn't block the routing table updates, does it?
Again, I'm not sure and don't have time to play with it anytime soon in the Lab, but these would be my first two guesses off the top of my head.
FWIW
Scott
03-09-2004 04:42 AM
I can definitely say that is not the case. Routing traffic is definitely affected by ACLs, and you must be careful to construct your ACLs to allow it through if that is desired.
03-09-2004 04:52 AM
This only applies in the context of an inbound ACL, not an outbound one.
03-12-2004 07:26 AM
Hi,
This may be a stupid question, but if you don't want to form adjacencies on the f0/0 interface, then why enable OSPF on that interface? e.g.
router ospf 1
network 10.0.0.1 0.0.0.0 area 2
??
03-12-2004 01:16 PM
To get the network configured on that interface into OSPF as an internal route. Say, for instance, that you have a bunch of servers on a network attached to a router. You can either run OSPF on the interface the servers are attached to, which then sends OSPF hellos onto the network (and will allow the router to build an adjacency with anything that plugs into that server network, which can be a major security problem), or you can redistribute connected and get the server network into OSPF.
It's often better to enable ospf on the interface, and then keep ospf from building adjacencies using passive interface.
:-)
Russ
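Pulling the thread's points together, the following is an added example configuration (not taken from any of the posts above): an inbound ACL that keeps the RADIUS restriction, explicitly permits OSPF so the adjacency survives when one is wanted, logs everything else as Craig suggested, and uses passive-interface as Russ describes where the subnet should be advertised but no neighbor should form. Addresses and interface names follow Laurent's post; the named ACL FROM-SERVER-LAN is an assumption.

```cisco
! Added example, not from the thread. Addresses and interface names follow Laurent's post.
! Router-originated packets (OSPF hellos included) bypass an outbound ACL, as hritter
! notes, so a filter that must also govern OSPF has to be applied inbound.
ip access-list extended FROM-SERVER-LAN
 ! RADIUS replies from the server, mirroring the original outbound ACL 101
 permit udp host 10.0.0.254 eq 1645 any range 1024 49151
 permit udp host 10.0.0.254 eq 1812 any range 1024 49151
 ! OSPF (IP protocol 89) must be permitted explicitly; without this line the
 ! inbound hellos are dropped and the neighbor relationship is lost (GP's test).
 permit ospf any any
 ! Explicit deny with logging (Craig's suggestion) so dropped traffic is visible
 ! in the log instead of silently hitting the implicit deny.
 deny ip any any log
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip access-group 101 out
 ip access-group FROM-SERVER-LAN in
!
! Where the connected subnet should be in OSPF but no adjacency is wanted on the
! server LAN (Russ's advice), keep OSPF enabled on the interface and make it
! passive rather than relying on the ACL to suppress hellos.
router ospf 1
 network 10.0.0.1 0.0.0.0 area 2
 passive-interface FastEthernet0/0
```

With the interface passive, the router stops sending hellos on Fa0/0 and ignores any it receives, so the `permit ospf any any` entry can be dropped from FROM-SERVER-LAN on that interface if the log should show OSPF attempts from the server LAN.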