11-12-2008 10:33 PM - edited 03-06-2019 02:27 AM
hi,
If I were to put an access-list deny ip any any, would it block any routing updates as well via the dynamic routing protocols?
11-12-2008 10:37 PM
Yes, definitely.
You should permit the proper routing protocol packets in the access-list if you want them to pass the access-list.
The acl statement permitting the routing protocol should be before the "deny ip any any" statement, of course.
Cheers:
Istvan
11-12-2008 11:19 PM
So if I were to permit routing updates via BGP, OSPF and RIP, what would the access-list be like?
Thanks.
11-13-2008 08:07 AM
For OSPF:
access-list 100 permit ospf any any
For EIGRP:
access-list 100 permit eigrp any any
For BGP:
access-list 100 permit tcp any any eq 179
or
access-list 100 permit tcp any eq 179 any
depending on the direction you apply the access-list.
Cheers:
Istvan
11-13-2008 10:25 AM
If the access list is applied inbound, then Istvan is correct that an access list would deny the routing protocol packets unless there is a permit statement for them. However, if the access list is applied outbound, then the access list will not block the routing protocol packets (no matter whether there is a permit statement for them or not).
This is one of the odd things about access lists. An outbound access list does not examine (and will not block) any traffic that is generated by the router itself.
HTH
Rick
11-13-2008 11:08 AM
Hi Rick,
Thank you for your addition.
I really forgot to mention this.
Cheers:
Istvan
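A small Python model of the behaviour discussed in this thread, added here as an example and not posted by any participant: first-match evaluation, the effect of where "deny ip any any" sits, and the outbound exception for router-generated packets. The names `Packet`, `parse_ace` and `filter_packet` are hypothetical, and the parser assumes only the simplified "any ... any [eq port]" syntax quoted above.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "ospf", "eigrp", "tcp", ...
    sport: int = 0
    dport: int = 0
    local: bool = False  # True when the router itself generated the packet

def parse_ace(line):
    """Parse 'access-list N ACTION PROTO any [eq P] any [eq P]' (simplified)."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    sport = dport = None
    i = 1                          # position just after the source 'any'
    if rest[i:i + 1] == ["eq"]:
        sport, i = int(rest[i + 1]), i + 2
    i += 1                         # skip the destination 'any'
    if rest[i:i + 1] == ["eq"]:
        dport = int(rest[i + 1])
    return action, proto, sport, dport

def filter_packet(acl_lines, pkt, direction):
    """Return 'permit' or 'deny' for a packet crossing an interface with this ACL."""
    # As Rick notes: an outbound ACL does not examine router-generated traffic.
    if direction == "out" and pkt.local:
        return "permit"
    for action, proto, sport, dport in map(parse_ace, acl_lines):
        if proto not in ("ip", pkt.proto):
            continue
        if sport in (None, pkt.sport) and dport in (None, pkt.dport):
            return action          # first matching entry wins
    return "deny"                  # implicit deny at the end of every ACL

# Constructed ACLs built from the lines quoted in the thread
DENY_ONLY = ["access-list 100 deny ip any any"]
ROUTING_FIRST = [
    "access-list 100 permit ospf any any",
    "access-list 100 permit eigrp any any",
    "access-list 100 permit tcp any any eq 179",
    "access-list 100 permit tcp any eq 179 any",
    "access-list 100 deny ip any any",
]
WRONG_ORDER = list(reversed(ROUTING_FIRST))  # deny ip any any evaluated first

if __name__ == "__main__":
    hello = Packet("ospf")
    print("deny only, inbound OSPF:     ", filter_packet(DENY_ONLY, hello, "in"))
    print("permits first, inbound OSPF: ", filter_packet(ROUTING_FIRST, hello, "in"))
    print("deny first, inbound OSPF:    ", filter_packet(WRONG_ORDER, hello, "in"))
    print("deny only, outbound local:   ",
          filter_packet(DENY_ONLY, Packet("ospf", local=True), "out"))
```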