Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

dialer-list 'interesting' traffic blocked by i/f acl brings up i/f anyway?

Hi all,

I have been presented with a problem whereby an ISDN router has been dialing overseas on a regular basis (e.g. every 5 minutes).

As an extreme example, consider the following snippet that summarizes this router's behaviour (the router is running IOS 11.3(10)T):

=========================

interface BRI0

ip access-group 110 out

ip access-group 110 in

dialer-group 1

ip route 10.0.0.0 255.0.0.0 BRI0

access-list 110 deny ip any any

dialer-list 1 protocol ip permit

=========================

In this case, dialer-list 1 considers any IP traffic bound for 10.0.0.0/8 to be interesting, and will seek to bring up interface BRI0 to satisfy the request. However, the traffic cannot leave the interface, as it is blocked by access-list 110.

My questions are:

1. Will the interface come up in this case, even though the traffic has no chance of leaving the interface?

2. What sanity checks, if any, are performed by the router to make sure the traffic can leave the interface before bringing the interface up?

3. If the interface does come up, will the interesting traffic be blocked by the ACL, and thus not leave the interface and travel over the link, but the idle-timeout counter on the local router be reset any time interesting traffic is encountered, thus essentially nailing the line up (assuming there is a constant source of interesting traffic)?

4. If this is the case, will the remote router see no IP traffic at all, consider the line idle (assuming IP traffic is also what is considered interesting for this router), idle out the connection, and drop the line?

5. If points 3 and 4 are correct, would it be correct to say that the local router will continue to bring up the line immediately every time it is dropped by the remote router, thus ensuring a never-ending cycle?

6. Is there documentation anywhere that mentions this specific confict situation, and if so, can the URL be provided so that I may have a look?

7. If this is a fault, has this issue been resolved in a particular IOS release? If so, which release?

Sorry for asking so many questions, but the logic for this problem has thrown me in a loop!

Thanks,

Cal.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: dialer-list 'interesting' traffic blocked by i/f acl brings

hi

Lot of question....tried to answer them....

1: Yes the interface will come up. Important is the dialer-list in which you define what is interesting.

2: Depends on if you have an ACL in place, if not everything will be sent out.

3: Every packet traveling over the bri interaface will be checked against the ACL 110 you got in place. ACL 110 as it is above does not allow anything to go out the bri. The interface will stay up as long as there are ip packets going towards 10.0.0.0/8. So in the dialer-list is defined whats interesting.

4: Yes, the remote router will not see any packet.

5: Sort of...as long as there are ip packets to 10.0.0.0/8 the line will come up.

6: What conflict situation. Define a dialer-list in which you define what specifically should bring up the bri.

Like:

dialer-list 1 protocol ip list 110

access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255

See here a configuration link for ddr:

http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a00800943ad.shtml

Hope that helps you

Regards

Roger

2 REPLIES
Bronze

Re: dialer-list 'interesting' traffic blocked by i/f acl brings

hi

Lot of question....tried to answer them....

1: Yes the interface will come up. Important is the dialer-list in which you define what is interesting.

2: Depends on if you have an ACL in place, if not everything will be sent out.

3: Every packet traveling over the bri interaface will be checked against the ACL 110 you got in place. ACL 110 as it is above does not allow anything to go out the bri. The interface will stay up as long as there are ip packets going towards 10.0.0.0/8. So in the dialer-list is defined whats interesting.

4: Yes, the remote router will not see any packet.

5: Sort of...as long as there are ip packets to 10.0.0.0/8 the line will come up.

6: What conflict situation. Define a dialer-list in which you define what specifically should bring up the bri.

Like:

dialer-list 1 protocol ip list 110

access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255

See here a configuration link for ddr:

http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a00800943ad.shtml

Hope that helps you

Regards

Roger

New Member

Re: dialer-list 'interesting' traffic blocked by i/f acl brings

Hi Roger,

Thanks for the answer, it explains the situation quite clearly.

The solution was indeed to place a deny statement in the ACL attached to the dialer-list on the customer's router, however I found it amazing that the line was being brought up by traffic that never had a chance of leaving the interface. This reads as faulty logic to me.

My thinking is if a packet is going to ultimately be dropped by an interface ACL (access-group), it should be dropped before the line comes up, not after. I see no point in bringing a potentially expensive ISDN line up for traffic that will never leave the interface! ;-)

Therefore instead of the sequence:

'Incoming packet' > 'Interesting: Yes' > 'Connected: No' > 'Interface available: Yes' > 'Phone #: Yes' > 'Dial' > 'Interface access-group permits: No' > 'Drop',

it would be more logical to apply the interface ACL before making a decision to dial, i.e.:

'Incoming packet' > 'Interesting: Yes' > 'Connected: No' > 'Interface available: Yes' > 'Interface access-group permits: No' > 'Drop'.

My questions were aimed more at illustrating the non-sensical nature of the 1st sequence of events as shown above. :-)

Cheers,

Cal.

255
Views
0
Helpful
2
Replies
CreatePlease to create content