Why are OSPF hellos not blocked by the ACL?

l.metzger
Level 1

Hello,

I have an access-list permitting only RADIUS traffic out the Ethernet interface:

access-list 101 permit udp any range 1024 49151 host 10.0.0.254 eq 1645
access-list 101 permit udp any range 1024 49151 host 10.0.0.254 eq 1812

interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip access-group 101 out
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable

OSPF is enabled:

router ospf 1
 network 10.0.0.1 0.0.0.0 area 2

But OSPF is still building a neighborship on the FastEthernet. How come?

Thanks for your help, Laurent

12 Replies

Craig Norborg
Level 4

Are you determining that it's building neighbor relationships by looking at this router or other ones? If so, I'm hazarding a guess that your router is receiving OSPF hellos from the other routers (your ACL is outbound only) and trying to build the relationships.

Two things I'd do are:

1) Put in an actual "deny" statement and log it so you can see what traffic is denied.

2) Check the other routers that are its "neighbors" and make sure that they see the traffic.

Hello Laurent.

Craig is right, and I tested this scenario: if you configure the access-list to work inbound, it will kill your OSPF neighbor relationships.

interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip access-group 101 in
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable

Regards,

GP

Harold Ritter
Cisco Employee

This is normal behavior. Packets originating from the router are not subjected to an outbound ACL.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
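Putting Craig's and Harold's points together, here is an added configuration example (not posted by anyone in the thread) of an inbound ACL on Fa0/0 that stops the neighbor's hellos and makes the drops visible. Because an inbound ACL in IOS also filters packets addressed to the router itself, the replies from the RADIUS server must be permitted explicitly, which the original outbound ACL never had to do. The addresses are those of the original post; the ACL number 102, the use of ephemeral ports above 1023 and the assumption that nothing else needs to reach the router on this interface are assumptions for the example.

```ios
! Added example, not part of the original thread.
! Inbound ACL on Fa0/0: router is 10.0.0.1, RADIUS server is 10.0.0.254.
! The router's own RADIUS requests leave untouched (outbound ACLs do not
! see router-originated packets); the replies come back inbound and so
! need a permit. 1645 is the legacy RADIUS auth port, 1812 the IANA one.
access-list 102 permit udp host 10.0.0.254 eq 1645 host 10.0.0.1 gt 1023
access-list 102 permit udp host 10.0.0.254 eq 1812 host 10.0.0.1 gt 1023
! Explicit, logged deny for OSPF (IP protocol 89) so hello drops are
! counted in "show access-lists" and appear in the log, instead of
! disappearing silently into the implicit deny at the end of the list.
access-list 102 deny ospf any any log
! Logged catch-all for anything else arriving on the interface.
access-list 102 deny ip any any log
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip access-group 102 in
!
! Checks (assumed hostname "Router"):
! Router# show access-lists 102
!   the "deny ospf" match counter climbs once per hello interval
!   (10 seconds by default on broadcast media)
! Router# show ip ospf neighbor
!   no neighbor on FastEthernet0/0
! Router# show logging | include denied ospf
```

Note what this does and does not do: the router stops hearing the neighbor, so no adjacency forms on this side, but the router's own hellos still leave the interface (the outbound bypass Harold describes), and the far-end router will keep reporting this router in INIT state. If the goal is to stop exchanging hellos altogether, passive-interface is the cleaner tool; the `log` keyword also costs CPU on busy interfaces, so remove it once the behavior is confirmed.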

Thanks a lot for your reply. As you say, packets originating from the router are not subjected to an outbound ACL.

Regards, Laurent

Hi hritter,

What other situation is there where a packet is not subjected to an ACL?

Thanks

This is the only condition under which packets are not subjected to the ACL.


Is this for situations in which you don't want to end your ACL with a permit ip any any? Thanks

scottmac
Level 10

I'm not sure; this is strictly a guess on my part:

The OSPF updates are multicast traffic and possibly not subject to the ACLs?

And/or, once enabled, the OSPF updates are implicitly enabled, regardless of the ACLs, since it would be (at least on the surface) "stupid" to enable a dynamic routing protocol, then cut it off at the knees with an ACL. So Cisco (perhaps) decided that if you enable OSPF (or another routing protocol), you probably want that traffic passed without screwing around adjusting an access list to do so.

If you create and apply a null access-list, routing updates still make it through, right? The invisible "deny all" at the end doesn't block the routing table updates, does it?

Again, I'm not sure and don't have time to play with it anytime soon in the Lab, but these would be my first two guesses off the top of my head.

FWIW

Scott

I can definitely say that is not the case. Routing traffic is definitely affected by ACLs and you must be careful to construct your ACLs to allow them through if that is desired.

This only applies in the context of inbound ACL, not outbound.


terry.knight
Level 1

Hi,

This may be a stupid question, but if you don't want to form adjacencies on the f0/0 interface, then why enable OSPF on that interface? e.g.

router ospf 1
 network 10.0.0.1 0.0.0.0 area 2

??

To get the network configured on that interface into OSPF as an internal route. Say, for instance, that you have a bunch of servers on a network attached to a router. You can either run OSPF on the interface the servers are attached to, which then sends OSPF hellos onto the network (and will allow the router to build an adjacency with anything that plugs into that server network, which can be a major security problem), or you can redistribute connected, and get the server network into OSPF.

It's often better to enable ospf on the interface, and then keep ospf from building adjacencies using passive interface.

:-)

Russ
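The passive-interface approach Russ describes, as an added configuration example that is not part of the original thread. A passive interface is still covered by a network statement, so its prefix is advertised as an intra-area route, but the router neither sends hellos on it nor processes hellos received on it, so a rogue device plugged into the server LAN cannot become a neighbor in either direction, with no ACL involved. The 10.0.0.0/8 side follows the original post; the uplink interface FastEthernet0/1 and its address 192.0.2.1 are assumptions for the example.

```ios
! Added example, not part of the original thread.
! Keep 10.0.0.0/8 in OSPF while refusing adjacencies on the server-facing
! Fa0/0. "passive-interface default" is the safer starting point on a
! router with several edge ports: everything is passive unless a neighbor
! is explicitly expected.
router ospf 1
 passive-interface default
 ! Assumed uplink toward the rest of area 2; hellos are re-enabled only here.
 no passive-interface FastEthernet0/1
 network 10.0.0.1 0.0.0.0 area 2
 network 192.0.2.1 0.0.0.0 area 2
!
! If only one interface should be passive, the per-interface form
! does the same without changing the default:
!  passive-interface FastEthernet0/0
!
! Checks (assumed hostname "Router"):
! Router# show ip ospf interface FastEthernet0/0
!   the interface is listed with "No Hellos (Passive interface)"
! Router# show ip ospf neighbor
!   neighbors only on FastEthernet0/1
! Router# show ip route ospf   (run on the Fa0/1 neighbor)
!   10.0.0.0/8 still present as an O route
```

Compared with the "redistribute connected" alternative Russ mentions, this keeps the prefix as an intra-area OSPF route rather than an external one, and it does not depend on the ACL being applied in the right direction.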
