Cisco Support Community

New Member

Why are OSPF hellos not blocked by the ACL?

Hello,

I have an access-list permitting only RADIUS traffic out of the Ethernet interface:

access-list 101 permit udp any range 1024 49151 host 10.0.0.254 eq 1645

access-list 101 permit udp any range 1024 49151 host 10.0.0.254 eq 1812

interface FastEthernet0/0

ip address 10.0.0.1 255.0.0.0

ip access-group 101 out

no ip mroute-cache

speed auto

half-duplex

no cdp enable

OSPF is enabled:

router ospf 1

network 10.0.0.1 0.0.0.0 area 2

But OSPF is still building neighborship on the fastethernet. How come?

Thanks for your help, Laurent

11 REPLIES

Re: Why are OSPF hellos not blocked by the ACL?

Are you determining that it's building neighbor relationships by looking at this router or other ones? If so, I'm hazarding a guess that your router is receiving OSPF hellos from the other routers (your ACL is outbound only) and trying to build the relationships.

Two things I'd do are:

1) Put in an actual "deny" statement and log it so you can see what traffic is denied.

2) Check the other routers that are its "neighbors" and make sure that they see the traffic.

VIP Purple

Re: Why are OSPF hellos not blocked by the ACL?

Hello Laurent.

Craig is right, and I tested this scenario: if you configure the access-list to work inbound, it will kill your OSPF neighbor relationships.

interface FastEthernet0/0

ip address 10.0.0.1 255.0.0.0

ip access-group 101 in

no ip mroute-cache

speed auto

half-duplex

no cdp enable

Regards,

GP

Cisco Employee

Re: Why are OSPF hellos not blocked by the ACL?

This is normal behavior. Packets originating from the router are not subjected to an outbound ACL.

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: Why are OSPF hellos not blocked by the ACL?

Thanks a lot for your reply. As you say, packets originating from the router are not subjected to an outbound ACL.

Regards, Laurent

New Member

Re: Why are OSPF hellos not blocked by the ACL?

Hi hritter,

What other situation is there where a packet is not subjected to an ACL?

Thanks

Cisco Employee

Re: Why are OSPF hellos not blocked by the ACL?

This is the only condition under which packets are not subjected to the ACL.

Harold Ritter
Green

Re: Why are OSPF hellos not blocked by the ACL?

I'm not sure; this is strictly a guess on my part:

The OSPF updates are multicast traffic and possibly not subject to the ACLs?

And / or once enabled, the OSPF updates are implicitly enabled, regardless of the ACLs, since it would be (at least on the surface) "stupid" to enable a dynamic routing protocol, then cut it off at the knees with an ACL. So Cisco (perhaps) decided that if you enable OSPF (or other routing protocol), you probably want that traffic passed without screwing with adjusting an access list to do so.

If you create and apply a null access-list, routing updates still make it through, right? The invisible "deny all" at the end doesn't block the routing table updates, does it?

Again, I'm not sure and don't have time to play with it anytime soon in the Lab, but these would be my first two guesses off the top of my head.

FWIW

Scott

Re: Why are OSPF hellos not blocked by the ACL?

I can definitely say that is not the case. Routing traffic is definitely affected by ACLs, and you must be careful to construct your ACLs to allow it through if that is desired.

Cisco Employee

Re: Why are OSPF hellos not blocked by the ACL?

This only applies in the context of an inbound ACL, not an outbound one.

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: Why are OSPF hellos not blocked by the ACL?

Hi,

This may be a stupid question, but if you don't want to form adjacencies on the f0/0 interface, then why enable OSPF on that interface? e.g.

router ospf 1

network 10.0.0.1 0.0.0.0 area 2

??

Gold

Re: Why are OSPF hellos not blocked by the ACL?

To get the network configured on that interface into OSPF as an internal route. Say, for instance, that you have a bunch of servers on a network attached to a router. You can either run OSPF on the interface the servers are attached to, which then sends OSPF hellos onto the network (and will allow the router to build an adjacency with anything that plugs into that server network, which can be a major security problem), or you can redistribute connected and get the server network into OSPF.

It's often better to enable OSPF on the interface, and then keep OSPF from building adjacencies using passive-interface.

:-)

Russ
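A worked configuration for the two approaches the thread converges on (Russ's passive-interface and Craig's explicit, logged deny on an inbound list), as an added example that is not part of the original thread or any poster's config. It assumes 10.0.0.254 is the RADIUS server on the Fa0/0 LAN, that the RADIUS clients sit behind the router (so their requests are transit traffic, not router-originated), and ACL number 102 is just a free number picked for this illustration:

```cisco
! Added example, not from the original thread. Assumptions: 10.0.0.254 is the
! RADIUS server on the Fa0/0 LAN, the RADIUS clients are behind the router, and
! ACL 102 is an arbitrary unused number chosen for this illustration.

! 1) Keep 10.0.0.0/8 in OSPF but stop sending and processing hellos on Fa0/0.
!    The connected network is still advertised as an internal route, and a
!    device plugged into the server LAN can no longer form an adjacency.
router ospf 1
 network 10.0.0.1 0.0.0.0 area 2
 passive-interface FastEthernet0/0

! 2) Filter inbound, where the ACL is evaluated for packets addressed to the
!    router itself (an outbound ACL never sees router-originated packets).
!    RADIUS requests leave via Fa0/0; the replies come back in, so the inbound
!    list must permit the reverse direction of the original outbound list 101.
access-list 102 remark RADIUS replies from the server to clients behind the router
access-list 102 permit udp host 10.0.0.254 eq 1645 any range 1024 49151
access-list 102 permit udp host 10.0.0.254 eq 1812 any range 1024 49151
access-list 102 remark Explicit, logged deny for OSPF (IP protocol 89) so attempts are visible
access-list 102 deny   ospf any any log
access-list 102 remark Explicit, logged deny instead of the silent implicit deny
access-list 102 deny   ip any any log

interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 ip access-group 102 in

! 3) Verify. The interface should report "No Hellos (Passive interface)", no
!    neighbor should appear on Fa0/0, and the deny lines should accumulate
!    matches (and log messages) if anything on the LAN is still sending hellos.
! Router# show ip ospf interface FastEthernet0/0
! Router# show ip ospf neighbor
! Router# show access-lists 102
! Router# show logging | include list 102
```

The original outbound list 101 can stay in place; the inbound list is additional and is the one that actually decides whether hellos arriving on Fa0/0 reach the OSPF process. Passive-interface alone already prevents the adjacency; the logged deny is defence in depth and, more usefully, tells you whether something on the server LAN is speaking OSPF at all. ACL logging is process-switched, so keep the `log` keyword for diagnosis and drop or rate-limit it on a busy interface.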
