From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Thu Feb 12 2009 - 23:35:54 ARST
Yes Sir,
There were two issues,
Regards
  ----- Original Message -----
  From: Sadiq Yakasai
  To: Edouard Zorrilla
  Cc: paul cosgrove ; security@groupstudy.com ; ccielab@groupstudy.com
  Sent: Thursday, February 12, 2009 4:21 PM
  Subject: Re: CBAC and Local Policy : Why OSPF neighbor relation dead ?
  Nice one buddy!
  So, in total, there were 2 issues here, right?
  1) Outbound ACL when doing local-policy
  2) TTL check when doing local-policy.
  On Thu, Feb 12, 2009 at 8:46 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
    Good, it works :
    Excluding OSPF from the local routing policy:
    My route-map adding "match ip address 122":
    Rack1R4#sh run | sec route-map
    ip local policy route-map POL-LOCAL
    route-map POL-LOCAL permit 10
     match ip address 122
     set interface Loopback0
    Rack1R4#
    So ACL 122 is like:
    Rack1R4#sh ip access-lists 122
    Extended IP access list 122
       10 deny ospf any any (24 matches)
       20 permit ip any any (1 match)
    Rack1R4#
    And then :
    Rack1R6#
    000147: *Feb 12 21:34:55.944: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
    Rack1R6#
    Rack1R6#
    Rack1R6#sh ip ospf neighbor
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    150.1.4.4         1   DOWN/DROTHER       -        183.1.46.4      GigabitEthernet0/0
    Rack1R6#
    000148: *Feb 12 21:35:55.944: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from DOWN to DOWN, Neighbor Down: Ignore timer expired
    000149: *Feb 12 21:35:55.948: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
    Rack1R6#
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    150.1.4.4         1   FULL/DROTHER    00:00:37    183.1.46.4      GigabitEthernet0/0
    Rack1R6#
    000150: *Feb 12 21:36:02.160: %BGP-5-ADJCHANGE: neighbor 183.1.0.3 Up
    Rack1R6#
    OSPF relationship goes up.
    Thanks to everybody,
    Regards
     ----- Original Message -----
     From: paul cosgrove
     To: Edouard Zorrilla
     Cc: security@groupstudy.com ; ccielab@groupstudy.com
     Sent: Thursday, February 12, 2009 2:42 PM
     Subject: Re: CBAC and Local Policy : Why OSPF neighbor relation dead ?
     Hi Edouard,
     Exclude OSPF from your policy routing.  The packets will have a TTL of 1 and
     so it looks like they are being dropped when returning on the loopback. Even
     if the TTL was higher, your outbound ACL does not permit OSPF.
     Paul.
     On Thu, Feb 12, 2009 at 6:50 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
       Just doing a lab and I run into this issue.
       My topology:
       R4(Gi0/0)---ethernet --- (Gi0/0)R6
       Rack1R4#sh run int gi0/0
       Building configuration...
       Current configuration : 232 bytes
       !
       interface GigabitEthernet0/0
        description Connected-to-SW1-Fa0/4
        ip address 183.1.46.4 255.255.255.0
        ip access-group inbound in
        ip access-group outbound out
        ip ospf message-digest-key 1 md5 CISCO
        duplex auto
        speed auto
       end
       Rack1R4#
       Rack1R4#sh ip access-lists outbound
       Extended IP access list outbound
          11 permit icmp any any reflect acl-ccie (113 matches)
          12 permit udp any any reflect acl-ccie (33 matches)
          20 permit tcp any any reflect acl-ccie (624 matches)
          30 deny ip any any log
       Rack1R4#
       Rack1R4#sh ip access-lists inbound
       Extended IP access list inbound
          9 permit icmp any any port-unreachable
          10 permit ospf any any (1258 matches)
          11 permit icmp any any time-exceeded (149 matches)
          12 permit icmp any any unreachable (14 matches)
          13 permit icmp any host 183.1.46.4 echo-reply (30 matches)
          20 evaluate acl-ccie
          30 deny ip any any log (31 matches)
       Rack1R4#
       It works fine, but if I need to push traffic out from the router R4 and
       also need the reflexive ACL to not drop the traffic that I originate from
       the router, like this one:
       Rack1R4#telnet 183.1.46.6
       Trying 183.1.46.6 ...
       Feb 12 18:23:37.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
       Feb 12 18:23:39.857: %SEC-6-IPACCESSLOGP: list inbound denied tcp 183.1.46.6(23) -> 183.1.46.4(64178), 1 packet
       % Connection reset by user
       Rack1R4
       Then I need to set a local policy pointing to any loopback (another option
       could be adding more ACLs inside the inbound access-list); in that way I make
       my traffic flow through the router, and not be originated from the router
       itself. Good so far.
       Then in R4:
       Rack1R4#
       route-map POL-LOCAL permit 10
        set interface Loopback0
       and
       Rack1R4(config)#ip local policy route-map POL-LOCAL
       Then in R4 I can telnet R6:
       Rack1R4#telnet 183.1.46.6
       Trying 183.1.46.6 ... Open
       User Access Verification
       Password:
       Rack1R6>
       But OSPF dies:
       -------------
       Rack1R4#sh ip ospf neighbor
       Neighbor ID     Pri   State           Dead Time   Address         Interface
       150.1.6.6         1   FULL/DR         00:00:38    183.1.46.6      GigabitEthernet0/0
       150.1.5.5         0   FULL/  -        00:00:32    183.1.45.5      Serial0/2/0
       150.1.5.5         0   FULL/  -        00:01:39    183.1.0.5       Serial0/3/0.345
       Rack1R4#
       and
       Rack1R6#sh ip ospf neighbor
       Neighbor ID     Pri   State           Dead Time   Address         Interface
       150.1.4.4         1   FULL/BDR        00:00:37    183.1.46.4      GigabitEthernet0/0
       Rack1R6#
       In R6 I perform:
       ---------------------------------
       Rack1R6#clear ip ospf process
       Reset ALL OSPF processes? [no]: yes
       Rack1R6#
       Rack1R6#
       000119: *Feb 12 19:33:56.213: %OSPF-5-ADJCHG: Process 1, Nbr 150.1.4.4 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
       Rack1R6#sh ip ospf neighbor
       Neighbor ID     Pri   State           Dead Time   Address         Interface
       150.1.4.4         1   EXSTART/DR      00:00:33    183.1.46.4      GigabitEthernet0/0
       Rack1R6#
       Rack1R4#sh ip ospf neighbor
       Neighbor ID     Pri   State           Dead Time   Address         Interface
       150.1.6.6         1   EXCHANGE/BDR    00:00:39    183.1.46.6      GigabitEthernet0/0
       150.1.5.5         0   FULL/  -        00:00:39    183.1.45.5      Serial0/2/0
       150.1.5.5         0   EXCHANGE/  -    00:01:59    183.1.0.5       Serial0/3/0.345
       Rack1R4#
       Why does the OSPF neighbor relationship die when I add local policy routing?
       Anyone have an idea?
       Regards
       Blogs and organic groups at http://www.ccie.net
       _______________________________________________________________________
       Subscription information may be found at:
       http://www.groupstudy.com/list/CCIELab.html
  --
  CCIE #19963
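The thread above reaches its answer by reasoning about three IOS forwarding behaviours: router-originated packets are not evaluated by an outbound ACL (so a reflexive ACL never sees them), `ip local policy` with `set interface Loopback0` re-injects such packets as transit traffic (so the outbound ACL now applies and the TTL is decremented), and OSPF packets leave with a TTL of 1. The Python model below, added here as an illustration and not code from the list, from Cisco or from either poster, encodes exactly those three rules and replays the thread's scenarios: no local policy, the first route-map with no `match`, and the fix with ACL 122. The addresses and ACL names come from the quoted configs; the inbound list is simplified to protocol matches (ICMP message types and the host entry are ignored), and the `Router`, `Ace`, `Packet` and `scenario` names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "ospf", "tcp", "udp" or "icmp"
    src: str
    dst: str
    ttl: int


@dataclass
class Ace:
    """One access-list entry. All entries on the page are 'any any', so the
    model matches on protocol only; 'ip' matches every protocol."""
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"               # ignored for "evaluate"
    reflect: Optional[str] = None   # 'permit ... reflect NAME'
    evaluate: Optional[str] = None  # 'evaluate NAME'


Session = Tuple[str, str, str]      # (proto, src, dst) recorded by 'reflect'


class Router:
    """Model of R4. local_policy_acl=None stands for the first route-map,
    which had 'set interface Loopback0' and no 'match' line."""

    def __init__(self, outbound: List[Ace], inbound: List[Ace],
                 local_policy: bool = False,
                 local_policy_acl: Optional[List[Ace]] = None) -> None:
        self.outbound, self.inbound = outbound, inbound
        self.local_policy, self.local_policy_acl = local_policy, local_policy_acl
        self.reflexive: Dict[str, Set[Session]] = {}

    def _check(self, acl: List[Ace], pkt: Packet) -> str:
        """First-match evaluation ending in the implicit 'deny ip any any'."""
        for ace in acl:
            if ace.action == "evaluate":
                reverse: Session = (pkt.proto, pkt.dst, pkt.src)
                if reverse in self.reflexive.get(ace.evaluate, set()):
                    return "permit"
                continue
            if ace.proto in ("ip", pkt.proto):
                if ace.action == "permit" and ace.reflect:
                    self.reflexive.setdefault(ace.reflect, set()).add(
                        (pkt.proto, pkt.src, pkt.dst))
                return ace.action
        return "deny"

    def _policy_routed(self, pkt: Packet) -> bool:
        if not self.local_policy:
            return False
        if self.local_policy_acl is None:   # route-map without 'match' hits everything
            return True
        return self._check(self.local_policy_acl, pkt) == "permit"

    def originate(self, pkt: Packet) -> str:
        """Send a router-generated packet out Gi0/0 and report its fate."""
        if not self._policy_routed(pkt):
            # Rule 1: locally generated traffic skips the outbound ACL, so no
            # reflexive entry is created for it.
            return "sent, outbound ACL bypassed (no reflexive entry)"
        # Rule 2: re-injection via Loopback0 makes the packet transit traffic.
        ttl = pkt.ttl - 1
        if ttl <= 0:
            return "dropped, TTL expired after loopback re-injection"
        pkt = Packet(pkt.proto, pkt.src, pkt.dst, ttl)
        if self._check(self.outbound, pkt) == "deny":
            return "dropped by outbound ACL"
        return "sent, outbound ACL applied"

    def receive(self, pkt: Packet) -> str:
        """Return traffic entering Gi0/0 is checked by the inbound ACL."""
        return self._check(self.inbound, pkt)


# ACLs from the quoted configs, reduced to protocol matches (constructed model)
OUTBOUND = [Ace("permit", "icmp", reflect="acl-ccie"),
            Ace("permit", "udp", reflect="acl-ccie"),
            Ace("permit", "tcp", reflect="acl-ccie"),
            Ace("deny", "ip")]
INBOUND = [Ace("permit", "icmp"), Ace("permit", "ospf"),
           Ace("evaluate", evaluate="acl-ccie"), Ace("deny", "ip")]
ACL_122 = [Ace("deny", "ospf"), Ace("permit", "ip")]   # the fix from the thread

TELNET = Packet("tcp", "183.1.46.4", "183.1.46.6", ttl=255)
TELNET_REPLY = Packet("tcp", "183.1.46.6", "183.1.46.4", ttl=255)
HELLO = Packet("ospf", "183.1.46.4", "224.0.0.5", ttl=1)   # Rule 3: OSPF uses TTL 1


def scenario(local_policy: bool, policy_acl: Optional[List[Ace]] = None) -> Dict[str, str]:
    r4 = Router(OUTBOUND, INBOUND, local_policy, policy_acl)
    return {
        "telnet": r4.originate(TELNET),
        "telnet_reply": r4.receive(TELNET_REPLY),
        "ospf_hello": r4.originate(HELLO),
        # Paul's second point: a hello with a higher TTL still hits 'deny ip any any'
        "ospf_hello_ttl2": r4.originate(Packet("ospf", HELLO.src, HELLO.dst, 2)),
    }


if __name__ == "__main__":
    for label, args in [("no local policy", (False,)),
                        ("local policy, no match", (True,)),
                        ("local policy, match ip address 122", (True, ACL_122))]:
        print(label)
        for name, result in scenario(*args).items():
            print(f"  {name:16s} {result}")
```

Running it reproduces the thread: without local policy the telnet reply is denied by the inbound list (the `%SEC-6-IPACCESSLOGP` messages), with the unmatched route-map the reply is permitted but the hello dies on TTL (and on the outbound ACL even at a higher TTL), and with ACL 122 the hello bypasses the policy while telnet is still reflected.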
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST