The reason you don't have to allow OSPF out is that you actually
can't block it outbound with an ACL. Outbound ACLs don't block
packets generated by the router.

Check this out. I have configured OSPF between R1 and R2
__________________________________

R2(config)# do show ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:35    10.10.10.1      Ethernet0/0
R2(config)#do show run int e0/0
Building configuration...

Current configuration : 91 bytes
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 out
end

R2(config)#do show access-list 101
Extended IP access list 101
    10 deny ospf any any


The neighbor stays up.

-Marc
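The behaviour Marc demonstrates above, as an added example that is not part of the original thread and not Cisco code: a small Python model of how IOS applies interface ACLs. It encodes two documented IOS rules, that the inbound ACL checks every arriving packet (including ones addressed to the router itself) and that the outbound ACL checks transit traffic only, so packets the router generates, such as its own OSPF hellos, bypass it. OSPF is IP protocol 89 and its hellos go to 224.0.0.5, which is why `permit ospf any any` inbound is all a neighbor needs. The class and function names, the wildcard-mask handling, and the transit address 192.0.2.10 are assumptions of this example; the 10.10.10.0/24 addresses and ACL lines are the ones from the lab.

```python
"""Model of Cisco IOS interface-ACL evaluation (added example, not IOS code).
Inbound ACL: checks every arriving packet, router-bound ones included.
Outbound ACL: checks transit traffic only; packets the router generates
(its own OSPF hellos) bypass it. OSPF is IP protocol 89, hellos go to 224.0.0.5."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}
PORT_NAMES = {"www": 80, "telnet": 23}
OSPF_ALL_ROUTERS = "224.0.0.5"

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None
    router_generated: bool = False  # built by this router, e.g. its own hello

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None = any IP protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport

def _addr(tokens: List[str]) -> IPv4Network:
    """Consume an IOS address spec: 'any', 'host A', or 'A WILDCARD' (assumed subset)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    wild = int(ip_address(tokens.pop(0)))
    if wild & (wild + 1):
        raise ValueError("only contiguous wildcard masks are modelled")
    return ip_network(f"{tok}/{32 - wild.bit_length()}", strict=False)

def parse_ace(line: str) -> Ace:
    """Parse one 'show access-list' line, e.g. '10 permit tcp any any eq 443'."""
    t = line.split()
    action, proto, rest = t[1], PROTO[t[2]], t[3:]   # t[0] is the sequence number
    src, dst = _addr(rest), _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)

class Acl:
    def __init__(self, lines: List[str]):
        self.aces = [parse_ace(line) for line in lines]

    def permits(self, p: Packet) -> bool:
        """First matching entry wins; the implicit 'deny ip any any' ends every IOS ACL."""
        for ace in self.aces:
            if ace.matches(p):
                return ace.action == "permit"
        return False

class Interface:
    def __init__(self, acl_in: Optional[Acl] = None, acl_out: Optional[Acl] = None):
        self.acl_in, self.acl_out = acl_in, acl_out

    def receive(self, p: Packet) -> bool:
        """Inbound ACL sees everything that arrives, including packets for the router itself."""
        return self.acl_in is None or self.acl_in.permits(p)

    def transmit(self, p: Packet) -> bool:
        """Outbound ACL sees transit traffic only; router-generated packets bypass it."""
        if p.router_generated or self.acl_out is None:
            return True
        return self.acl_out.permits(p)

def r2_hello_leaves_despite_deny_out() -> bool:
    """Marc's lab: R2 e0/0 has 'ip access-group 101 out' and 101 is 'deny ospf any any'."""
    e00 = Interface(acl_out=Acl(["10 deny ospf any any"]))
    hello = Packet(PROTO["ospf"], "10.10.10.2", OSPF_ALL_ROUTERS, router_generated=True)
    return e00.transmit(hello)

def r1_accepts_neighbor_hello(acl_in_lines: List[str]) -> bool:
    """Alef's question: R1's inbound ACL on fa0/0 decides whether R2's hello gets in."""
    fa00 = Interface(acl_in=Acl(acl_in_lines))
    return fa00.receive(Packet(PROTO["ospf"], "10.10.10.2", OSPF_ALL_ROUTERS))

def transit_permitted(acl_out_lines: List[str], proto: str, src: str, dst: str,
                      dport: Optional[int] = None) -> bool:
    """Contrast: a forwarded packet (not router-generated) IS subject to the outbound ACL."""
    iface = Interface(acl_out=Acl(acl_out_lines))
    return iface.transmit(Packet(PROTO[proto], src, dst, dport))
```

`r2_hello_leaves_despite_deny_out()` returns True, matching the FULL neighbor in Marc's output, while `r1_accepts_neighbor_hello(["10 permit tcp any any eq 443"])` returns False, which is what you would see on R1 if the inbound ACL forgot OSPF. `transit_permitted` shows the other side of the rule: the same outbound ACL that ignores the router's own hellos does drop forwarded traffic it has no permit for, so an outbound ACL that only lists www, 443 and ssh is still filtering transit flows even though OSPF keeps working.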

On Tue, Jul 12, 2011 at 5:49 PM, Alef <[email protected]> wrote:
> Hey Steve,
> Yes, only ospf. It's a lab from one of the Video on demands, I believe Day 
> security lab, can't remember what task. I don't have the sim running right 
> now but the outbound acl permits www, 443 and ssh I think.
>
> I just found it curious that you only need it one way. I guess once the tcp 
> session is setup all is exchanged forward within that one session from there 
> on.
>
> Alef
>
> On Jul 12, 2011, at 11:42 PM, Di Bias, Steve wrote:
>
>> That will work, but is OSPF the only thing you want to let in? What does 
>> the outbound ACL (102) look like? What lab are you working on?
>>
>> Thank you,
>>
>> Steve Di Bias
>> Network Engineer - Information Systems
>> Valley Health System - Las Vegas
>> Office - 702- 369-7594
>> Cell - 702-241-1801
>> [email protected]
>>
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]] On Behalf Of Alef
>> Sent: Tuesday, July 12, 2011 2:59 PM
>> To: [email protected] IE
>> Subject: [OSL | CCIE_RS] allowing ospf in acl
>>
>> When you have say r1 and r2
>> and you want to only allow ospf in
>>
>> would applying this on R1 fa0/0 (assuming this is the connecting interface 
>> to R2) inbound be sufficient?
>> Extended IP access list 101
>>    10 permit ospf any any (4826 matches)
>>
>> it seems it is. Do we not need to allow ospf going out as well? In my lab R1 
>> has acl 102 outbound defined and there is nothing there about ospf.
>>
>> Regards,
>> Alef
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please 
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out 
>> www.PlatinumPlacement.com
>>
>>
>> UHS Confidentiality Notice:  This e-mail message, including any attachments, 
>> is for the sole use of the intended recipient (s) and may contain 
>> confidential and privileged information.  Any unauthorized review, use, 
>> disclosure or distribution of this information is prohibited.  If this was 
>> sent to you in error, please notify the sender by reply e-mail and destroy 
>> all copies of the original message.
>