Yup, Marc is spot on in that outbound ACLs don't affect router-generated traffic, hence the reason it isn't being filtered. If you did want to filter the router's OSPF traffic (without using passive-interface) you can do so by using a policy-map on the control plane like this:
R1(config)#router ospf 1
R1(config-router)# log-adjacency-changes
R1(config-router)# network 0.0.0.0 255.255.255.255 area 0

R2(config)#router ospf 2
R2(config-router)# log-adjacency-changes
R2(config-router)# netw 0.0.0.0 0.0.0.0 area 0
*Jul 13 05:09:10.115: %OSPF-5-ADJCHG: Process 2, Nbr 150.10.1.1 on GigabitEthernet0/0 from LOADING to FULL, Loading Done

R1(config)#ip access extend acl_no_ospf
R1(config-ext-nacl)# permit ospf any any
R1(config-ext-nacl)#!
R1(config-ext-nacl)#class-map match-all CM_OSPF
R1(config-cmap)# match access-group name acl_no_ospf
R1(config-cmap)#!
R1(config-cmap)#policy-map PM_DROP_OSPF
R1(config-pmap)# class CM_OSPF
R1(config-pmap-c)# drop
R1(config-pmap-c)#!
R1(config-pmap-c)#control-plane
R1(config-cp)# service-policy output PM_DROP_OSPF

R2(config-router)#
*Jul 13 05:10:21.067: %OSPF-5-ADJCHG: Process 2, Nbr 150.10.1.1 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired

Now from this point on R1 will show it in INIT/DROTHER but the adjacency is pretty much dead.

R2#sh ip ospf neighbor gig0/0
<neighbor is gone>

R1(config-cp)#do sh ip o ne fa0/1
Neighbor ID     Pri   State           Dead Time   Address         Interface
150.246.0.2       1   INIT/DROTHER    00:00:31    150.21.21.2     FastEthernet0/1

-----Original Message-----
From: marc abel [mailto:[email protected]]
Sent: Tuesday, July 12, 2011 8:27 PM
To: Alef
Cc: Di Bias, Steve; [email protected] IE
Subject: Re: [OSL | CCIE_RS] allowing ospf in acl

The reason you don't have to allow OSPF out is that you actually can't block it outbound with an ACL. Outbound ACLs don't block packets generated by the router. Check this out. I have configured OSPF between R1 and R2.
__________________________________

R2(config)# do show ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:00:35    10.10.10.1      Ethernet0/0

R2(config)#do show run int e0/0
Building configuration...

Current configuration : 91 bytes
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 out
end

R2(config)#do show access-list 101
Extended IP access list 101
    10 deny ospf any any

The neighbor stays up.

-Marc

On Tue, Jul 12, 2011 at 5:49 PM, Alef <[email protected]> wrote:
> Hey Steve,
> Yes, only OSPF. It's a lab from one of the Video on Demands, I believe Day
> security lab, can't remember what task. I don't have the sim running right
> now but the outbound ACL permits www, 443 and ssh I think.
>
> I just found it curious that you only need it one way. I guess once the TCP
> session is set up all is exchanged forward within that one session from there
> on.
>
> Alef
>
> On Jul 12, 2011, at 11:42 PM, Di Bias, Steve wrote:
>
>> That will work, but is OSPF the only thing you want to let in? What does
>> the outbound ACL (102) look like? What lab are you working on?
>>
>> Thank you,
>>
>> Steve Di Bias
>> Network Engineer - Information Systems
>> Valley Health System - Las Vegas
>> Office - 702-369-7594
>> Cell - 702-241-1801
>> [email protected]
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Alef
>> Sent: Tuesday, July 12, 2011 2:59 PM
>> To: [email protected] IE
>> Subject: [OSL | CCIE_RS] allowing ospf in acl
>>
>> When you have, say, R1 and R2
>> and you want to only allow OSPF in,
>>
>> would applying this on R1 fa0/0 (assuming this is the connecting interface
>> to R2) inbound be sufficient?
>> Extended IP access list 101
>>     10 permit ospf any any (4826 matches)
>>
>> It seems it is. Do we not need to allow OSPF going out as well? In my lab R1
>> has ACL 102 outbound defined and there is nothing there about OSPF.
>>
>> Regards,
>> Alef
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training,
>> please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>>
>> UHS Confidentiality Notice: This e-mail message, including any attachments,
>> is for the sole use of the intended recipient(s) and may contain
>> confidential and privileged information. Any unauthorized review, use,
>> disclosure or distribution of this information is prohibited. If this was
>> sent to you in error, please notify the sender by reply e-mail and destroy
>> all copies of the original message.
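An added example, not posted by anyone in the thread above, putting the three configurations side by side on R1: the outbound interface ACL that does nothing to router-originated OSPF, passive-interface, and a control-plane output policy that drops only the OSPF packets R1 sources on one link (rather than all OSPF, as the thread's acl_no_ospf does). The interface name FastEthernet0/1 and the address 150.21.21.1/24 are assumptions for illustration (the thread only shows R1's neighbor at 150.21.21.2 on fa0/1); the ACL, class-map and policy-map names are mine.

```ios
! Assumed lab values: R1's link to R2 is FastEthernet0/1, 150.21.21.1/24.
!
! --- Does NOT work: an outbound interface ACL is only evaluated for transit
! --- traffic, so R1's own hellos leave the interface untouched.
ip access-list extended ACL_OUT_NO_OSPF
 deny   ospf any any
 permit ip any any
!
interface FastEthernet0/1
 ip address 150.21.21.1 255.255.255.0
 ip access-group ACL_OUT_NO_OSPF out
!
! --- Works, option 1: stop OSPF from sending hellos on the interface.
! --- (The subnet is still advertised; remove the network statement if
! --- it should not be.)
router ospf 1
 passive-interface FastEthernet0/1
!
! --- Works, option 2: drop the router's own OSPF at the control plane.
! --- In the output direction the router itself is the packet source, so
! --- match on the address of the interface you want to silence instead of
! --- "permit ospf any any", which would also kill OSPF on every other link.
ip access-list extended ACL_CP_OSPF_FA0_1
 permit ospf host 150.21.21.1 any
!
class-map match-all CM_CP_OSPF_FA0_1
 match access-group name ACL_CP_OSPF_FA0_1
!
policy-map PM_CP_OUT
 class CM_CP_OSPF_FA0_1
  drop
!
control-plane
 service-policy output PM_CP_OUT
!
! --- Verify (assumed commands from the same IOS family as the thread):
! show policy-map control-plane           -> drop counter under CM_CP_OSPF_FA0_1 climbs
! show ip ospf neighbor FastEthernet0/1   -> R2 ages out; R2 logs "Dead timer expired"
```

Two caveats. Option 2 only silences what R1 sends; R1 still receives and processes R2's hellos, which is exactly why the thread's capture shows R1 sitting in INIT/DROTHER while R2 has lost the neighbor entirely. If inbound OSPF must go too, pair it with an inbound interface ACL (those do apply to packets destined to the router) or an input control-plane policy. And a control-plane service-policy in the output direction is not supported on every IOS platform and release; the thread shows it working on theirs, so check yours before relying on it.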
