ip directed-broadcast with an extended ACL

Hi all

I am quite new to ACLs, so forgive any errors.

I am currently trying to get Wake on LAN working in our work SCCM 2007 environment to wake up computers. I configured an ACL to allow the packets between VLANs.

I followed the Cisco guide

http://www.Cisco.com/en/us/products/hw/switches/ps5023/products_configuration_example09186a008084b55c.shtml and it works, but I'm afraid I left the security too open.

Firstly, I permitted the server in an ACL entry

permit udp host 192.168.99.x eq 7

Then I allowed forwarding of WOL packets in broadcasts.

ip forward-protocol udp 7

Then, on the VLAN interface, I got a bit stuck. In the guide it says to enter the ACL number after the command. However, I use named ACLs and I cannot add the name.

ip directed-broadcast ACLNumber

It works fine if I simply do not add the ACL number, but I fear that it is 'open'.

Any advice greatly appreciated!

Matt

Hey Matt,

According to the command reference, only a numbered ACL can be given as an argument to the command "ip directed-broadcast", so you will need to use a config like:

access-list 101 permit udp host 192.168.1.x any eq 7

ip directed-broadcast 101

I did find improvement pending to allow named ACL at the moment.

See you soon,

/ Phil
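
One way to check the concern raised in this thread (whether directed broadcast was left "open"), as an added example that is not part of the original posts: the script below scans an IOS-style configuration and reports, per interface, whether `ip directed-broadcast` has no ACL, references a numbered ACL that is not defined, or references one that permits any source. The sample configuration is constructed, and the function names are this example's own.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
access-list 101 permit udp host 192.168.99.10 any eq 7
access-list 102 permit udp any any eq 7
ip forward-protocol udp 7
!
interface Vlan10
 ip directed-broadcast 101
!
interface Vlan20
 ip directed-broadcast
!
interface Vlan30
 ip directed-broadcast 102
!
interface Vlan40
 ip directed-broadcast 150
!
interface Vlan50
 no ip directed-broadcast
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
DB_RE = re.compile(r"^ip directed-broadcast(?:\s+(\d+))?$")


def is_standard(number):
    """Standard numbered ACLs (1-99, 1300-1999) have no protocol field."""
    return 1 <= number <= 99 or 1300 <= number <= 1999


def source_of(tokens):
    """Normalise the source field of an ACL entry to 'any' or 'addr/wildcard'."""
    if tokens[0] == "any":
        return "any"
    if tokens[0] == "host" and len(tokens) > 1:
        return tokens[1] + "/0.0.0.0"
    has_wildcard = len(tokens) > 1 and re.fullmatch(r"[\d.]+", tokens[1])
    wildcard = tokens[1] if has_wildcard else "0.0.0.0"
    return "any" if wildcard == "255.255.255.255" else tokens[0] + "/" + wildcard


def parse_acls(config):
    """Map each numbered ACL to its ordered list of (action, source) entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # remarks and unrelated lines
        number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if not is_standard(number):
            rest = rest[1:]  # drop the protocol keyword (ip, udp, tcp, ...)
        if rest:
            acls.setdefault(number, []).append((action, source_of(rest)))
    return acls


def audit_directed_broadcast(config):
    """Return {interface: (status, detail)} for interfaces forwarding directed broadcasts."""
    acls = parse_acls(config)
    findings, iface = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            iface = raw.split(None, 1)[1].strip()
            continue
        if raw and not raw[0].isspace():
            iface = None  # any other top-level line ends the interface block
            continue
        m = DB_RE.match(raw.strip())
        if iface is None or not m:
            continue  # "no ip directed-broadcast" does not match DB_RE
        if m.group(1) is None:
            findings[iface] = ("open", "no ACL: every directed broadcast is forwarded")
            continue
        number = int(m.group(1))
        entries = acls.get(number)
        if entries is None:
            findings[iface] = ("undefined", f"access-list {number} is not in this config")
        elif ("permit", "any") in entries:
            # Conservative flag: earlier deny entries are not evaluated here.
            findings[iface] = ("broad", f"access-list {number} permits any source")
        else:
            sources = sorted({s for a, s in entries if a == "permit"})
            findings[iface] = ("restricted", f"access-list {number} permits {', '.join(sources)}")
    return findings


if __name__ == "__main__":
    for name, (status, detail) in audit_directed_broadcast(SAMPLE_CONFIG).items():
        print(f"{name:8} {status:11} {detail}")
```

Interfaces that never enable directed broadcast, or that carry `no ip directed-broadcast`, are left out of the report on purpose.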

Tags: Cisco Network

Similar Questions

  • Is it possible to use an extended ACL for split tunneling on ASA?

    I'm setting up an IPsec RA VPN on an ASA and I would like to know if it is possible to use an extended ACL as part of the split tunneling?

    Thank you!

    Yes, you can use the extended ACL. See this example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...

    Kind regards

    Averroès.

  • Multihomed BGP - which will broadcast directly connected networks?

    I'm labing in place a script on my site of practical Cisco HSRP, BGP GNS3 and perhaps grow later on network practice as well other protocols.

    http://www.Cisco.com/en/us/Tech/tk365/technologies_configuration_example09186a0080093f2c.shtml

    Everything is already configured and the installer, except that I don't have interconnection routes announced to any BGP process on routers, still.

    Interconnection networks as you can see in the photo are:

    192.168.31.0

    192.168.42.0

    192.168.63.0

    192.168.64.0

    Obviously I can't source these networks from each router, or use redistribute connected on each router, because I would get duplicate routes, so my question is: which routers would you use to originate these 4 networks? I was thinking of using the network command (or maybe even a route-map) on ISPA for networks 192.168.31.0 and 192.168.63.0 and on ISPB for networks 192.168.42.0 and 192.168.64.0.

    What is the appropriate real-world method for something like that, or are there several ways to do this correctly?

    Thanks in advance

    Hi Vanjaburic,

    RIB failure is not a problem. You'll see this output normally where a BGP route is not able to be installed in the routing table, as a route to higher value AD is already there in the routing table. Here we have a static route.

    More information on BGP RIB failure:

    http://blog.ioshints.info/2007/12/what-is-BGP-rib-failure.html

    • The RIB-failure feature was introduced in IOS release 12.2 T; before that, BGP routes with a higher administrative distance than other route sources were silently ignored (as in all other routing protocols).
    • You can view the BGP routes that are not inserted into the IP routing table with the command show ip bgp rib-failure, which also explains why the BGP route was not inserted in the IP routing table.
    • BGP routes that are not used due to higher administrative distance are still advertised to all BGP peers (contrary to what most other distance-vector routing protocols do), unless you configure bgp suppress-inactive (introduced in 12.0 and 12.2 T (26) S).

    Kind regards

    Assani

  • What is the difference between ip direct-broadcast

    Hi all

    I'm new to the principles of security,

    We have an access list such as

    deny icmp any host 192.168.49.255

    but do we need that when, by default,

    no ip directed-broadcast is enabled?

    Thanks in advance

    Yous.

    These features do the same thing. The access list denies the broadcast to the subnet 192.168.49.xx, and no ip directed-broadcast also denies broadcasts hitting the interface of the router. Assuming that the access list applies to the same interface as the no ip directed-broadcast, yes, they do the same thing. You can remove the ACL statement. It would be the most effective way to streamline your configuration...

  • Directed broadcasting does not

    I am trying to configure broadcasting to another network segment.  It has worked in the past, but since we modernized technologies (from Unix to Windows platforms), it does not work.

    Basically, I want the UDP traffic on port 3000 which comes from the IP 172.20.1.4/16 to be received by the host 192.168.25.107.  The two are connected directly to a 1941 router.

    I tried many configuration changes, without success.  Here is my current setup:

    interface GigabitEthernet0/0
     ip address 172.20.1.1 255.255.0.0
     ip directed-broadcast 103
     duplex auto
     speed auto
     no cdp enable
    !
    interface GigabitEthernet0/1
     ip address 192.168.250.40 255.255.255.0
     duplex auto
     speed auto
     no cdp enable
    !
    interface GigabitEthernet0/0/0
     ip address 192.168.25.1 255.255.255.0
     ip access-group 102 in
     ip helper-address 172.20.1.4
     ip directed-broadcast 103
     ip accounting output-packets
     duplex auto
     speed auto
     no cdp enable
    !
    interface GigabitEthernet0/1/0
     ip address 192.168.102.1 255.255.255.0
     ip access-group 109 in
     duplex auto
     speed auto
     no cdp enable
    !
    ip forward-protocol nd
    ip forward-protocol udp 3000
    !
    no ip http server
    no ip http secure-server
    !
    Driving IP profile
    !
    access-list 101 permit tcp host 10.2.0.97 any eq 3310
    access-list 101 permit udp host 10.2.0.97 any eq 3310
    access-list 101 permit icmp any any
    access-list 101 deny ip any any
    access-list 102 permit udp 192.168.25.0 0.0.0.255 any eq 3000
    access-list 102 permit icmp any any
    access-list 102 deny ip any any
    access-list 103 permit udp host 172.20.1.4 any eq 3000
    access-list 108 permit udp host 192.168.101.10 any eq 3320
    access-list 108 permit tcp host 192.168.101.10 any eq 3320
    access-list 108 permit icmp any any
    access-list 108 deny ip any any
    access-list 109 permit udp host 192.168.102.10 any eq 3320
    access-list 109 permit tcp host 192.168.102.10 any eq 3320
    access-list 109 permit icmp any any
    access-list 109 deny ip any any
    access-list 120 permit ip any any
    access-list 122 permit udp 192.168.25.0 0.0.0.255 any eq 3000
    access-list 122 permit icmp any any
    access-list 123 permit udp host 172.20.1.4 any eq 3000
    access-list 133 permit ip host 172.20.1.4 192.168.25.0 0.0.0.255
    no cdp run
    !
    !
    !
    control-plane
    !
    !
    !
    !
    end

    Any ideas?

    You're definitely on the right track, and most of your config is OK. To support what you are trying to do with directed broadcast, you need three things in your config:

    (1) you need the ip forward-protocol udp 3000

    (2) you need the ip helper-address to forward the broadcasts

    (3) you need the ip directed-broadcast to allow the forwarding of the broadcasts.

    The biggest problem is that your helper address is on the wrong interface and it specifies the wrong address. The helper address is configured on the interface where the broadcasts will come from. In your case, that would be Gig0/0 and not Gig0/0/0. The helper address also specifies where the broadcast should be forwarded, and in your case, that would be 192.168.25.255. If you fix these problems, then directed broadcast should work.

    I see you have ip directed-broadcast configured on Gig0/0. You don't need it there. It does no harm to have it, but it does no good either. Directed broadcast is needed only on interfaces that will receive the directed broadcast and must forward the packet as a local broadcast.

    HTH

    Rick

  • Extended ACL problem

    I have a question: I am writing an extended ACL to deny HTTP, Telnet, and FTP internet traffic to PC1 in an exercise that I am doing.

    I wrote the following ACL and applied it to the loopback interface on R2 (where the ISP is the 'cloud'). PC1 is connected to R1, which is obviously connected to R2.

    ip access-list extended ACL_TCP

    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established

    permit tcp any any established

    Is there a better way to do it? Does this extended ACL work for my purpose?

    Say R2's address is 192.168.1.2, and you only want to allow this address. You create the ACL on R1 and R3, and they would look like:

    R1: 192.168.1.1

    R3: 192.168.1.3

    access-list 23 permit host 192.168.1.2

    You can apply this to your line on R1 and R3:

    line vty 0 4

    access-class 23 in

    HTH,

    John

  • named extended ACL doesn't work, can you help me?

    The device I used is a 2651XM router, and NAT is used to connect everything inside my LAN (192.168.1.x) to the outside internet. A standard ACL was used to block some local hosts from accessing the outside internet, and it worked fine. My question is: when I created a named extended ACL and applied it to the interface that is attached to the LAN, the entire local network was not able to access the outside internet! Can you give me some advice?

    My hardware and software is 2651xm + IOS 12.3(6b)

    The best regards.

    Jan

    Hi Jan,

    I think the problem here is that you are confusing the use of an access list to control the NAT with the use of an access list to filter traffic.

    Looking at the NAT, I see you have ip nat inside source list 1 pool cisco2651-natpool-168 overload. This means that you still need access list 1 to define which source addresses are translated. You could, I guess, use a named access list to do this, and the command would be something like ip nat inside source list of people inside outside pool cisco2651-natpool-168 overload, where the people inside of the country is the name of a standard named access list. But no matter how you play it, you still need the access list. Try to put back access list 1, and you will see that it will start working again. Note that the access list used to control NAT must be a standard-type list, named or numbered, not an extended one.

    On the other hand, you used the named acl test scope list to filter your traffic, and that's fine. OK, the list is wide open at the moment, but I guess you want to restrict later.

    I hope this helps. Write back and let us know how you go.

    Kevin Dorrell

    Luxembourg

  • Which direction to apply ACLs

    Hello

    I'm adding ACLs to lock down the LAN environment and my core is a 4510 + R.  I want to block ports 80, 443 and 8080 from entering the network.  My security guy tells me users use ports 80, 443 and 8080 to go out and the returning web services use other ports.   I want to use an extended access list like:

    ip access-list extended NO_HTTP

    deny tcp any any eq 80
    deny tcp any any eq 443
    deny tcp any any eq 8080
    permit ip any any

    My confusion is: in which direction on my SVI do I apply this ACL if I want users to be able to access websites but block incoming traffic on 80, 443 and 8080? All the information that I have read says to apply extended ACLs as close to the source as possible.  With an SVI, that seems like a gray area?

    Any kind of clarification on this would be helpful and appreciated.

    Thank you very much in advance,

    Kiley

    I think you should apply the access list OUT from the perspective of the SVI. It means that traffic will be processed by the access list after having been routed out of the interface; in other words, packets originating outside go OUT to your local network.

  • In/Out ACL per VPN on ASA

    Is it possible to do it on an ASA? I don't understand how a router can do a better job with control of asymmetric flow than an ASA.

    168 VPN ipsec-isakmp crypto map
    LongRidge-CareOne-CUST Site-to-Site Description
    defined by peer 108.170.125.242
    ip access-group VPNCryptoMap168_in-ACL set in
    ip access-group VPNCryptoMap168_out-ACL set on
    game of transformation-AES256_SHA
    match address VPNCryptoMap168-ACL

    IP VPNCryptoMap168-ACL extended access list
    Note CUST-CareOne-LongRidge VPN Site-to-Site
    IP 10.61.0.0 allow 0.0.255.255 172.18.61.0 0.0.0.255
    IP VPNCryptoMap168_in-ACL extended access list
    Note CUST-CareOne-LongRidge VPN Site-to-Site
    allow any object-group CareOne_Somerset_restrict-og-response to icmp echo
    allow any host eq snmp 10.61.23.101 udp
    allow any host 10.61.23.101 eq tftp udp
    allow tcp any a Workbench
    allow any host 10.61.202.88 eq www lpd 5357 5800 and 5900 tcp telnet
    IP VPNCryptoMap168_out-ACL extended access list
    Note CUST-CareOne-LongRidge VPN Site-to-Site
    object-group CareOne_Somerset_restrict-og ip permit any

    Unfortunately, the "vpn-filter option" under the group policy on the Cisco ASA applies only the VPN filter in the incoming direction and automatically configures the outbound direction. Refer to this link. There is an improvement that has been opened to support VPN filters in each direction, but it is not yet applied.

    The only way I see is to modify the default behavior and configure the ASA to subject VPN traffic to the interface ACL using the command no sysopt connection permit-vpn and then configure the interface ACL accordingly. I don't know if it's worth it to you.

  • Remove the ACL

    Hello

    I participate in an exercise of Packet Tracer.

    I have to remove extended ACL 110 from a router (R1):

    I type: R1(config)# no access-list 110

    Now the network devices work as I want, but the output of "R1# show running-config" still shows me extended ACL 110. Why?

    Thank you

    I don't see the ACL in the configuration.

    You use access-list 101 only under int S0/0/0; do you want to delete this?

    You can then type

    conf t

    int s0/0/0

    no ip access-group 101 out

    end

    So in fact, the ACL is gone (or removed from the configuration), but commands referring to the ACL (i.e. ip access-group under an interface, or an ACL under an SNMP community or under VTY) are still intact. You must remove them manually.

  • PIX and ACS ACL downloadable Question

    Good day to all,

    I'm just working on a project to test using a PIX 535 and a cisco ACS (we use RADIUS) and I need to know what order the pix acl is applied.

    On the pix, we have a set of rules (https, ssh), then the user get authenticated and they get more rules (https, ssh, pop3, imap, im). It works well, but now we have a problem, can you use rules ACSACL to remove the default rights within the rules on the pix?

    Basically I'm curious to know what order the parsed pix ACLs, (ACSACL and then pix ACL, pix ACL the ACSACL, or none of the above)

    all the links on more information would be great.

    Thanks for any information,

    Brian

    I did some tests with ACLs applied by a RADIUS server on a PIX 525 running 6.3.3.

    In my particular case, the user is a remote VPN connection. I applied an ACL on the external interface, and then on the RADIUS, I applied another ACL against the specific user.

    The ACL on the external interface is applied first. The downloadable ACLs cannot add services that are not listed in the other ACL, however, it can refuse and remove services.

    You use your ACL in a different way than I do. I use a third-party RADIUS server and apply the extended ACL via the Filter-Id attribute.

    See you soon,

    -Joshua

  • Interpretation of confusion of ACL/outbound router...

    I am just about to finish my CCNA4 semester, trying to do my best on our final class project, but I have problems understanding a simple fact about ACLs...

    OK, so first of all, I want to prevent all except HTTP traffic (80) into my network, so I can make an extended ACL along the lines of "access-list 101 permit ip any host 172.1.1.1 eq 80" then "access-list 101 deny ip any any", right? This allows port 80 traffic to the HTTP server and prevents any other inbound traffic. Now the part that I don't seem to understand is: any traffic coming from my network will be broken on its way back to the router, wouldn't it?

    Hello

    Extended access lists are not stateful.

    A stateful filter records the details of connections passing through it and saves them in a state table. Traffic that comes back through the router will be checked against the state table and allowed through if it has a match.

    Reflexive lists are stateful and CBAC is dynamic; you can use them for filtering of TCP and UDP connections.

    In your scenario, you are correct in your statement about the established keyword: you will need to allow the return TCP traffic.

    If you need more flexibility than that, take a look at the reflexive access lists; they are not that hard to set up, and the following link should answer many of your questions

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html#1000942

    HTH

    Paddy

  • Question about ACL's with the 2621 when using site to site VPN

    I set up two site-to-site VPNs. We have an ASA at our headquarters, and the branches have IOS routers - one is an 1811 and the other a 2621. Both are running the latest versions of IOS, respectively. The two VPN site-to-site do not work. I have an inbound access list on the external interfaces of both routers that allows only IP traffic from the IP address of the ASA. All other traffic is denied. I set up NAT overload in the typical way, and I use ip inspect outbound on the same interface to allow return traffic back in for surfing the internet. This configuration works very well with the 1811, where all traffic is blocked except IP (IPsec) traffic coming from the ASA. Hosts at our headquarters can reach hosts behind the 1811 and vice versa.

    Here's my problem: the 2621 is processing traffic encapsulated on the external interface and blocks this traffic because it does not match. I know because when I turn on logging/debugging on the 2621, I see inbound traffic blocked by the ACL. Technically, I guess that it does not, but at this interface the traffic is still encapsulated, so I think it should match this access list and then go to the crypto map for decapsulation and be sent to the destination host. Just as it does on the 1811. I do not want to create another line in the access list for all the subnets at headquarters. Why does it not work the same way as it does on the 1811? Is there something else I need to enable?

    ------------------------------------------------------------------------

    Config of 1811:

    !
    version 12.4
    horodateurs service debug datetime msec
    Log service timestamps datetime localtime show-timezone msec
    encryption password service
    !
    hostname BranchVPN1
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 notifications
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    activate the default AAA authentication no
    authorization AAA console
    AAA authorization exec default local
    !
    AAA - the id of the joint session
    no ip source route
    IP cef
    !
    !
    IP inspect the audit trail
    inspect the IP dns-timeout 10
    inspect the name IP internet udp timeout 30
    inspect the name IP internet tcp timeout 30
    inspect the name IP internet ftp timeout 30
    inspect the name IP internet http timeout 30
    inspect the name firewall tcp IP
    inspect the name IP firewall udp
    inspect the name IP firewall icmp
    IP inspect the dns name of the firewall
    inspect the name IP firewall ftp
    inspect the name IP firewall http
    inspect the name IP firewall https
    inspect the IP firewall name ftps
    property intellectual auth-proxy max-nodata-& 3
    property intellectual admission max-nodata-& 3
    !
    !
    IP domain name xxxx
    !
    !
    !
    !
    username xxxxxxxxxx
    !
    !
    !
    class-map correspondence vpn_traffic
    police name of group-access game
    !
    !
    VPN policy-map
    class vpn_traffic
    in line-action police 2000000 37500 pass drop exceeds-action
    !
    !
    !
    crypto ISAKMP policy 10
    BA aes 256
    preshared authentication
    Group 2
    ISAKMP crypto key address xxxx xxxxxx
    ISAKMP crypto keepalive 10
    !
    life crypto ipsec security association seconds 28800
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac xxtransform
    !
    xxmap 10 ipsec-isakmp crypto map
    defined peer xxxx
    Set transform-set xxtransform
    PFS group2 Set
    match the address tunnelnetworks
    static inverse-road
    !
    !
    !
    interface Loopback0
    172.16.99.1 the IP 255.255.255.255
    !
    interface FastEthernet0/0
    Description Connection to Internet (DHCP)
    DHCP IP address
    IP access-group outside_in in
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    inspect the firewall on IP
    NAT outside IP
    IP virtual-reassembly
    automatic duplex
    automatic speed
    No cdp enable
    xxmap card crypto
    !
    interface FastEthernet0/1
    Description of the connection to the local network
    address 172.20.1.1 IP 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly
    automatic duplex
    automatic speed
    No cdp enable
    VPN service-policy input
    !
    interface Serial0/0/0
    no ip address
    Shutdown
    No cdp enable
    !
    interface Serial0/1/0
    no ip address
    Shutdown
    !
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 dhcp
    !
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP nat inside source list nat - acl interface FastEthernet0/0 overload
    !
    IP nat - acl extended access list
    refuse any 10.0.0.0 0.255.255.255 ip
    allow an ip
    outside_in extended IP access list
    allow udp any eq bootps host 255.255.255.255 eq bootpc
    allow an ip host (ASA IPADDR)
    deny ip any any newspaper
    IP extended access list police
    deny ip host xxxx any
    deny ip any host xxxx
    IP 172.20.1.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    tunnelnetworks extended IP access list
    permit host 172.16.99.1 ip 10.0.0.0 0.255.255.255
    IP 172.20.1.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    !
    recording of debug trap
    logging source-interface Loopback0
    exploitation forest xxxx
    access-list 160 note t is
    not run cdp
    !
    !
    control plan
    !
    Banner motd ^ CC

    Authorized technician!

    ^ C
    !
    Line con 0
    line to 0
    line vty 0 4
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    line vty 5 15
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    !
    Scheduler allocate 20000 1000
    end

    ------------------------------------------------------------------------

    2621 Config:

    !
    version 12.3
    horodateurs service debug datetime msec
    Log service timestamps datetime localtime show-timezone msec
    encryption password service
    !
    hostname BranchVPN2
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 notifications
    no console logging
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    activate the default AAA authentication no
    authorization AAA console
    AAA authorization exec default local
    AAA - the id of the joint session
    IP subnet zero
    no ip source route
    IP cef
    !
    !
    IP domain name xxxx
    !
    IP inspect the audit trail
    inspect the IP dns-timeout 10
    inspect the name IP internet udp timeout 30
    inspect the name IP internet tcp timeout 30
    inspect the name IP internet ftp timeout 30
    inspect the name IP internet http timeout 30
    inspect the name firewall tcp IP
    inspect the name IP firewall udp
    inspect the name IP firewall icmp
    inspect the name IP firewall ftp
    inspect the name IP firewall http
    Max-events of po verification IP 100
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username xxxxxxxxxxxx
    !
    !
    !
    class-map correspondence vpn_traffic
    police name of group-access game
    !
    !
    VPN policy-map
    class vpn_traffic
    in line-action police 2000000 37500 pass drop exceeds-action
    !
    !
    !
    crypto ISAKMP policy 10
    BA aes 256
    preshared authentication
    Group 2
    ISAKMP crypto key address xxxx xxxxx
    ISAKMP crypto keepalive 10
    !
    life crypto ipsec security association seconds 28800
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac xxtransform
    !
    xxmap 10 ipsec-isakmp crypto map
    defined peer xxxx
    Set transform-set xxtransform
    PFS group2 Set
    match the address tunnelnetworks
    reverse-road remote-peer
    !
    !
    !
    !
    interface Loopback0
    172.16.99.2 the IP 255.255.255.255
    !
    interface FastEthernet0/0
    Description Connection to Internet (DHCP)
    DHCP IP address
    IP access-group outside_in in
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    NAT outside IP
    inspect the firewall on IP
    automatic duplex
    automatic speed
    No cdp enable
    xxmap card crypto
    !
    interface Serial0/0
    no ip address
    Shutdown
    No cdp enable
    !
    interface FastEthernet0/1
    Description of the connection to the local network
    IP 172.20.2.1 255.255.255.0
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    automatic duplex
    automatic speed
    No cdp enable
    VPN service-policy input
    !
    interface Serial0/1
    no ip address
    Shutdown
    No cdp enable
    !
    IP nat inside source list nat - acl interface FastEthernet0/0 overload
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP classless
    IP route 0.0.0.0 0.0.0.0 dhcp
    !
    !
    !
    IP nat - acl extended access list
    refuse any 10.0.0.0 0.255.255.255 ip
    allow an ip
    outside_in extended IP access list
    allow udp any eq bootps host 255.255.255.255 eq bootpc
    allow an ip host (ASA IPADDR)
    deny ip any any newspaper
    IP extended access list police
    deny ip host xxxx any
    deny ip any host xxxx
    IP 172.20.2.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    tunnelnetworks extended IP access list
    permit host 172.16.99.2 ip 10.0.0.0 0.255.255.255
    IP 172.20.2.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
    recording of debug trap
    logging source-interface Loopback0
    exploitation forest xxxx
    not run cdp
    !
    !
    !
    !
    !
    Banner motd ^ CCC

    Authorized technician!

    ^ C
    !
    Line con 0
    line to 0
    line vty 0 4
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    line vty 5 15
    exec-timeout 5 0
    Synchronous recording
    entry ssh transport
    !
    !
    end

    Please check if this helps:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_crpks.html

    Federico.

  • Extended as a 'Standalone' Application search

    Hi guys,.

    is there a way to start "Extended Search" in Adobe Reader-work as a 'standalone '?

    I am trying to create a way for a customer create a shortcut on his desktop to open directly the 'extended search' (Ctrl + Shift + F) without having to open a document first.

    I tried to do this using the parameters of start - unfortunately you have to submit a document also - so this isn't an option.

    Thanks in advance for your help.

    I have now acquired a similar request from myself.

    PPL interested can contact me at any time.

  • Multihomed spoke site won't form EIGRP neighborships on both lines

    Hi all

    This problem has been stripping my cabbage for about a week now. I have a lot of sites spoke on the seat. We have two routers in hub acting as primary and backup for all sites, a 13Mb SDSL and a 2 MB SDSL respectively. Exclusively use the GRE and IPSEC tunnels on (most) tunnels. All websites spoke (except one) are connecting using the standard ADSL.

    I have a site that has a very bad connection to improve things for them, I try to use two ADSL connections and balance their.

    To keep things simple, I try only to enable connections to our main router at this time and I do not use IPSEC, but either.

    Here is the problem.

    I only get a neighbor relationship forming on one tunnel at a time. If I shut down this tunnel, the other neighbor forms and I can re-enable the first tunnel, but it will not form a new neighborship.

    The info that tells me more about what goes wrong is the following:

    sh ip eigrp nei

    IP-EIGRP neighbors for process 6001

    H   Address       Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                  (sec)           (ms)         Cnt  Num
    1   172.20.64.1   Tu0         13    00:00:01  1      2000  2    0
    0   172.20.65.1   Tu2         11    18:41:07  55     390   0    752649

    The queue count for the tunnel where the neighborship is trying to form and failing is always 2. No Hellos are received at the end. Hellos are received at the other end and, in fact, the neighborship does form, but then it expires after no Hellos are received. RTO goes to 5000 and then, after the retry timer expires, the relationship drops, a new Hello is received and the relationship is recalculated. This causes EIGRP hell for me, as you can imagine.

    I've applied distribute lists to the tunnels and tried to use static routes. I also tried statically assigning the neighbors with the neighbor command. No dice.

    The two ADSL connections have the same next-hop IP to the ISP. Would this prevent neighbors forming?

    I uploaded the relevant parts of the config and also the routing table of the router (cleaned). For completeness, I've included all the distribute-list commands that I've tried, but I've used them in combination and all together, as well as without them at all.

    Your help will be greatly appreciated.

    Your slow-going-mad network administrator,

    Paul

    Paul,

    When you add these commands to key tunnel , could you at least check that the tunnels will work, i.e. were you able to ping to the opposite tunnel address?

    I don't think that you can debug the EIGRP queue directly. What you can debug are individual EIGRP packets, i.e. broadcasts of update, Ack, request, response, and EIGRP. That would be debug eigrp packets terse retry

    If you're ready to make debugging more involved, I would suggest creating an extended ACL with permit entries matching the GRE traffic between your router and the headquarters router in one direction and the EIGRP traffic on this tunnel, and running debug ip packet N where N is the number of this ACL. Please note that if these GRE tunnels currently carry any traffic beyond EIGRP, this debugging is not recommended because there is a LOT of output.

    I wonder... is it by any chance possible that some of the tunnel endpoint addresses (i.e. tunnel source and tunnel destination) are advertised into EIGRP through these tunnels? This would cause recursive routing, quite like the flapping you are currently experiencing. How is the reachability of the tunnel endpoints achieved in your routing table - is it via a default route? To be foolproof, I suggest you add static /32 routes on both routers (spoke and headend) for the IP address of the opposite tunnel endpoint, via the appropriate next hop.

    Strange problem indeed!

    Best regards

    Peter
