Yes, I reloaded the router and it started to work. And I have no idea why. ;)
I first created the policy-maps with only a class-default with action drop. That killed everything, of course. So I added the class "OSPF" afterwards, and as far as I know class-default will always be the last one, and the newly created class was inserted above class class-default. At least that's how it looks in the config. But can it be this that causes my problem? Also, modifying the ACL for a class-map while it is in use shouldn't confuse the router, right?

/Jimmy

2010/8/23 Yogesh Gawankar <[email protected]>

> Jimmy
>
> Maybe try reapplying the policy maps.
>
> Thanks and regards
>
> Yogesh Gawankar
>
> --- On Mon, 8/23/10, Jimmy Larsson <[email protected]> wrote:
>
> From: Jimmy Larsson <[email protected]>
> Subject: [OSL | CCIE_Security] ZBFW
> To: "OSL Security" <[email protected]>
> Date: Monday, August 23, 2010, 10:56 PM
>
> Guys!
>
> Can anyone see what I am doing wrong here? My router R1 has 4 interfaces and ongoing OSPF neighborships. I add ZBFW that simply places 2 interfaces in zone "INSIDE" and 2 in zone "OUTSIDE". Also, I mess around with the self zone. On all policy-maps I have added an "OSPF" class that right now matches any traffic, since I cannot get it to work. Even then all traffic is dropped on class-default. Why?
>
> Log messages:
>
> *Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.12.2:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
> *Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.14.4:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
> *Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.169.10:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
> *Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.12.2:0 => 192.168.12.1:0 (target:class)-(INSIDE->SELF:class-default)
> *Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 192.168.13.1:0 (target:class)-(INSIDE->SELF:class-default)
> *Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
> *Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.14.1:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
> *Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.169.1:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
>
> One of the policy-maps:
>
> R1#sh policy-map type insp zone-pair INSIDE->SELF
>
> policy exists on zp INSIDE->SELF
>  Zone-pair: INSIDE->SELF
>
>  Service-policy inspect : INSIDE->SELF
>
>   Class-map: OSPF (match-all)
>    Match: access-group name OSPF
>    Pass
>     0 packets, 0 bytes
>
>   Class-map: class-default (match-any)
>    Match: any
>    Drop
>     368 packets, 21968 bytes
> R1#
>
> My OSPF access-list:
>
> R1#sh access-l OSPF
> Extended IP access list OSPF
>     20 permit ip any any (107 matches)
> R1#
>
> And the full config:
>
> Building configuration...
>
> Current configuration : 5451 bytes
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R1
> !
> boot-start-marker
> boot-end-marker
> !
> logging count
> logging message-counter syslog
> logging buffered 4096
> no logging rate-limit
> !
> no aaa new-model
> !
> crypto pki trustpoint TP-self-signed-2178368166
>  enrollment selfsigned
>  subject-name cn=IOS-Self-Signed-Certificate-2178368166
>  revocation-check none
>  rsakeypair TP-self-signed-2178368166
> !
> crypto pki certificate chain TP-self-signed-2178368166
>  certificate self-signed 01
>   3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
>   69666963 6174652D 32313738 33363831 3636301E 170D3130 30383233 31323238
>   30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
>   4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31373833
>   36383136 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
>   8100CFFF 23FB8BBB 4357436C D507EA26 8E823113 1DA9C415 A07CD699 83C72152
>   4E07AB9C CE06EB9C 017DF40C D47AF894 97F9EAF3 DE0D3331 C5A432B8 95524CB7
>   C6517E90 E4D704B3 0DD3535E EEAC60B3 2680C4CF 187A066B 0982B01E 3C6EC186
>   D6221EB7 21A94B63 FAC4324F A06EF53F 4C8EFA73 13366BA7 22A2A952 4C6FFE12
>   20810203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
>   551D1104 06300482 02523130 1F060355 1D230418 30168014 D87EBD8F FDDDC2D2
>   A814D2A6 66A948EE DBDCA738 301D0603 551D0E04 160414D8 7EBD8FFD DDC2D2A8
>   14D2A666 A948EEDB DCA73830 0D06092A 864886F7 0D010104 05000381 81007D8B
>   601E0E43 E0729D45 F44E0B7D 98283595 126EE6A8 C2A7EAF4 962510DA C90120F2
>   82EE7A3F DB267CBA FEBAB878 D87B66B3 B91F37E7 CBAF041B 5E79FF6C 216D2759
>   A279A03C 471F2130 5B23C00C BFF62BA6 D8C7D034 BE0C34F6 F773F1BA C8E0389E
>   18C4D8D7 0D35C714 90CE8BD9 2B527335 5BC66E78 99F46DE0 F84FBA2B 06FA
>   quit
> dot11 syslog
> ip source-route
> !
> ip cef
> no ip domain lookup
> ip inspect log drop-pkt
> no ipv6 cef
> !
> multilink bundle-name authenticated
> !
> vtp domain KVISTOFTA
> vtp mode transparent
> !
> archive
>  log config
>   hidekeys
> !
> vlan 4,12,14
> !
> class-map type inspect match-all OSPF
>  match access-group name OSPF
> !
> policy-map type inspect INSIDE->SELF
>  class type inspect OSPF
>   pass
>  class class-default
>   drop log
> policy-map type inspect SELF->INSIDE
>  class type inspect OSPF
>   pass
>  class class-default
>   drop log
> policy-map type inspect OUTSIDE->INSIDE
>  class type inspect OSPF
>   pass
>  class class-default
>   drop log
> policy-map type inspect INSIDE->OUTSIDE
>  class type inspect OSPF
>   pass
>  class class-default
>   drop log
> policy-map type inspect OUTSIDE->SELF
>  class type inspect OSPF
>   pass
>  class class-default
>   drop log
> policy-map type inspect SELF->OUTSIDE
>  class type inspect OSPF
>   pass
>  class class-default
>   drop log
> !
> zone security INSIDE
> zone security OUTSIDE
> zone-pair security OUTSIDE->INSIDE source OUTSIDE destination INSIDE
>  service-policy type inspect OUTSIDE->INSIDE
> zone-pair security INSIDE->OUTSIDE source INSIDE destination OUTSIDE
>  service-policy type inspect INSIDE->OUTSIDE
> zone-pair security OUTSIDE->SELF source OUTSIDE destination self
>  service-policy type inspect OUTSIDE->SELF
> zone-pair security SELF->OUTSIDE source self destination OUTSIDE
>  service-policy type inspect SELF->OUTSIDE
> zone-pair security INSIDE->SELF source INSIDE destination self
>  service-policy type inspect INSIDE->SELF
> zone-pair security SELF->INSIDE source self destination INSIDE
>  service-policy type inspect SELF->INSIDE
> !
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
> !
> interface Loopback10
>  ip address 10.0.0.1 255.255.255.255
> !
> interface FastEthernet0
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet0.12
>  encapsulation dot1Q 12
>  ip address 192.168.12.1 255.255.255.0
>  zone-member security INSIDE
> !
> interface FastEthernet0.13
>  encapsulation dot1Q 13
>  ip address 192.168.13.1 255.255.255.0
>  zone-member security INSIDE
> !
> interface FastEthernet0.14
>  encapsulation dot1Q 14
>  ip address 192.168.14.1 255.255.255.0
>  zone-member security OUTSIDE
> !
> interface FastEthernet0.169
>  encapsulation dot1Q 169
>  ip address 192.168.169.10 255.255.255.0
>  zone-member security OUTSIDE
> !
> interface FastEthernet1
>  no ip address
>  no ip unreachables
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
>  switchport mode trunk
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> !
> interface FastEthernet5
> !
> interface FastEthernet6
> !
> interface FastEthernet7
> !
> interface FastEthernet8
> !
> interface FastEthernet9
> !
> interface Vlan1
>  no ip address
> !
> interface Async1
>  no ip address
>  encapsulation slip
> !
> router ospf 1
>  log-adjacency-changes
>  network 192.168.0.0 0.0.255.255 area 0
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 192.168.1.1
> no ip http server
> ip http secure-server
> !
> ip access-list extended OSPF
>  permit ip any any
> !
> ip access-list logging interval 1
> logging dmvpn
> !
> control-plane
> !
> alias exec srs show run | sect
> alias exec siib show ip int brie | excl unass
> !
> line con 0
>  logging synchronous
> line 1
>  modem InOut
>  stopbits 1
>  speed 115200
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  login
> !
> end
>
> What is going on? Why is all traffic hitting class-default even when I have a class that matches all traffic above class-default?
>
> /Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
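Added example, not code from the thread: a small Python triage script for the `%FW-6-LOG_SUMMARY` lines IOS emits when `ip inspect log drop-pkt` is set and a class has `drop log`. It parses the eight summary lines quoted above (copied verbatim as the sample input), totals drops per zone-pair and class, and separates out the drops that explain lost OSPF adjacencies: packets to the OSPF multicast groups 224.0.0.5 and 224.0.0.6, and anything dropped on a zone pair that touches the self zone. The point behind the second filter is the ZBFW caveat the thread runs into: as soon as a zone pair with `self` as source or destination is configured, the self zone's implicit permit is gone and router-originated and router-destined control-plane traffic such as OSPF (IP protocol 89, no ports, hence the `:0` in the log) must be matched by a class and given the `pass` action, since it cannot be `inspect`ed. The function names and the report format are this example's own; the thread does not establish why the permit-any class was skipped before the reload, so the script only makes the drop pattern visible.

```python
"""Triage Cisco IOS ZBFW drop summaries (%FW-6-LOG_SUMMARY).

Added example, not code from the mailing-list thread. Parses the one-line
summaries produced by `ip inspect log drop-pkt` + `drop log`, totals drops per
zone-pair/class, and flags the ones that break OSPF: packets to the OSPF
multicast groups and drops on any zone pair that touches the self zone.
"""
import re
from collections import defaultdict

# OSPF runs directly over IP (protocol 89), so the :0 "ports" in the log carry
# no information; the multicast destinations are the reliable signature.
OSPF_MCAST = {"224.0.0.5", "224.0.0.6"}  # AllSPFRouters, AllDRouters

# Sample input: the eight summary lines quoted in the thread, copied verbatim.
SAMPLE_LOG = """\
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.12.2:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.14.4:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.169.10:0 => 224.0.0.5:0(target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.12.2:0 => 192.168.12.1:0(target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 192.168.13.1:0(target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.14.1:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.169.1:0 => 224.0.0.5:0(target:class)-(OUTSIDE->SELF:class-default)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The space before "(target:class)" is sometimes missing in the IOS output
# above, so it is optional here.
DROP_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    rf"(?P<src>{IPV4}):(?P<sport>\d+) => (?P<dst>{IPV4}):(?P<dport>\d+) ?"
    r"\(target:class\)-\((?P<zone_pair>[^:)]+):(?P<cls>[^)]+)\)"
)


def parse_drop(line):
    """Return a dict for one summary line, or None if the line is not one."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("count", "sport", "dport"):
        rec[key] = int(rec[key])
    # Zone-pair names in the log are "SRC->DST" (the zone "self" shows as SELF).
    rec["src_zone"], _, rec["dst_zone"] = rec["zone_pair"].partition("->")
    return rec


def parse_log(text):
    return [r for r in map(parse_drop, text.splitlines()) if r is not None]


def drops_by_zone_pair(records):
    """Total dropped packets keyed by (zone_pair, class)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["zone_pair"], r["cls"])] += r["count"]
    return dict(totals)


def touches_self(rec):
    return "self" in (rec["src_zone"].lower(), rec["dst_zone"].lower())


def routing_impact(records):
    """(pkts to OSPF multicast, pkts on self-zone pairs, affected zone pairs)."""
    mcast = sum(r["count"] for r in records if r["dst"] in OSPF_MCAST)
    selfz = sum(r["count"] for r in records if touches_self(r))
    pairs = sorted({r["zone_pair"] for r in records
                    if r["dst"] in OSPF_MCAST or touches_self(r)})
    return mcast, selfz, pairs


def report(text):
    """Human-readable summary; returned rather than printed so it can be tested."""
    recs = parse_log(text)
    lines = [f"{zp:20s} {cls:15s} {n:6d} pkts"
             for (zp, cls), n in sorted(drops_by_zone_pair(recs).items())]
    mcast, selfz, pairs = routing_impact(recs)
    lines.append(f"OSPF multicast drops: {mcast}; drops on self-zone pairs: {selfz}")
    if pairs:
        lines.append("zone pairs that need an explicit 'pass' class for OSPF "
                     "(IP protocol 89): " + ", ".join(pairs))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))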
