OSPF dies when apply ACL

Jul 31st, 2007

I'm using the following ACL on my distribution router, which connects to the core, and as soon as I apply it inbound or outbound, OSPF dies; the log says the dead timer expired. Do I need to allow anything in the ACL for OSPF to work? Please advise.

ip access-list extended my-filter-inbound
 permit ip 10.8.0.0 0.0.255.255 10.13.0.0 0.0.255.255
 permit ip 10.1.31.0 0.0.0.255 10.13.0.0 0.0.255.255
 permit ip 10.1.32.0 0.0.0.255 10.13.0.0 0.0.255.255
 permit ip 10.5.30.0 0.0.0.255 10.13.0.0 0.0.255.255
 permit ip 10.7.149.0 0.0.0.255 10.13.0.0 0.0.255.255

interface vlan 320
 ip access-group my-filter-inbound in
 ip access-group my-filter-inbound out

Edison Ortiz Tue, 07/31/2007 - 11:50

OSPF is its own protocol, so you need something like:

permit ospf [source] [destination]

sundar.palaniappan Tue, 07/31/2007 - 11:55

Add 'permit ospf any any' to the existing ACL to allow OSPF packets.

HTH

Sundar

lamav Tue, 07/31/2007 - 11:58

I imagine that you are using a point-to-point OSPF network type, since you are talking about the links between your core and distribution layer switches in the data center. Recall that with OSPF point-to-point networks, LSAs are multicast to 224.0.0.5, the AllSPFRouters address.

Try allowing such traffic as part of the access list and get back to us with the results.

HTH

Thanks

royalblues Tue, 07/31/2007 - 12:07

I agree with Edison and Sundar; it would be better to allow all OSPF packets.

Have a look at this link. Though it talks about vulnerabilities in OSPF, it gives an idea of how to configure an access list that permits OSPF packets and maintains adjacency.

http://www.cisco.com/en/US/products/products_security_response09186a008014ac50.html

HTH

Narayan

Please rate all useful posts.

lamav Tue, 07/31/2007 - 12:20

Royal:


I was giving the questioner a conceptual solution and approach, not the actual config lines. The point I was making was that OSPF traffic should be permitted, and why it is that his access list fails to permit it.

nawas Tue, 07/31/2007 - 12:29

Thanks everyone for their valuable input. I tried both solutions, i.e. 'permit ospf any any' and permitting the OSPF multicast packets, and both have worked flawlessly. At this time I'm going to use 'permit ospf any any' (for simplicity).
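
To show concretely why the original ACL broke the adjacency and why the fixes above work, here is an added example (not from any poster in this thread) that replays the poster's ACL against a constructed OSPF hello using a toy model of IOS extended-ACL semantics: top-down first match with an implicit "deny ip any any" at the end. The neighbor address 10.13.20.2 is a constructed sample; OSPF is IP protocol 89 and hellos are sent to 224.0.0.5, as lamav noted.

```python
# Added example, not from the thread: a toy evaluator for Cisco IOS extended ACLs
# (first match wins; anything unmatched hits the implicit "deny ip any any").
import ipaddress

OSPF = 89  # IP protocol number for OSPF; an "ip" ACE matches any protocol
PROTO_NUM = {"ip": None, "ospf": OSPF, "tcp": 6, "udp": 17, "icmp": 1}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_addr(tokens):
    # Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line: str):
    """Parse 'permit|deny <proto> <src> <dst>' (ports and options are not modeled)."""
    action, proto, *rest = line.split()
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return action, proto, src, dst

def evaluate(acl, src: str, dst: str, proto: int):
    """Return (action, matching ACE) for a packet, falling through to the implicit deny."""
    for line in acl:
        action, name, (sb, sw), (db, dw) = parse_ace(line)
        if PROTO_NUM[name] is not None and PROTO_NUM[name] != proto:
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, line
    return "deny", "<implicit deny ip any any>"

# The poster's ACL exactly as shown in the question.
MY_FILTER_INBOUND = [
    "permit ip 10.8.0.0 0.0.255.255 10.13.0.0 0.0.255.255",
    "permit ip 10.1.31.0 0.0.0.255 10.13.0.0 0.0.255.255",
    "permit ip 10.1.32.0 0.0.0.255 10.13.0.0 0.0.255.255",
    "permit ip 10.5.30.0 0.0.0.255 10.13.0.0 0.0.255.255",
    "permit ip 10.7.149.0 0.0.0.255 10.13.0.0 0.0.255.255",
]
# Constructed neighbor address; hellos are multicast to AllSPFRouters (224.0.0.5),
# which no 10.13.0.0/16 destination entry can match.
NEIGHBOR, ALL_SPF_ROUTERS = "10.13.20.2", "224.0.0.5"

def ospf_hello_action(acl) -> str:
    return evaluate(acl, NEIGHBOR, ALL_SPF_ROUTERS, OSPF)[0]
```

Running ospf_hello_action on MY_FILTER_INBOUND returns "deny", and prepending either "permit ospf any any" or the tighter "permit ospf any host 224.0.0.5" returns "permit" while the existing data-plane entries keep matching as before.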

lamav Tue, 07/31/2007 - 12:33

Glad to hear it, Nawas!
