OSPF dies when apply ACL

Unanswered Question
Jul 31st, 2007

I'm using the following ACL on my distribution router which connects to core and as soon as as i apply inboud or outboud the ospf dies, i see the log dead time expired. Do I need to allow anything in the ACL for OSPF to work? Please advice

ip access-list extended my-filter-inbound

permit ip

permit ip

permit ip

permit ip

permit ip

interface vlan 320

ip access-group my-filter-inbound in

ip access-group my-filter-inbound out

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Edison Ortiz Tue, 07/31/2007 - 11:50

OSPF is its own protocol, so you need something like:

permit ospf [source] [destination]

lamav Tue, 07/31/2007 - 11:58

I imagine that you are using a point-to-point OSPF network type, since you are talking about the links between your core and distribution layer switches in the data Center. Recall that with OSPF point-to-point networks, LSAs are multicast to on, the AllSPFRouters address.

try allowing such traffic as part of the access list and get back to us with the results.



royalblues Tue, 07/31/2007 - 12:07

I agree with Edison and Sundar and it would be better to allow all ospf packets

Have a look at this link. though it talks about vulnerabilities in ospf it would give an idea of how to configure an access-list that would permit ospf packets and maintain adjacency




please rate all useful posts

lamav Tue, 07/31/2007 - 12:20


I was giving the questioner a conceptual solution and approach, not the actual config lines. The point I was making was that OSPF traffic should be permitted and why it is that his access list fails ot permit it.

nawas Tue, 07/31/2007 - 12:29

Thanks everyone for their valuable input. I tired both solution, ie permit ospf any any and permit ospf multicast packet and both have worked flawlessly. At this time I'm going to use permit ospf any any (for simplicity).


This Discussion