
VACL breaks OSPF relationship?

mcroberts
Level 1

I think I am having a problem when I apply a VACL to the 6500. When I apply this VACL, it seems to break my OSPF session with my next-hop device (which we do not control) and my on-board FWSM (running 3.2.4). The reason I "think" I am having this issue is because when I applied the VACL filter on the 6500, I lost my OSPF relationships in area 2 only 3+ minutes after the VACL was applied (perhaps the OSPF timer). Area 0 stayed up though. Once the group that controls the next-hop router inserted a static to our network, traffic was able to flow again (not via OSPF, obviously). I will show the config of the VACL on the 6500 and the OSPF config on the FWSM. Has anyone seen any issues similar to this, or have any idea why the VACL would break the OSPF relationship?

One note that I don't think matters, but I will mention anyway: the VLANs in my VACL filter do include VLANs that reside on my FWSM.

FWSM:

    router ospf 10
     network xx.xx.76.0 255.255.254.0 area 2
     network 192.168.1.0 255.255.255.0 area 0
     router-id xx.xx.76.2
     log-adj-changes
     summary-address xx.xx.76.0 255.255.254.0

6500 VACL config:

    vlan access-map IPS 10
     match ip address 172
     action forward capture
    vlan access-map IPS 20
     match ip address 175
     action forward
    !
    access-list 172 permit ip any any
    access-list 175 permit ip any any
    !
    vlan filter IPS vlan-list 5-16,20,24,etc....

1 Reply

owillins
Level 6

You need to statically configure the adjacency to use unicast packets.

Example:

    FWSM(config)# router ospf 1
    FWSM(config-router)# neighbor 192.168.1.1

You would also want to configure the other router.

When enabling a VLAN access-map with the capture action, OSPF stops working on the FWSM blade. Enabling the access-map used up the last SPAN session and prevented multicast from getting to the FWSM, and thus OSPF broke.
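The static-neighbor fix from the reply, applied to the original poster's area 2 process, together with the checks a practitioner would run on both boxes. This is an added example, not configuration posted in the thread. It assumes the area 2 VLAN interface on the FWSM is `Vlan76` with `nameif outside`, that the next-hop router is `xx.xx.76.1` (both placeholders), and that FWSM 3.2 requires the ASA-style `ospf network point-to-point non-broadcast` interface command before a `neighbor` statement takes effect; none of these come from the page.

```cisco
! ---- FWSM side (added example; interface name, VLAN and peer address are assumed) ----
! The area 2 interface must be a point-to-point non-broadcast network so that
! hellos are sent unicast to the configured neighbor instead of to 224.0.0.5.
FWSM(config)# interface Vlan76
FWSM(config-if)# nameif outside
FWSM(config-if)# ospf network point-to-point non-broadcast
FWSM(config-if)# exit
!
! Use the poster's process ID (10), not the generic "1" from the reply.
FWSM(config)# router ospf 10
FWSM(config-router)# neighbor xx.xx.76.1 interface outside
FWSM(config-router)# end
!
! Check: the area 2 neighbor should return to FULL once the peer is configured
! the same way (the peer side is owned by another group and is not shown here).
FWSM# show ospf neighbor
FWSM# show ospf interface outside
!
! ---- 6500 side (checks only; no change to the VACL itself) ----
! Confirm the "action forward capture" entry and the VLAN list actually applied,
! and how many SPAN/capture sessions are in use after the filter is enabled.
6500# show vlan access-map IPS
6500# show vlan filter
6500# show monitor session
```

If the 6500 shows every SPAN session consumed once the capture-action map is applied, that matches the reply's explanation; if the FWSM neighbor still does not form after the unicast neighbor is configured on both ends, compare `show ospf interface outside` on the FWSM against the peer for matching network type and hello/dead timers, since the point-to-point non-broadcast type must agree on both sides.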
