Problem ACL and OSPF

Answered Question
Sep 2nd, 2009

Hi,

I have two Catalyst 6509s with IOS version 12.2(33)SXH5 that use OSPF as the routing protocol, but it isn't operating.

I have the following ACLs:

ip access-list extended acl_vlan100
 permit ip any 172.25.32.0 0.0.3.255
 permit ip any 172.25.52.0 0.0.3.255
 permit ip any 172.25.49.0 0.0.0.255
 permit ip any 168.124.168.0 0.0.1.255
 permit ip any 168.124.174.0 0.0.0.255
 permit ip any 168.124.175.0 0.0.0.255
 permit ip any 168.124.173.0 0.0.0.63
 permit ip any 168.124.173.64 0.0.0.63
 permit ip any 7.26.128.0 0.0.0.127
 permit ip any 7.48.19.0 0.0.0.127
 permit ip any 7.48.19.128 0.0.0.127
 permit ip any 7.30.16.0 0.0.15.255
 permit ip any 7.24.38.0 0.0.0.63
 permit ip host 157.206.4.10 any
 permit ip host 157.206.4.2 host 224.0.0.2
 permit ip host 157.206.4.3 host 224.0.0.2
 permit ip host 157.206.4.4 host 224.0.0.2
 permit ip host 157.206.4.6 host 224.0.0.2
 permit ip host 157.206.4.2 host 224.0.0.5
 permit ip host 157.206.4.3 host 224.0.0.5
 permit ip host 157.206.4.4 host 224.0.0.5
 permit ip host 157.206.4.6 host 224.0.0.5
 permit ip host 157.206.4.2 host 224.0.0.6
 permit ip host 157.206.4.3 host 224.0.0.6
 permit ip host 157.206.4.4 host 224.0.0.6
 permit ip host 157.206.4.6 host 224.0.0.6
 permit ip host 157.206.4.7 any
 permit ip host 134.81.96.62 any
 permit icmp any any
 deny ip any any log

And the OSPF problems are in the following lines:

157.206.4.3
-----------------
.Sep 2 08:52:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.4 -> 157.206.4.3, 83 packets
.Sep 2 08:52:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.6 -> 157.206.4.3, 71 packets
.Sep 2 08:54:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.2 -> 157.206.4.3, 47 packets
Sep 2 08:57:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.4 -> 157.206.4.3, 30 packets
Sep 2 08:57:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.6 -> 157.206.4.3, 40 packets
Sep 2 08:59:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.2 -> 157.206.4.3, 4 packets

157.206.4.2
------------------
*Sep 2 07:19:50: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.4 -> 157.206.4.2, 34 packets
*Sep 2 07:20:50: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.3 -> 157.206.4.2, 47 packets
*Sep 2 07:21:50: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.6 -> 157.206.4.2, 46 packets
*Sep 2 07:24:50: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.4 -> 157.206.4.2, 37 packets
.Sep 2 08:56:29: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.3 -> 157.206.4.2, 36 packets
.Sep 2 08:57:30: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.6 -> 157.206.4.2, 79 packets
Sep 2 09:00:30: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.4 -> 157.206.4.2, 5 packets
Sep 2 09:01:30: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.3 -> 157.206.4.2, 3 packets

The VLAN interface is configured as follows:

interface Vlan100
 ip address 157.206.4.3 255.255.255.0
 ip access-group acl_vlan100 in
 no ip unreachables
 standby 100 ip 157.206.4.1
 standby 100 priority 150
 standby 100 preempt
end

Why do I have these problems?

Correct Answer
srue Wed, 09/02/2009 - 08:29

You need to specifically allow OSPF.

permit ospf any any

or

permit ospf host x.x.x.x host x.x.x.x
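
An added example, not part of the original posts: a short Python script that reads %SEC-6-IPACCESSLOGRP lines in the format shown in the question, totals the denied OSPF packets per neighbor pair, and prints host-scoped entries in the second form the answer gives. The function names are hypothetical, and the sample lines are copied from the question's log output for 157.206.4.3.

```python
import re
from collections import defaultdict

# Sample lines copied from the question's log output on 157.206.4.3.
SAMPLE_LOG = """\
.Sep 2 08:52:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.4 -> 157.206.4.3, 83 packets
.Sep 2 08:52:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.6 -> 157.206.4.3, 71 packets
.Sep 2 08:54:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.2 -> 157.206.4.3, 47 packets
Sep 2 08:57:26: %SEC-6-IPACCESSLOGRP: list acl_vlan100 denied ospf 157.206.4.4 -> 157.206.4.3, 30 packets
"""

# Matches the ACL log message for non-TCP/UDP/ICMP protocols as shown on the page.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?"
)


def denied_flows(log_text, proto="ospf"):
    """Sum denied packet counts per (acl, src, dst) for one protocol."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "denied" and m["proto"] == proto:
            totals[(m["acl"], m["src"], m["dst"])] += int(m["count"])
    return dict(totals)


def suggested_permits(flows, proto="ospf"):
    """Build host-scoped permit lines per ACL name, busiest flow first."""
    by_acl = defaultdict(list)
    ordered = sorted(flows.items(), key=lambda kv: (-kv[1], kv[0]))
    for (acl, src, dst), _count in ordered:
        by_acl[acl].append(f"permit {proto} host {src} host {dst}")
    return dict(by_acl)


if __name__ == "__main__":
    for acl, entries in suggested_permits(denied_flows(SAMPLE_LOG)).items():
        print(f"ip access-list extended {acl}")
        for entry in entries:
            print(f" {entry}")
```

The generated entries have to sit above the final deny ip any any log line, because IOS evaluates an ACL top-down and stops at the first match.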
