OSPF dies when apply ACL

nawas
Level 4

I'm using the following ACL on my distribution router which connects to the core, and as soon as I apply it inbound or outbound the OSPF dies; I see the log "dead timer expired". Do I need to allow anything in the ACL for OSPF to work? Please advise.

ip access-list extended my-filter-inbound
 permit ip 10.8.0.0 0.0.255.255 10.13.0.0 0.0.255.255
 permit ip 10.1.31.0 0.0.0.255 10.13.0.0 0.0.255.255
 permit ip 10.1.32.0 0.0.0.255 10.13.0.0 0.0.255.255
 permit ip 10.5.30.0 0.0.0.255 10.13.0.0 0.0.255.255
 permit ip 10.7.149.0 0.0.0.255 10.13.0.0 0.0.255.255
 ! (implicit "deny ip any any" at the end of every extended ACL)
interface vlan 320
 ip access-group my-filter-inbound in
 ip access-group my-filter-inbound out

7 Replies

Edison Ortiz
Hall of Fame

OSPF is its own protocol, so you need something like:

permit ospf [source] [destination]

Add 'permit ospf any any' to the existing ACL to allow OSPF packets.

HTH

Sundar

lamav
Level 8

I imagine that you are using a point-to-point OSPF network type, since you are talking about the links between your core and distribution layer switches in the data center. Recall that with OSPF point-to-point networks, LSAs are multicast to 224.0.0.5, the AllSPFRouters address.

Try allowing such traffic as part of the access list and get back to us with the results.

HTH

Thanks

I agree with Edison and Sundar; it would be better to allow all OSPF packets.

Have a look at this link. Though it talks about vulnerabilities in OSPF, it would give an idea of how to configure an access list that permits OSPF packets and maintains adjacency.

http://www.cisco.com/en/US/products/products_security_response09186a008014ac50.html

HTH

Narayan

please rate all useful posts

Royal:

I was giving the questioner a conceptual solution and approach, not the actual config lines. The point I was making was that OSPF traffic should be permitted, and why it is that his access list fails to permit it.

Thanks everyone for their valuable input. I tried both solutions, i.e. permit ospf any any and permitting the OSPF multicast packets, and both have worked flawlessly. At this time I'm going to use permit ospf any any (for simplicity).

Glad to hear it, Nawas!
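The thread's conclusion (the original ACL silently drops OSPF, and either "permit ospf any any" or a multicast-specific entry restores adjacency) can be checked offline with a small Cisco-style extended ACL evaluator. The code below is an added example, not configuration or code from the thread or from Cisco; it models only wildcard-mask matching, protocol matching and the implicit "deny ip any any" that ends every IOS extended ACL. The poster's five entries are used verbatim; the point-to-point link subnet 192.0.2.0/30 (distribution .1, core .2) and the sample packets are constructed assumptions. It also goes one step beyond the thread by comparing the broad fix with a least-privilege one that only permits OSPF (IP protocol 89) from the link subnet to 224.0.0.5, 224.0.0.6 and the link itself, so that an OSPF packet from an unexpected source is still dropped.

```python
"""Toy evaluator for Cisco IOS extended ACLs (added example, not code from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PROTO_NAMES = {"ip": None, "ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}  # None = any IP protocol


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # None means "ip" (matches every protocol)
    src: IPv4Address
    src_wild: IPv4Address       # Cisco wildcard mask: 1 bits are "don't care"
    dst: IPv4Address
    dst_wild: IPv4Address


def _wild_match(addr: IPv4Address, base: IPv4Address, wild: IPv4Address) -> bool:
    """Match when every bit the wildcard cares about (0 bits) is equal."""
    care = 0xFFFFFFFF ^ int(wild)
    return (int(addr) & care) == (int(base) & care)


def parse_entry(line: str) -> Entry:
    """Parse e.g. 'permit ospf 192.0.2.0 0.0.0.3 host 224.0.0.5' or 'permit ip any any'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")
        if rest[0] == "host":
            addr, rest = IPv4Address(rest[1]), rest[2:]
            return addr, IPv4Address("0.0.0.0")
        addr, wild, rest = IPv4Address(rest[0]), IPv4Address(rest[1]), rest[2:]
        return addr, wild

    src, src_wild = take_addr()
    dst, dst_wild = take_addr()
    proto_num = PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto)
    return Entry(action, proto_num, src, src_wild, dst, dst_wild)


def parse_acl(text: str):
    """Lines starting with '!' are IOS comments; blank lines are ignored."""
    return [parse_entry(l) for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]


def evaluate(acl, proto: int, src: str, dst: str) -> str:
    """First-match evaluation; falling off the end is the implicit 'deny ip any any'."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for e in acl:
        if e.proto is not None and e.proto != proto:
            continue
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e.action
    return "deny"


# The poster's ACL, exactly as in the thread.
ORIGINAL = """
permit ip 10.8.0.0 0.0.255.255 10.13.0.0 0.0.255.255
permit ip 10.1.31.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.1.32.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.5.30.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.7.149.0 0.0.0.255 10.13.0.0 0.0.255.255
"""
# Fix chosen in the thread: any OSPF packet from anywhere to anywhere.
BROAD_FIX = ORIGINAL + "permit ospf any any\n"
# Least-privilege alternative. ASSUMPTION: the core/distribution link is 192.0.2.0/30.
TIGHT_FIX = ORIGINAL + """
permit ospf 192.0.2.0 0.0.0.3 host 224.0.0.5
permit ospf 192.0.2.0 0.0.0.3 host 224.0.0.6
permit ospf 192.0.2.0 0.0.0.3 192.0.2.0 0.0.0.3
"""

# Constructed sample packets: (label, ip_proto, src, dst).
PACKETS = [
    ("OSPF hello, core -> AllSPFRouters", 89, "192.0.2.2", "224.0.0.5"),
    ("OSPF unicast LSU retransmit, core -> dist", 89, "192.0.2.2", "192.0.2.1"),
    ("OSPF hello from an unexpected source", 89, "203.0.113.9", "224.0.0.5"),
    ("user TCP, 10.8/16 -> 10.13/16", 6, "10.8.1.5", "10.13.4.4"),
]


def decisions(acl_text: str) -> dict:
    acl = parse_acl(acl_text)
    return {label: evaluate(acl, p, s, d) for label, p, s, d in PACKETS}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("permit ospf any any", BROAD_FIX), ("tight", TIGHT_FIX)):
        print(f"== {name} ==")
        for label, verdict in decisions(text).items():
            print(f"  {verdict:6s} {label}")
```

Running it shows the failure mode from the first post: the OSPF hello hits no entry in the original ACL (the "permit ip" lines match any protocol, but the hello's destination 224.0.0.5 is not inside 10.13.0.0/16) and falls to the implicit deny, so the neighbor's dead timer expires. "permit ospf any any" restores adjacency but also admits OSPF from the unexpected source; the tighter entries restore adjacency while still dropping it.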
