07-31-2007 11:45 AM - last edited on 03-25-2019 03:55 PM by ciscomoderator
I'm using the following ACL on my distribution router which connects to the core, and as soon as I apply it inbound or outbound the OSPF dies; I see the log "dead timer expired". Do I need to allow anything in the ACL for OSPF to work? Please advise.
ip access-list extended my-filter-inbound
permit ip 10.8.0.0 0.0.255.255 10.13.0.0 0.0.255.255
permit ip 10.1.31.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.1.32.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.5.30.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.7.149.0 0.0.0.255 10.13.0.0 0.0.255.255
interface vlan 320
ip access-group my-filter-inbound in
ip access-group my-filter-inbound out
07-31-2007 11:50 AM
OSPF is its own protocol, so you need something like:
permit ospf [source] [destination]
07-31-2007 11:55 AM
Add 'permit ospf any any' to the existing ACL to allow OSPF packets.
HTH
Sundar
07-31-2007 11:58 AM
I imagine that you are using a point-to-point OSPF network type, since you are talking about the links between your core and distribution layer switches in the data center. Recall that with OSPF point-to-point networks, LSAs are multicast to 224.0.0.5, the AllSPFRouters address.
try allowing such traffic as part of the access list and get back to us with the results.
HTH
Thanks
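To make the point in the two replies above concrete, here is an added example that is not part of the original thread. It models first-match evaluation of an IOS extended ACL (including the implicit deny at the end) and runs the ACL exactly as posted against constructed OSPF hellos: the existing entries only match IP traffic destined for 10.13.0.0/16, so a hello addressed to 224.0.0.5 (IP protocol 89) falls through to the implicit deny and the neighbour's dead timer eventually expires. It also contrasts the thread's `permit ospf any any` fix with a narrower set of entries that only admits OSPF from the link subnet to 224.0.0.5, to 224.0.0.6 (used by DR/BDR on broadcast networks) and to this router's own address (some OSPF packets, such as retransmissions, are unicast). The link subnet 10.13.1.0/24, the router address 10.13.1.1 and the neighbour and rogue addresses are assumptions for illustration; nothing in the thread gives them. The narrower form is the one to prefer where it fits, since `permit ospf any any` accepts OSPF packets from any source on the interface; OSPF authentication is the proper control for who may form an adjacency, and this ACL entry is not a substitute for it.

```python
"""Model of first-match IOS extended-ACL evaluation, used to show why the
thread's filter drops OSPF and which entries restore the adjacency.
Editorial example; not from the original thread."""
import ipaddress
from dataclasses import dataclass

OSPF = 89                      # IP protocol number carried by OSPF packets
ALL_SPF_ROUTERS = "224.0.0.5"  # hellos/LSAs on point-to-point and broadcast links
ALL_DR_ROUTERS = "224.0.0.6"   # packets sent to the DR/BDR on broadcast links
PROTO = {"ip": None, "ospf": OSPF, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a set bit in the mask is 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny <proto> <src> <dst>' with any/host/wildcard forms."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take():
        if rest[0] == "any":
            del rest[0]
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            addr = rest[1]
            del rest[:2]
            return addr, "0.0.0.0"
        addr, wc = rest[0], rest[1]
        del rest[:2]
        return addr, wc

    src, src_wc = take()
    dst, dst_wc = take()
    return Ace(action, proto, src, src_wc, dst, dst_wc)


def parse_acl(text: str) -> list:
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_ace(l) for l in lines if l.startswith(("permit", "deny"))]


def evaluate(acl: list, pkt: Packet):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for idx, ace in enumerate(acl):
        want = PROTO[ace.proto]
        if want is not None and want != pkt.proto:
            continue
        if wildcard_match(pkt.src, ace.src, ace.src_wc) and wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            return ace.action, idx
    return "deny", None


def ospf_allowed(acl_text: str, neighbor: str, dst: str = ALL_SPF_ROUTERS) -> bool:
    """Would an OSPF packet from `neighbor` to `dst` pass this ACL inbound?"""
    return evaluate(parse_acl(acl_text), Packet(OSPF, neighbor, dst))[0] == "permit"


# The ACL exactly as posted in the thread.
ORIGINAL_ACL = """
ip access-list extended my-filter-inbound
permit ip 10.8.0.0 0.0.255.255 10.13.0.0 0.0.255.255
permit ip 10.1.31.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.1.32.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.5.30.0 0.0.0.255 10.13.0.0 0.0.255.255
permit ip 10.7.149.0 0.0.0.255 10.13.0.0 0.0.255.255
"""

# The simple fix suggested in the thread.
ANY_ANY_ACL = ORIGINAL_ACL + "permit ospf any any\n"

# A narrower alternative. ASSUMPTION: the core-facing link is 10.13.1.0/24 and
# this router's own address on it is 10.13.1.1; neither figure is from the thread.
LINK_SUBNET, LINK_WC, MY_ADDR = "10.13.1.0", "0.0.0.255", "10.13.1.1"
TIGHT_ACL = ORIGINAL_ACL + f"""
permit ospf {LINK_SUBNET} {LINK_WC} host {ALL_SPF_ROUTERS}
permit ospf {LINK_SUBNET} {LINK_WC} host {ALL_DR_ROUTERS}
permit ospf {LINK_SUBNET} {LINK_WC} host {MY_ADDR}
"""

if __name__ == "__main__":
    neighbor, rogue = "10.13.1.2", "192.0.2.9"   # constructed sample addresses
    for name, acl in (("original", ORIGINAL_ACL), ("any any", ANY_ANY_ACL), ("tight", TIGHT_ACL)):
        print(f"{name:9s} hello from {neighbor}: {ospf_allowed(acl, neighbor)}"
              f"  from {rogue}: {ospf_allowed(acl, rogue)}")
```

Running it shows the posted ACL denying the neighbour's hello, `permit ospf any any` admitting hellos from the neighbour and from the rogue address alike, and the narrower entries admitting only the neighbour. The model covers protocol, source and destination matching only; keywords such as `established`, `log` or port operators are outside what the thread's ACL uses and are not modelled.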
07-31-2007 12:07 PM
I agree with Edison and Sundar; it would be better to allow all OSPF packets.
Have a look at this link. Though it talks about vulnerabilities in OSPF, it will give you an idea of how to configure an access list that permits OSPF packets and maintains the adjacency:
http://www.cisco.com/en/US/products/products_security_response09186a008014ac50.html
HTH
Narayan
please rate all useful posts
07-31-2007 12:20 PM
Royal:
I was giving the questioner a conceptual solution and approach, not the actual config lines. The point I was making was that OSPF traffic should be permitted, and why it is that his access list fails to permit it.
07-31-2007 12:29 PM
Thanks everyone for your valuable input. I tried both solutions, i.e. "permit ospf any any" and permitting the OSPF multicast packets, and both have worked flawlessly. At this time I'm going to use "permit ospf any any" (for simplicity).
07-31-2007 12:33 PM
Glad to hear it, Nawas!