ACL and OSPF Packets

RMS3 (Level 1)

Hi All,

I am currently preparing extended ACLs for my network. I have L3 switches running OSPF and HSRP.

I want to apply an inbound ACL on an interface but I see the OSPF neighbor goes down. 

I used Wireshark to go through the network traffic and observed that OSPF uses the 224.0.0.5 multicast address. I have specifically allowed that as a host in my ACL, but OSPF still fails.

Can anyone help me solve this?

10 Replies

M02@rt37 (VIP)

Hello @RMS3 

Please share your ACL here.

Thanks a lot.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

balaji.bandi (Hall of Fame)

What does your ACL look like?

Check this blog for what needs to be allowed:

https://aconaway.com/2008/06/12/acls-and-hsrp-bgp-ospf-vrrp-glbp/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Here is the ACL; please note that I am reconstructing it, as I cannot permit "any" per requirements.

ip access-list extended ALLOW
10 permit ip 10.169.5.0 0.0.0.127 10.169.13.192 0.0.0.31
!HSRP Traffic!
40 permit ip 10.169.5.0 0.0.0.127 host 224.0.0.2
!OSPF Traffic!
50 permit ip 10.169.5.0 0.0.0.127 host 224.0.0.5
60 deny ip any any
exit

Where is this ACL applied, and what about the other direction?

BB


Currently this is the configuration:

int vlan 410
 ip access-group ALLOW in
exit

The error I get is:

*Nov 30 14:06:22.417 UTC: %OSPF-5-ADJCHG: Process 5, Nbr 10.169.13.227 on Vlan410 from EXSTART to DOWN, Neighbor Down: Too many retransmissions

I looked into the packets using Wireshark; it looks like it happens due to an LSA Type 4 packet drop.

Can you post the complete interface config for both sides, with IP addresses?

You mentioned that everything works before the ACL; is this correct?

BB


How do the two routes have different wildcards?

Try using host in the ACL; if it works, then the issue is with the wildcard.

I didn't get you; the first rule is to permit 5.0 to reach 13.0.

Friend,

OSPF or HSRP is a peer-to-peer connection, and both peers must share the same subnet. Here I see two different wildcards, i.e. different subnets, so I don't think this will work.

Can you share the config of both peer interfaces used for OSPF and HSRP?

MHM

Hello,

I have not followed the entire thread, so I am not sure whether somebody has already mentioned that it might be better to use 'permit ospf' statements:

permit ospf 10.169.5.0 0.0.0.127 10.169.13.192 0.0.0.31

?
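As an added illustration (not code from the thread, from Cisco, or from any of the posters), here is a small Python model that replays the ACL posted above, and the 'permit ospf' idea from the last reply, against the packets an OSPF/HSRP neighbor actually sends inbound on Vlan410. It assumes interface addresses the thread never gives: Vlan410 as 10.169.5.0/25, the local SVI at 10.169.5.1 and the neighbor at 10.169.5.2 (the 10.169.13.227 in the %OSPF-5-ADJCHG line is the neighbor's router ID, which need not be an interface address). The packet list, the corrected ACL text and all helper names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION (not stated in the thread): Vlan410 is 10.169.5.0/25, the local SVI is 10.169.5.1
# and the neighbor's interface is 10.169.5.2; the 10.169.13.227 in the log is a router ID.
LOCAL_IP = "10.169.5.1"
NEIGHBOR_IP = "10.169.5.2"

@dataclass(frozen=True)
class Packet:
    name: str
    proto: str                   # "ospf", "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination port from a trailing "eq N"

def wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # IOS address + wildcard -> network (contiguous wildcards only, as in the thread)
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_ace(line: str) -> Ace:
    """Parse one ACE in the subset of IOS extended-ACL syntax used in the thread."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else 0
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take_addr() -> ipaddress.IPv4Network:
        word = rest.pop(0)
        if word == "any":
            return ipaddress.IPv4Network("0.0.0.0/0")
        if word == "host":
            return ipaddress.IPv4Network(rest.pop(0) + "/32")
        return wildcard_to_net(word, rest.pop(0))
    src, dst = take_addr(), take_addr()
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(seq, action, proto, src, dst, dport)

def parse_acl(text: str) -> list[Ace]:
    # Skip blank lines and '!' remarks; keep the ACEs in order, as IOS evaluates them.
    lines = (ln.strip() for ln in text.strip().splitlines())
    return [parse_ace(ln) for ln in lines if ln and not ln.startswith("!")]

def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in ace.src
            and ipaddress.IPv4Address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, Optional[int]]:
    """First matching ACE wins; no match is the implicit deny (seq None)."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None

# The ACEs exactly as posted in the thread.
POSTED_ACL = """
10 permit ip 10.169.5.0 0.0.0.127 10.169.13.192 0.0.0.31
!HSRP Traffic!
40 permit ip 10.169.5.0 0.0.0.127 host 224.0.0.2
!OSPF Traffic!
50 permit ip 10.169.5.0 0.0.0.127 host 224.0.0.5
60 deny ip any any
"""

# Corrected version (constructed): OSPF also uses 224.0.0.6 (DROther -> DR/BDR) and unicast
# between neighbor addresses (DBD, LSR, retransmissions); HSRPv1 is UDP/1985 to 224.0.0.2.
FIXED_ACL = """
10 permit ip 10.169.5.0 0.0.0.127 10.169.13.192 0.0.0.31
20 permit ospf 10.169.5.0 0.0.0.127 host 224.0.0.5
21 permit ospf 10.169.5.0 0.0.0.127 host 224.0.0.6
22 permit ospf 10.169.5.0 0.0.0.127 10.169.5.0 0.0.0.127
30 permit udp 10.169.5.0 0.0.0.127 host 224.0.0.2 eq 1985
60 deny ip any any
"""

# Constructed inbound traffic on Vlan410 (what the neighbor sends us), addressed per RFC 2328.
INBOUND = [
    Packet("ospf_hello", "ospf", NEIGHBOR_IP, "224.0.0.5"),
    Packet("ospf_dbd_unicast", "ospf", NEIGHBOR_IP, LOCAL_IP),    # EXSTART/EXCHANGE
    Packet("ospf_lsu_drother", "ospf", NEIGHBOR_IP, "224.0.0.6"),
    Packet("hsrp_v1_hello", "udp", NEIGHBOR_IP, "224.0.0.2", 1985),
    Packet("user_tcp_allowed", "tcp", "10.169.5.10", "10.169.13.200", 443),
    Packet("user_tcp_other", "tcp", "10.169.5.10", "10.169.20.1", 443),
]

def verdicts(acl_text: str) -> dict[str, str]:
    acl = parse_acl(acl_text)
    return {p.name: evaluate(acl, p)[0] for p in INBOUND}
```

Calling `verdicts(POSTED_ACL)` shows the posted ACL permitting the hellos (line 50) and HSRP (line 40) but dropping the unicast Database Description packets sent to 10.169.5.1 on line 60; those are exactly the packets exchanged in EXSTART, which fits the "Too many retransmissions" message. It also drops the 224.0.0.6 updates a DROther sends to the DR/BDR. `verdicts(FIXED_ACL)` passes all of the protocol traffic while still denying the unrelated TCP flow, and it narrows the multicast permits to `ospf` and `udp eq 1985` instead of `ip`. The `permit ospf ... 10.169.13.192 0.0.0.31` line suggested in the last reply only helps if the neighbor's interface really sits in that /27: with an inbound ACL, what matters is the neighbor's source address and this switch's own SVI address. HSRP version 2 uses 224.0.0.102 rather than 224.0.0.2 and would need its own line.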