09-28-2015 02:39 PM - edited 03-08-2019 01:58 AM
This is on a Nexus 7700 version 6.2(10)
For security reasons we have some L3 OSPF SVIs configured as passive interfaces. However, I have a network tool (it maps and analyzes the OSPF routing world) that must form an OSPF neighbor adjacency with another local OSPF router so it can participate in the OSPF world to do its mapping and analysis. This tool is in the same VLAN as the L3 SVI.
So I need to make that particular SVI OSPF active (send out OSPF Hello pkts) instead of passive. Is there a way to use an ACL, route-map, policy-map, etc. to allow for only one IP address to form an OSPF adjacency with that SVI? In other words, send out the Hello pkts but only form an adjacency with the IP address specified in some sort of ACL? Or is it all or nothing?
Here is the SVI config today:
interface Vlan1147
  description nmm-3
  no shutdown
  mtu 9000
  vrf member nmm
  no ip redirects
  ip address 10.88.80.2/24
  ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 1147
    preempt
    priority 110
    ip 10.88.80.1
Say for example I want this interface to form an OSPF adjacency with only the network tool, which is 10.88.80.100, and no other devices that may respond to the Hello pkts?
Solved!
09-29-2015 04:50 AM
After playing around with this, I think you can use an acl after all. Try adding one on the svi that you want to block. Assuming your mapping device/server is addressed at 10.10.10.50:
access-list 100 permit ospf host 10.10.10.50 host 224.0.0.5
access-list 100 permit ospf host 10.10.10.50 host 224.0.0.6
access-list 100 deny ospf any any
access-list 100 permit ip any any
int vlan1147
  ip access-group 100 in
This is on IOS, and I don't have access to a Nexus. I'm still seeing Hellos coming out of the interface, but I'm not able to get an adjacency. My adjacencies to the other host have been up for over 2 minutes now, but earlier I wasn't able to keep one past the 30-second dead time.
HTH,
John
09-28-2015 02:49 PM
Once you make the interface not passive, it will form an adjacency with other devices in the same subnet. If you want the adjacency to form only between 2 devices, then put that device in a small subnet/VLAN (/30).
HTH
09-28-2015 03:02 PM
You can try to use an ACL inbound on the SVI to see if you can block the traffic. If not, you may need to do what Reza stated:
access-list 100 permit ospf host <your SVI ip - 10.88.80.2/24> host <where you want the traffic to come from>
access-list 100 deny ospf any any
access-list 100 permit ip any any
int vlan1147
  ip access-group 100 in
*Edit*
I tested this, and it looked okay for a while, but the neighborships started to bounce. I would recommend what Reza stated.
HTH,
John
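Added example (editor's, not from any reply in this thread): John's accepted filter rewritten for the NX-OS box in the question, since NX-OS has no numbered access-list 100 and wants a named ip access-list. The ACL name OSPF-NEIGHBOR-FILTER and the sequence numbers are made up; the addresses are the ones from the question (SVI 10.88.80.2, mapping tool 10.88.80.100). One entry is added that the IOS version lacks: on a broadcast network OSPF sends Database Description and Link State Request packets, and retransmitted Link State Updates, unicast to the neighbor's address rather than to 224.0.0.5 or 224.0.0.6 (RFC 2328 section 8.1). An inbound ACL that admits only the two multicast destinations lets the Hellos through but drops the tool's DBD packets, which is one plausible reason for an adjacency that forms and then bounces around the dead timer.

```cisco
! Added example, not from the thread: NX-OS router ACL for the SVI in the
! question. ACL name and sequence numbers are assumptions; addresses are
! the original poster's (SVI 10.88.80.2, mapping tool 10.88.80.100).
ip access-list OSPF-NEIGHBOR-FILTER
  10 remark Hellos and DR/BDR updates from the tool to AllSPFRouters
  20 permit ospf host 10.88.80.100 host 224.0.0.5
  30 remark DROther updates/acks from the tool to AllDRouters
  40 permit ospf host 10.88.80.100 host 224.0.0.6
  50 remark DBD, LSR and LSU retransmissions are unicast to the SVI address
  60 remark without this entry the adjacency stalls in EXSTART/EXCHANGE
  70 permit ospf host 10.88.80.100 host 10.88.80.2
  80 remark every other router on the VLAN: drop its OSPF, count the drops
  90 deny ospf any any
  100 permit ip any any
  statistics per-entry

interface Vlan1147
  ip access-group OSPF-NEIGHBOR-FILTER in
  no ip ospf passive-interface
```

What this does and does not do: the SVI still multicasts its own Hellos to every device in VLAN 1147, and any other router there will hear them; but because the SVI never sees that router's Hello, it never lists that router ID in its own Hellos, so the other side sits in INIT and never reaches 2-WAY. The tool and those other routers are still free to peer with each other over the same VLAN, and the filter keys on a source address that anything on the segment can spoof. If the goal is to bind the adjacency to the tool rather than to an IP, pair this with OSPF MD5 authentication on the SVI (ip ospf authentication message-digest plus ip ospf message-digest-key), or do what Reza suggested and give the tool its own /30. After applying, check the hit counters with show ip access-lists OSPF-NEIGHBOR-FILTER and the neighbor table with show ip ospf neighbors vrf nmm: the deny entry should be counting the other routers' Hellos, and the neighbor table should show only 10.88.80.100, in FULL.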