Can I make an SVI OSPF active, yet via an ACL allow only one device to form an adjacency?

jkeeffe
Level 2

This is on a Nexus 7700, version 6.2(10).

For security reasons we have some L3 OSPF SVIs configured as passive interfaces. However, I have a network tool (it maps and analyzes the OSPF routing world) that must form an OSPF neighbor adjacency with another local OSPF router so it can participate in the OSPF world to do its mapping and analysis. This tool is in the same vlan as the L3 SVI.

So I need to make that particular SVI OSPF active (send out OSPF Hello pkts) instead of passive. Is there a way to use an ACL, route-map, policy-map, etc. to allow only one IP address to form an OSPF adjacency with that SVI? In other words, send out the Hello pkts but only form an adjacency with the IP address specified in some sort of ACL? Or is it all or nothing?

Here is the SVI config today:

interface Vlan1147
  description nmm-3
  no shutdown
  mtu 9000
  vrf member nmm
  no ip redirects
  ip address 10.88.80.2/24
  ip ospf passive-interface
  ip router ospf 1 area 0.0.0.0
  hsrp version 2
  hsrp 1147
    preempt
    priority 110
    ip 10.88.80.1

Say, for example, I want this interface to form an OSPF adjacency with only the network tool, which is 10.88.80.100, and no other devices that may respond to the Hello pkts.

3 Replies

Reza Sharifi
Hall of Fame

Once you make the interface not passive, it will form an adjacency with other devices in the same subnet. If you want the adjacency to form only between 2 devices, then put that device in a small subnet/vlan (/30).

HTH

John Blakley
VIP Alumni

You can try to use an acl inbound on the svi to see if you can block the traffic. If not, you may need to do what Reza stated:

access-list 100 permit ospf host <your SVI ip - 10.88.80.2/24> host <where you want the traffic to come from>
access-list 100 deny ospf any any
access-list 100 permit ip any any

int vlan1147
  ip access-group 100 in


*Edit*

I tested this, and it looked okay for a while, but the neighborships started to bounce... I would recommend what Reza stated...

HTH,

John

HTH, John *** Please rate all useful posts ***

After playing around with this, I think you can use an acl after all. Try adding one on the svi that you want to block. Assuming your mapping device/server is addressed at 10.10.10.50:

access-list 100 permit ospf host 10.10.10.50 host 224.0.0.5
access-list 100 permit ospf host 10.10.10.50 host 224.0.0.6
access-list 100 deny ospf any any
access-list 100 permit ip any any

int vlan1147
  ip access-group 100 in


This is on IOS, and I don't have access to a Nexus. I'm still seeing hellos coming out of the interface, but I'm not able to get an adjacency. My adjacencies to the other host have been up for over 2 minutes now, but earlier I wasn't able to keep one past the 30-second dead time...

HTH,

John

HTH, John *** Please rate all useful posts ***
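A constructed model of the inbound ACL from the accepted answer, added here and not part of the thread, with the asker's tool address 10.88.80.100 and SVI address 10.88.80.2 substituted for the answer's 10.10.10.50; the "other router" address 10.88.80.50, the packet names and the helper names are made up. It shows which inbound packets each entry catches: OSPF from the tool to the two multicast groups passes, OSPF hellos from any other router are dropped, and any OSPF packet addressed unicast to the SVI itself falls through to the deny entry (one thing to check when an adjacency stalls, since an inbound ACL does nothing about the hellos the SVI sends out).

```python
from ipaddress import ip_address

# Addresses from the original post; ACL entries follow the accepted answer.
MAPPER = "10.88.80.100"          # the mapping tool that may form an adjacency
SVI_IP = "10.88.80.2"            # the Vlan1147 SVI address
OTHER_ROUTER = "10.88.80.50"     # constructed: some other OSPF speaker in the vlan
ALL_SPF_ROUTERS = "224.0.0.5"    # AllSPFRouters multicast group (hellos)
ALL_D_ROUTERS = "224.0.0.6"      # AllDRouters multicast group (DR/BDR updates)

# Each entry: (action, protocol, source, destination); "any" matches everything.
ACL_100 = [
    ("permit", "ospf", MAPPER, ALL_SPF_ROUTERS),
    ("permit", "ospf", MAPPER, ALL_D_ROUTERS),
    ("deny",   "ospf", "any",  "any"),
    ("permit", "ip",   "any",  "any"),
]


def _match(addr, want):
    """Host match: 'any' matches everything, otherwise exact address."""
    return want == "any" or ip_address(addr) == ip_address(want)


def acl_action(acl, proto, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, p, s, d in acl:
        if p != "ip" and p != proto:      # 'ip' entries match any IP protocol
            continue
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"


def evaluate_inbound(acl, packets):
    """Apply the ACL to packets arriving on the SVI -> {packet name: action}."""
    return {name: acl_action(acl, proto, src, dst) for name, proto, src, dst in packets}


# Constructed sample traffic arriving inbound on Vlan1147.
SAMPLE_PACKETS = [
    ("hello from mapper",        "ospf", MAPPER,       ALL_SPF_ROUTERS),
    ("lsu from mapper",          "ospf", MAPPER,       ALL_D_ROUTERS),
    ("hello from other router",  "ospf", OTHER_ROUTER, ALL_SPF_ROUTERS),
    ("unicast ospf to svi",      "ospf", MAPPER,       SVI_IP),
    ("ssh to svi from other",    "tcp",  OTHER_ROUTER, SVI_IP),
]

if __name__ == "__main__":
    for name, action in evaluate_inbound(ACL_100, SAMPLE_PACKETS).items():
        print(f"{name:26s} -> {action}")
```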