[c-nsp] Weird rACL entry - interface to interface OSPF packets

christopher.a.kane at jpmchase.com christopher.a.kane at jpmchase.com
Thu Nov 9 12:06:17 EST 2006


>Hello All:
>
>We've been running rACL's for about 3 weeks with no issues.  This
>morning, we started seeing blocks of OSPF messages going directly from
>one directly connected SRP interface to another.  Our original rACL
>entries permitted OSPF traffic to and from 224.0.0.5 and .6 and that has
>been in place since the beginning.
>
>Can anyone shed light on why there would be interface to interface OSPF
>communication not going to the well-known multicast addresses?  Is this
>to be expected or do I have configuration issues?  I've included log and
>config snippets below.
>
>Regards,
>
>Mike


For reliability, I believe OSPF will move to unicast messages if an LSA 
has not been acknowledged. Rather than permitting only the multicast 
addresses maybe use an any any with ospf listed as the ip protocol.

-chris



>Log entry:
>
>Nov  9 07:17:29 <router loopback ip> 232152: SLOT 5:081758: Nov  9 07:17:29.915 PST: %SEC-6-IPACCESSLOGRP: list 2000 denied ospf <incoming srp ip> -> <local srp ip>, 23 packets
>
>interface SRP5/0
> description A-side to sea-bdr1, B-side from sea-cor1
> ip address <local srp ip>
> no ip directed-broadcast
> ip ospf network broadcast
> ip ospf priority 2
> srp clock-source line b
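An added illustration of the permit-by-protocol approach from the reply above; this is not configuration from either poster. The first list reproduces the multicast-only shape described in the question, which drops the unicast OSPF packets (DD, LSR, and retransmitted LSUs sent directly to a neighbor) that produced the log entry. The second list keeps the multicast entries, adds the reply's "any any" OSPF permit, and shows a tighter alternative limited to the ring subnet. ACL number 2000 comes from the log line; the subnet 192.0.2.0/30 is a placeholder, and applying the list with `ip receive access-list` assumes a 12000-series platform, as the SRP interfaces suggest.

```cisco
! --- Original shape: OSPF permitted only to the well-known multicast groups.
! Neighbor-to-neighbor unicast OSPF falls through to the logged deny.
access-list 2000 permit ospf any host 224.0.0.5
access-list 2000 permit ospf any host 224.0.0.6
access-list 2000 deny   ip any any log

! --- Replacement: permit OSPF by protocol so unicast exchanges also pass.
no access-list 2000
access-list 2000 permit ospf any host 224.0.0.5
access-list 2000 permit ospf any host 224.0.0.6
! Reply's suggestion: any source, any destination, OSPF only.
access-list 2000 permit ospf any any
! Tighter alternative (placeholder ring subnet 192.0.2.0/30):
! access-list 2000 permit ospf 192.0.2.0 0.0.0.3 any
! Keep the logged deny last so unexpected receive-path traffic is still visible.
access-list 2000 deny   ip any any log
!
! Apply as the receive ACL (global configuration, 12000-series assumption).
ip receive access-list 2000
```

The `log` keyword on the final deny is what produces the `%SEC-6-IPACCESSLOGRP` messages shown in the question, so keeping it lets the operator see what the list is still dropping after the change.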

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/





