nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Selective denial of OSPF adjacencies?

Monkerz

So I have been thinking about something recently and was wondering if there was another way to accomplish what I am looking for. Rather than boring you with details you may not need I will cut to the chase.

Situation:
Two MLS are connected via a 20G L2 port-channel. Two vlans (1&2) are allowed over the trunk. Both vlans are routed. OSPF is advertising and sending hellos for both vlans. OSPF adjacency is needed over the trunk for vlan 1 and not wanted for vlan 2, but OSPF must stay enabled for both SVIs. (could elaborate as to why OSPF must stay enabled on both vlans, but didn’t think it was pertinent)

Now, I have labbed this up using an ACL, on both sides of the trunk, to block traffic coming in from vlan2 network destined for 224.0.0.5 & 6. This worked when I was using only one 10G link and it was not part of a port-channel. An OSPF adjacency formed for vlan 1, but not for vlan 2. However, when I added a link and bundled these interfaces, then applied the ACL in on the port-channel interfaces, OSPF adjacencies still formed for both vlans.

Does anyone know of another way to deny OSPF adjacency over an L2 port-channel for one vlan, but not the other?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

networker050184

Why can't you just make VLAN 2 passive?

The ACL doesn't affect router generated traffic like OSPF protocol packets.

Monkerz

I cannot make vlan 2 passive as I am handed a backup flexlink connection from the provider (cheaper than another active link). The currently active link is connected to one edge device and the other standby link is connected to the second. vlan 2 is being used as the MetroE MAN, and if I make vlan 2 passive, the second edge device will not form adjacencies when a fail-over occurs.

Basically, remote sites are seeing equal cost paths to networks sitting behind these devices currently. I would like to stop this by not allowing any adjacency for the vlan over this trunk.

And an ACL inward will affect the neighbor's generated traffic, which is how I had this working prior to the port-channel. Just looks like port-channeling threw a wrench in...

NetworkVeteran

f I make vlan 2 passive, the second edge device will not form adjacencies when a fail-over occurs.

If I understand correctly, on VLAN 2, you want some adjacencies to form and others not to form. Can you simply go NBMA and specify which neighbor pairs should form adajacencies? Making OSPF unicast also simplifies ACLs, if needed.

networker050184

You can try changing to non broadcast and staticly defining neighbors.

Ah, Veteran beat me to it.

Monkerz

Yeah I thought about static neighbors, but that wouldn't work too well for a dynamic failover. In fact, making the vlan passive on the node with flex standby would achieve the same thing with less admin overhead.

I threw together a drawing to help give you an idea as to what I am talking about. Hopefully you can see it.

So, from one of the 6Ks at Site1, in the current setup with OSPF running balls to the wall on the MAN vlan, I can see equal cost routes to all networks sitting behind Site3's 6Ks (the networks that are dual homed anyway). I don't want to see this because Circuit5 is in standby mode on the provider's side until the line protocol on Circuit4 goes down. So there is currently an extra bridge hop to achieve ECMP.

So currently Site1's 6509-A is seeing an adjacency over the active link at Site3 for 6509-A, and 6509-B via the port-channel. If I can filter the adjacency over the port-channel, then Site1 wouldn't load-balance and if the active link at Site3 went down, 6509-B would form adjacency dynamically.

Oh, and I've already thought of routed ports facing the MAN from Site3, but this would cause problems with traffic bound for the MAN network from the node that currently has the standby link from the provider.

MAN.jpg

networker050184

So why not just put a high metirc on the backup circuits? Maybe I'm missing something.

Monkerz

Because the backup circuit is not actually passing traffic until the active fails. Site3's 6509-B adjaceny with Site1 is happening over the port channel. Bumping up cost on Site3's 6509-B would only affect traffic egressing Site3. Site1 is seeing Site3's 6509s as both as a cost of 8G or '5' with a reference BW of 40G.

Monkerz

Will that extra bridge hop even affect latency sensitive traffic like an extra routed hop? I'm trying to mitigate the potential for out of sequence packets.

networker050184

I wouldn't worry about it.