From: Kenneth Wygand (KWygand@customonline.com)
Date: Wed Aug 06 2003 - 12:33:47 GMT-3
John,
Yes, I am referring to a specific scenario, but not a specific practice
lab. I am referring to a requirement similar to the following:
R1 (serial) <--> (serial) R2 (ethernet)
"Place R2's ethernet network in the EIGRP routing process running
between R1 and R2. Have EIGRP updates reach neighbor x.x.x.x on R2's
switched ethernet segment, but keep EIGRP multicasts from exiting R2's
Ethernet interface in an attempt to prevent updates from flowing to
mischievous users on R2's switched ethernet segment sitting on the LAN
with a packet sniffer."
In this case, it seems to me that "passive-interface" simply blocks the
multicast updates and does nothing more. Is there any additional
functionality of configuring "passive-interface" that I am not aware of?
Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
Custom Computer Specialists, Inc.
"It's not just about ending up where you want to be, it's about making
the most of the trip there."
-Anonymous
-----Original Message-----
From: John Matijevic [mailto:matijevi@bellsouth.net]
Sent: Wednesday, August 06, 2003 11:25 AM
To: Kenneth Wygand; ccielab@groupstudy.com
Subject: Re: Access-list for EIGRP traffic...
Hello Kenneth,
The access-list you mentioned will block all eigrp traffic.
As far as using the passive-interface command, you really don't need to
use it since EIGRP is a classless protocol, you can define the network
you want to, using the appropriate wild card bits. Is there a specific
scenario that requires you to use passive-interface under EIGRP?
Sincerely,
Matijevic
----- Original Message -----
From: "Kenneth Wygand" <KWygand@customonline.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, August 06, 2003 11:12 AM
Subject: Access-list for EIGRP traffic...
> When denying EIGRP traffic as interesting on an ISDN line, if you
> simply put:
>
>
>
> Access-list 100 deny eigrp any any
>
>
>
> Does this block eigrp at the protocol field level, as opposed to a
> packet destination IP address of 224.0.0.10?
>
>
>
> If so, then this access list should also block unicast updates as per
> neighbor statements in the EIGRP process configuration as well.
>
>
>
> Furthermore, declaring an interface passive appears to only block
> multi/broadcast network advertisements from leaving that interface,
> but specific neighbors can still be specified with neighbor statements
> and protocol updates will then flow via unicast instead, independent
> of the "passive-interface" command.
>
>
>
> Can anyone confirm these thoughts?
>
>
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
>
> CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> Custom Computer Specialists, Inc.
>
> "It's not just about ending up where you want to be, it's about making
> the most of the trip there."
> -Anonymous
>
>
>
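Added example, not part of the original thread: a small model of extended-ACL matching showing that the `eigrp` keyword is compared against the IP header's protocol field (88), so it catches unicast as well as 224.0.0.10 multicast EIGRP packets, whereas a destination-based entry catches only the multicast. The trailing `permit ip any any` entries, the comparison ACL, the 10.1.1.x addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

EIGRP_PROTO = 88            # IP protocol number assigned to EIGRP
EIGRP_MCAST = "224.0.0.10"  # EIGRP multicast group
PROTO_KEYWORDS = {"ip": None, "eigrp": EIGRP_PROTO, "tcp": 6, "udp": 17}
ANY = ("0.0.0.0", "255.255.255.255")  # address + wildcard mask, as in IOS "any"

def host(addr):
    return (addr, "0.0.0.0")          # IOS "host x.x.x.x"

def to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def ipv4_header(src, dst, proto):
    """Build a minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def addr_match(spec, value):
    """Wildcard bits set to 1 are 'don't care' bits."""
    base, wild = (to_int(x) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return (value & care) == (base & care)

def evaluate(acl, raw):
    """Return the action of the first matching entry for a raw IPv4 header."""
    proto = raw[9]                                # protocol field
    src, dst = struct.unpack("!II", raw[12:20])   # source, destination
    for action, keyword, src_spec, dst_spec in acl:
        wanted = PROTO_KEYWORDS[keyword]
        if wanted is not None and wanted != proto:
            continue
        if addr_match(src_spec, src) and addr_match(dst_spec, dst):
            return action
    return "deny"                                 # implicit deny at the end

# "deny eigrp any any" from the thread, plus an assumed permit line.
BY_PROTOCOL = [("deny", "eigrp", ANY, ANY), ("permit", "ip", ANY, ANY)]
# Constructed comparison: match on the multicast destination instead.
BY_DESTINATION = [("deny", "ip", ANY, host(EIGRP_MCAST)), ("permit", "ip", ANY, ANY)]

SAMPLES = {  # constructed packets
    "eigrp_multicast": ipv4_header("10.1.1.2", EIGRP_MCAST, EIGRP_PROTO),
    "eigrp_unicast": ipv4_header("10.1.1.2", "10.1.1.1", EIGRP_PROTO),
    "tcp": ipv4_header("10.1.1.2", "10.1.1.1", 6),
}

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```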
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:54 GMT-3