From: Kenneth Wygand (KWygand@customonline.com)
Date: Wed Aug 06 2003 - 15:33:35 GMT-3
John,
Yes, you are correct. You know what's funny? According to Cisco's DOC
CD (12.3), if you don't use the "neighbor" EIGRP command in combination
with the "passive-interface" command, then the updates should be unicast
to the neighbor, but also multicast to 224.0.0.10. However, I tried
this in my lab and to my surprise, as soon as I enabled the neighbor
command I could see the multicast updates stop sending out the interface
to which my designated neighbor is attached.
Any ideas, or can someone else test this in their environment? I'm
using Enterprise IOS Version 12.2(1d) on a 2503 router.
Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
Custom Computer Specialists, Inc.
"It's not just about ending up where you want to be, it's about making
the most of the trip there."
-Anonymous
-----Original Message-----
From: John Hopkins [mailto:ccie1234@hotmail.com]
Sent: Wednesday, August 06, 2003 2:09 PM
To: matijevi@bellsouth.net; Kenneth Wygand; ccielab@groupstudy.com
Subject: Re: Access-list for EIGRP traffic...
I think that the technology that they'd like you to use is EIGRP Unicast
Updates.
****************************************
Configuring EIGRP Unicast Updates:
R1#
conf t
interface Ethernet0
 ip address 151.60.120.12 255.255.255.0
router eigrp 100
 network 151.60.120.0 0.0.0.255
 network 116.116.116.0 0.0.0.255
 neighbor 151.60.120.45 Ethernet0
end
>From: "John Matijevic" <matijevi@bellsouth.net>
>Reply-To: "John Matijevic" <matijevi@bellsouth.net>
>To: "Kenneth Wygand" <KWygand@customonline.com>,
<ccielab@groupstudy.com>
>Subject: Re: Access-list for EIGRP traffic...
>Date: Wed, 6 Aug 2003 12:21:40 -0400
>
>Hello Kenneth,
>You are correct,
>The passive-interface for EIGRP blocks the multicast updates, it suppresses
>the EIGRP hello packets, and will not allow a neighborship to form. It
>suppresses outgoing routing updates as well as incoming routing updates. You
>can still form an adjacency by using a distribute-list to allow incoming
>updates.
>Thanks for sharing the scenario.
>Sincerely,
>Matijevic
>----- Original Message -----
>From: "Kenneth Wygand" <KWygand@customonline.com>
>To: "John Matijevic" <matijevi@bellsouth.net>; <ccielab@groupstudy.com>
>Sent: Wednesday, August 06, 2003 11:33 AM
>Subject: RE: Access-list for EIGRP traffic...
>
>
> > John,
> >
> > Yes, I am referring to a specific scenario, but not a specific practice
> > lab. I am referring to a requirement similar to the following:
> >
> > R1 (serial) <--> (serial) R2 (ethernet)
> >
> > "Place R2's ethernet network in the EIGRP routing process running
> > between R1 and R2. Have EIGRP updates reach neighbor x.x.x.x on R2's
> > switched ethernet segment, but keep EIGRP multicasts from exiting R2's
> > Ethernet interface in an attempt to prevent updates from flowing to
> > mischievous users on R2's switched ethernet segment sitting on the LAN
> > with a packet sniffer."
> >
> > In this case, it seems to me that "passive-interface" simply blocks the
> > multicast updates and does nothing more. Is there any additional
> > functionality of configuring "passive-interface" that I am not aware of?
> >
> > Kenneth E. Wygand
> > Systems Engineer, Project Services
> > CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> > Custom Computer Specialists, Inc.
> > "It's not just about ending up where you want to be, it's about
making
> > the most of the trip there."
> > -Anonymous
> >
> > -----Original Message-----
> > From: John Matijevic [mailto:matijevi@bellsouth.net]
> > Sent: Wednesday, August 06, 2003 11:25 AM
> > To: Kenneth Wygand; ccielab@groupstudy.com
> > Subject: Re: Access-list for EIGRP traffic...
> >
> > Hello Kenneth,
> > The access-list you mentioned will block all EIGRP traffic.
> > As far as using the passive-interface command, you really don't need to
> > use it since EIGRP is a classless protocol, you can define the network you
> > want to, using the appropriate wild card bits. Is there a specific scenario
> > that requires you to use passive-interface under EIGRP?
> > Sincerely,
> > Matijevic
> > ----- Original Message -----
> > From: "Kenneth Wygand" <KWygand@customonline.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Wednesday, August 06, 2003 11:12 AM
> > Subject: Access-list for EIGRP traffic...
> >
> >
> > > When denying EIGRP traffic as interesting on an ISDN line, if you simply
> > > put:
> > >
> > > access-list 100 deny eigrp any any
> > >
> > > Does this block EIGRP at the protocol field level, as opposed to a
> > > packet destination IP address of 224.0.0.10?
> > >
> > > If so, then this access list should also block unicast updates as per
> > > neighbor statements in the EIGRP process configuration as well.
> > >
> > > Furthermore, declaring an interface passive appears to only block
> > > multi/broadcast network advertisements from leaving that interface, but
> > > specific neighbors can still be specified with neighbor statements and
> > > protocol updates will then flow via unicast instead, independent of the
> > > "passive-interface" command.
> > >
> > > Can anyone confirm these thoughts?
> > >
> > > Kenneth E. Wygand
> > > Systems Engineer, Project Services
> > > CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> > > Custom Computer Specialists, Inc.
> > > "It's not just about ending up where you want to be, it's about making
> > > the most of the trip there."
> > > -Anonymous
> > >
> >
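The access-list question at the root of this thread (does "access-list 100 deny eigrp any any" match on the protocol field or on the 224.0.0.10 destination?) can be checked by modelling how an IOS extended ACL entry is evaluated. The following is an added example written for this archive page, not code from any poster or from Cisco: it implements the ACL semantics stated in the thread (protocol keyword maps to the IP protocol number, EIGRP being protocol 88; wildcard-mask address matching; first match wins with an implicit deny) and runs constructed EIGRP multicast, EIGRP unicast and Telnet packets through two ACLs. The addresses 10.1.1.1/10.1.1.2 and ACL numbers 100/101 are assumed for the demonstration.

```python
"""Added example (not from the thread): how an IOS-style extended ACL entry
such as "access-list 100 deny eigrp any any" decides what it matches.

The protocol keyword maps to the IP protocol number (EIGRP is protocol 88),
so the entry matches on the protocol field regardless of destination: both
the multicast hellos to 224.0.0.10 and the unicast updates sent to a
configured "neighbor" are denied. An entry keyed on the multicast address
instead lets the unicast updates through. The packets below are constructed
for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

EIGRP_MCAST = "224.0.0.10"
ALL_BITS = 0xFFFFFFFF

# IOS protocol keywords -> IP protocol numbers; "ip" matches any protocol.
PROTO_KEYWORDS: Dict[str, Optional[int]] = {
    "ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89,
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, and address/wildcard pairs."""
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None = any IP protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_BITS, i + 1
    if tokens[i] == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    return int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst>' (no ports)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    src, src_wild, i = _parse_addr(t, 4)
    dst, dst_wild, _ = _parse_addr(t, i)
    return Ace(t[2], PROTO_KEYWORDS[t[3]], src, src_wild, dst, dst_wild)


def _wild_match(addr: int, base: int, wild: int) -> bool:
    """Wildcard-mask compare: a set bit in the mask means 'don't care'."""
    care = ~wild & ALL_BITS
    return addr & care == base & care


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    return (_wild_match(int(IPv4Address(pkt.src)), ace.src, ace.src_wild)
            and _wild_match(int(IPv4Address(pkt.dst)), ace.dst, ace.dst_wild))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def classify(acl_lines: List[str], packets: Dict[str, Packet]) -> Dict[str, str]:
    acl = [parse_ace(line) for line in acl_lines]
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


# Constructed traffic on R2's LAN: 10.1.1.1 is R2, 10.1.1.2 the configured neighbor.
SAMPLE_PACKETS = {
    "mcast_hello": Packet("10.1.1.1", EIGRP_MCAST, 88),
    "unicast_update": Packet("10.1.1.1", "10.1.1.2", 88),
    "telnet": Packet("10.1.1.1", "10.1.1.2", 6),
}

# Candidate dialer-list reference ACLs: "permit" = interesting traffic.
ACL_BY_PROTOCOL = [
    "access-list 100 deny eigrp any any",
    "access-list 100 permit ip any any",
]
ACL_BY_MCAST_DST = [
    "access-list 101 deny ip any host 224.0.0.10",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("by protocol", ACL_BY_PROTOCOL), ("by mcast dst", ACL_BY_MCAST_DST)):
        print(name, classify(acl, SAMPLE_PACKETS))
```

Run as a script, it shows that ACL 100 marks both the multicast hello and the unicast update as denied (not interesting) while still permitting Telnet, whereas ACL 101 only catches the multicast hello; if ACL 101 were referenced from a "dialer-list 1 protocol ip list 101" statement, a unicast EIGRP update to a configured neighbor would still count as interesting traffic and bring the ISDN line up.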
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:54 GMT-3