Re: Access-list for EIGRP traffic...

From: John Matijevic (matijevi@bellsouth.net)
Date: Wed Aug 06 2003 - 16:44:35 GMT-3


Hello Kenneth,
One scenario that I tested is that if you have passive-interface and a
neighbor statement, you're not going to be able to establish adjacency with
your neighbor, and you're not going to see your neighbor.
If you just use the neighbor command you will send and receive unicast
traffic. This command has to be on both sides, and again I tested with and
without passive-interface.
Sincerely,
Matijevic
----- Original Message -----
From: "Kenneth Wygand" <KWygand@customonline.com>
To: "John Hopkins" <ccie1234@hotmail.com>; <matijevi@bellsouth.net>;
<ccielab@groupstudy.com>
Sent: Wednesday, August 06, 2003 2:33 PM
Subject: RE: Access-list for EIGRP traffic...

> John,
>
> Yes, you are correct. You know what's funny? According to Cisco's DOC
> CD (12.3), if you don't use the "neighbor" EIGRP command in combination
> with the "passive-interface" command, then the updates should be unicast
> to the neighbor, but also multicast to 224.0.0.10. However, I tried
> this in my lab and to my surprise, as soon as I enabled the neighbor
> command I could see the multicast updates stop sending out the interface
> to which my designated neighbor is attached.
>
> Any ideas, or can someone else test this in their environment? I'm
> using Enterprise IOS Version 12.2(1d) on a 2503 router.
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> Custom Computer Specialists, Inc.
> "It's not just about ending up where you want to be, it's about making
> the most of the trip there."
> -Anonymous
>
> -----Original Message-----
> From: John Hopkins [mailto:ccie1234@hotmail.com]
> Sent: Wednesday, August 06, 2003 2:09 PM
> To: matijevi@bellsouth.net; Kenneth Wygand; ccielab@groupstudy.com
> Subject: Re: Access-list for EIGRP traffic...
>
> I think that the technology that they'd like you to use is EIGRP Unicast
> Updates.
>
>
> ****************************************
>
> Configuring EIGRP Unicast Updates:
>
>
> R1#
> Conf ter
>
> Interface E0
> IP address 151.60.120.12 255.255.255.0
>
>
> Router Eigrp 100
> network 151.60.120.0 0.0.0.255
> network 116.116.116.0 0.0.0.255
> neighbor 151.60.120.45 e0
> end
>
>
>
>
>
>
> >From: "John Matijevic" <matijevi@bellsouth.net>
> >Reply-To: "John Matijevic" <matijevi@bellsouth.net>
> >To: "Kenneth Wygand" <KWygand@customonline.com>, <ccielab@groupstudy.com>
> >Subject: Re: Access-list for EIGRP traffic...
> >Date: Wed, 6 Aug 2003 12:21:40 -0400
> >
> >Hello Kenneth,
> >You are correct,
> >The passive-interface for EIGRP blocks the multicast updates, it
> >suppresses the EIGRP hello packets, and will not allow a neighborship to
> >form. It suppresses outgoing routing updates as well as incoming routing
> >updates. You can still form an adjacency by using a distribute-list to
> >allow incoming updates.
> >Thanks for sharing the scenario.
> >Sincerely,
> >Matijevic
> >----- Original Message -----
> >From: "Kenneth Wygand" <KWygand@customonline.com>
> >To: "John Matijevic" <matijevi@bellsouth.net>; <ccielab@groupstudy.com>
> >Sent: Wednesday, August 06, 2003 11:33 AM
> >Subject: RE: Access-list for EIGRP traffic...
> >
> >
> > > John,
> > >
> > > Yes, I am referring to a specific scenario, but not a specific
> > > practice lab. I am referring to a requirement similar to the following:
> > >
> > > R1 (serial) <--> (serial) R2 (ethernet)
> > >
> > > "Place R2's ethernet network in the EIGRP routing process running
> > > between R1 and R2. Have EIGRP updates reach neighbor x.x.x.x on R2's
> > > switched ethernet segment, but keep EIGRP multicasts from exiting R2's
> > > Ethernet interface in an attempt to prevent updates from flowing to
> > > mischievous users on R2's switched ethernet segment sitting on the LAN
> > > with a packet sniffer."
> > >
> > > In this case, it seems to me that "passive-interface" simply blocks the
> > > multicast updates and does nothing more. Is there any additional
> > > functionality of configuring "passive-interface" that I am not aware of?
> > >
> > > Kenneth E. Wygand
> > > Systems Engineer, Project Services
> > > CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> > > Custom Computer Specialists, Inc.
> > > "It's not just about ending up where you want to be, it's about
> > > making the most of the trip there."
> > > -Anonymous
> > >
> > > -----Original Message-----
> > > From: John Matijevic [mailto:matijevi@bellsouth.net]
> > > Sent: Wednesday, August 06, 2003 11:25 AM
> > > To: Kenneth Wygand; ccielab@groupstudy.com
> > > Subject: Re: Access-list for EIGRP traffic...
> > >
> > > Hello Kenneth,
> > > The access-list you mentioned will block all EIGRP traffic.
> > > As far as using the passive-interface command, you really don't need
> > > to use it since EIGRP is a classless protocol; you can define the
> > > network you want to, using the appropriate wildcard bits. Is there a
> > > specific scenario that requires you to use passive-interface under
> > > EIGRP?
> > > Sincerely,
> > > Matijevic
> > > ----- Original Message -----
> > > From: "Kenneth Wygand" <KWygand@customonline.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Wednesday, August 06, 2003 11:12 AM
> > > Subject: Access-list for EIGRP traffic...
> > >
> > >
> > > > When denying EIGRP traffic as interesting on an ISDN line, if you
> > > > simply put:
> > > >
> > > > Access-list 100 deny eigrp any any
> > > >
> > > > Does this block eigrp at the protocol field level, as opposed to a
> > > > packet destination IP address of 224.0.0.10?
> > > >
> > > > If so, then this access list should also block unicast updates as
> > > > per neighbor statements in the EIGRP process configuration as well.
> > > >
> > > > Furthermore, declaring an interface passive appears to only block
> > > > multi/broadcast network advertisements from leaving that interface,
> > > > but specific neighbors can still be specified with neighbor statements
> > > > and protocol updates will then flow via unicast instead, independent
> > > > of the "passive-interface" command.
> > > >
> > > > Can anyone confirm these thoughts?
> > > >
> > > >
> > > >
> > > > Kenneth E. Wygand
> > > > Systems Engineer, Project Services
> > > >
> > > > CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> > > > Custom Computer Specialists, Inc.
> > > >
> > > > "It's not just about ending up where you want to be, it's about
> > > > making the most of the trip there."
> > > > -Anonymous
> > > >
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> > > >
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
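The original question in this thread is whether "access-list 100 deny eigrp any any" matches on the IP protocol field rather than on the 224.0.0.10 destination, and therefore also catches the unicast updates that a neighbor statement produces. The following Python model is an added illustration written for this archive page; it is not Cisco code and not something any poster ran. It models an IOS extended ACL as a first-match list with the implicit deny at the end, treats the "eigrp" keyword as IP protocol 88, and evaluates two constructed EIGRP packets (one to the multicast group, one unicast to 151.60.120.45, the neighbor from the configuration John Hopkins posted) against the thread's access-list 100 and against a contrasting, hypothetical access-list 101 keyed on the destination address instead. Whether a dialer-list then treats a denied packet as uninteresting is outside the model; only the matching is shown.

```python
"""Model of IOS extended access-list matching for EIGRP (illustration added
for this thread, not Cisco code). Shows that a protocol-keyed entry such as
"access-list 100 deny eigrp any any" catches both the 224.0.0.10 multicast
updates and unicast updates to a configured neighbor, while an entry keyed on
the multicast destination catches only the multicast."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

EIGRP_PROTO = 88              # IANA IP protocol number carried by the "eigrp" keyword
EIGRP_MCAST = "224.0.0.10"    # all-EIGRP-routers multicast group
ANY = ipaddress.ip_network("0.0.0.0/0")   # the "any" keyword


def host(addr: str) -> ipaddress.IPv4Network:
    """The "host A.B.C.D" keyword: an exact /32 match."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Packet:
    proto: int    # IP protocol number from the IP header
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: Optional[int]         # None models the "ip" keyword (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        # Protocol is checked first; the destination address plays no part
        # in the decision when the entry says "any" for it.
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# The thread's list, with an explicit permit appended so non-EIGRP traffic passes:
#   access-list 100 deny eigrp any any
#   access-list 100 permit ip any any
ACL_100 = [AclEntry("deny", EIGRP_PROTO, ANY, ANY),
           AclEntry("permit", None, ANY, ANY)]

# Hypothetical contrast keyed on the destination address instead of the protocol:
#   access-list 101 deny ip any host 224.0.0.10
#   access-list 101 permit ip any any
ACL_101 = [AclEntry("deny", None, ANY, host(EIGRP_MCAST)),
           AclEntry("permit", None, ANY, ANY)]

# Constructed sample packets; addresses reuse the E0 example from the thread.
MCAST_UPDATE = Packet(EIGRP_PROTO, "151.60.120.12", EIGRP_MCAST)        # hello/update to the group
UNICAST_UPDATE = Packet(EIGRP_PROTO, "151.60.120.12", "151.60.120.45")  # update to a "neighbor" peer
TELNET = Packet(6, "151.60.120.12", "151.60.120.45")                    # unrelated TCP traffic


def classify(acl: List[AclEntry]) -> Dict[str, str]:
    """Action taken on each sample packet under the given ACL."""
    samples = (("multicast", MCAST_UPDATE), ("unicast", UNICAST_UPDATE), ("telnet", TELNET))
    return {name: evaluate(acl, pkt) for name, pkt in samples}


if __name__ == "__main__":
    for name, acl in (("access-list 100", ACL_100), ("access-list 101", ACL_101)):
        print(name, classify(acl))
```

Under access-list 100 both EIGRP packets are denied regardless of destination, which is the behaviour the original poster suspected; only the destination-keyed access-list 101 lets the unicast update through while still catching the multicast.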



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:54 GMT-3