From: Varghese Thomas (vnthomas2@hotmail.com)
Date: Wed Nov 12 2003 - 14:07:59 GMT-3
Hello Darrel,
thanks for your inputs and comments added.
1. Both routers are connected via a cross-cable and each LAN segment is a
separate collision & broadcast domain.
2. Rest of the interfaces do not have cables connected, but 'no keepalive'
configured on those interfaces
3. IMHO, both ip redirect & proxy-arp are not relevant here; Anyway, I
disabled them, but still both routers respond to broadcast pings
4. All routers have ip directed-broadcast disabled by default.
Any input on this would be highly appreciated.
Tx n Rd
----- Original Message -----
From: Darrell Burnett
To: Varghese Thomas ; ccielab@groupstudy.com
Sent: Wednesday, November 12, 2003 10:05 AM
Subject: Re: IP directed-broadcast
Thomas,
1. When you ping are you pinging from 172.16.1.0?
2. What do your collision domains/broadcast domains look like?
Are all interfaces plugged into the same hub/switch?
If all interfaces are plugged into the same switch, are the respective
interfaces segregated into VLANs?
3. When you want directed-broadcasts contained, it is usually a good idea to
also issue "no ip redirects" (if all of your interfaces are in the same
collision domain this could be the issue for the 12.2.15T5 code), and also
issue the command "no ip proxy-arp". Resolve all host based forwarding issues
by assigning default gateways at the host, or use "ip helper-address" command.
4. Chances are your 12.2.8T5(IP/FW/IDS PLUS IPSEC 3DES) code is also disabling
ip redirects by default.
Darrell
----- Original Message -----
From: Varghese Thomas
To: ccielab@groupstudy.com
Sent: Tuesday, November 11, 2003 12:56 PM
Subject: IP directed-broadcast
Hello
I have following setup with all interfaces disabled for ip direct-broadcast
and routers are running 12.2.15T5
--e0(172.16.1.0/24)-Router1-e1--(172.16.12.0/24)--e0-Router2---e1(172.16.2.0/24).
When I ping from Router1 to either 172.16.2.0 or 172.16.2.255, Router2
responds and vice-versa; when Router2 pings either 172.16.1.0 or 172.16.1.255,
Router1 responds.
I was told the following - If the destination network is directly attached and
ip forward directed-broadcasts is disabled then the router replies on behalf
of the subnet but does not forward the broadcast out onto the subnet.
However I have another router running 12.2.8T5(IP/FW/IDS PLUS IPSEC 3DES)
which does not respond to such broad-cast addresses.
Which is normal behaviour? If it is not normal that router should respond to
such ping request, how can I block it without using specific ACLs?
Thanks in advance.
Tx n RD
_______________________________________________________________________
Please help support GroupStudy by purchasing your study materials from:
http://shop.groupstudy.com
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:11 GMT-3