From: Arun Arumuganainar (aarumuga@hotmail.com)
Date: Fri Nov 11 2005 - 05:38:45 GMT-3
Hi all,
I think Cisco recommends only the access-list solution!!
Please see the security alert posted on CCO. The alert talks about a
vulnerability that arises when more than 255 hosts try to establish a neighbor
relationship with a router. This has the potential to bring down the router.
http://www.cisco.com/en/US/tech/tk365/technologies_security_advisory09186a008014ac50.shtml
Solution: Drop all the unwanted hello packets!!! This is the crux of the
question. I sincerely believe the designer of the question must have taken
a lead from this alert.
Hence ACL is the working solution and it is also recommended by Cisco.
Thanks and Regards
Arun
> -----Original Message-----
> From: "De Witt, Duane" <duane.dewitt@siemens.com>
> To: "Jaycee Cockburn - BCX SS" <Jaycee.Cockburn@bcx.co.za>, "Leigh
> Harrison" <ccileigh@gmail.com>
> Date: Thu, 10 Nov 2005 14:58:44 +0200
> Subject: RE: OSPF Hello's
>
> So we're back to one solution which is the access-list on SW2. Thanks
> for the clarification :)
>
> -----Original Message-----
> From: Jaycee Cockburn - BCX SS [mailto:Jaycee.Cockburn@bcx.co.za]
> Sent: 10 November 2005 01:48 PM
> To: De Witt, Duane; Leigh Harrison
> Cc: Cisco certification
> Subject: RE: OSPF Hello's
> Importance: High
>
> Hi All,
> Bad news, database-filter doesn't filter hello packets, only LSAs...
> You can test it quickly: enable it on an Ethernet interface and watch the neighbor
> relationships go down and then come up again...
>
> Sorry, but good thought process!
> Had me thinking too....
> Cheers
> JC
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> De Witt, Duane
> Sent: 10 November 2005 01:25 PM
> To: Leigh Harrison
> Cc: Cisco certification
> Subject: RE: OSPF Hello's
>
> Hi
>
> Thanks. I think that the database-filter would be better than setting
> non-broadcast, but the access-list is probably the best way. At least I
> know a few ways of doing this now :)
>
> -----Original Message-----
> From: Leigh Harrison [mailto:ccileigh@gmail.com]
> Sent: 10 November 2005 01:20 PM
> To: De Witt, Duane
> Cc: Cisco certification
> Subject: Re: OSPF Hello's
>
> Hey there Duane,
>
> There are 2 ways of doing this (actually, there are probably loads, but
> 2 that I know of) on a switch.
>
> Use an access-list to stop the packets going through.
> Use "ip ospf database-filter all out"
>
> Have a crack at setting it to non-broadcast though - that /should/ do
> it.
>
> LH
>
> De Witt, Duane wrote:
>
> >Hi Group
> >
> >In IEWB V2 Lab4 5.13-15:
> >
> >Do not allow hosts in VLAN3 to intercept R3's OSPF hello packets and do
> >not use passive-interface.
> >
> >The suggested solution is an access-list on SW2 to deny OSPF on R3's
> >interface.
> >
> >Would another solution be to set the FE interface on R3 to
> >non-broadcast?
> >
> >Regards
> >
> >Duane
> >
> >____________________________________________
> >SIEMENS Siemens Business Services
> >Siemens Service Center
> >126 14th Road
> >Erand Gardens
> >Midrand
> >South Africa
> >* +27 11 5452555
> >* +27 83 4452768
> >* +27 11 5415219
> >* duane.dewitt@siemens.com <mailto:duane.dewitt@siemens.com>
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:06 GMT-3
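The access-list approach the thread settles on, written out as an added example (not posted by anyone in the thread and not the IEWB solution itself). Assumed: SW2 is a Catalyst running IOS with VLAN access-map (VACL) support, VLAN 3 carries only R3 and the hosts (the filter drops OSPF in both directions, so no other OSPF speaker may sit in that VLAN), and the interface name is a placeholder.

```ios
! Constructed example for SW2 (assumed: Catalyst IOS with VACL support).
! OSPF is carried directly in IP as protocol 89; "ospf" is the IOS ACL keyword.
! A VACL clause matches the packets the referenced ACL *permits*, so the ACL
! below selects OSPF and the map drops it. Everything else falls through to
! clause 20 and is forwarded. Because the drop applies to all OSPF switched
! inside VLAN 3, hosts never see R3's hellos (224.0.0.5/224.0.0.6) and R3 never
! sees hellos sent by hosts, which also covers the many-neighbors condition
! Arun points at. R3's interface stays a normal, non-passive OSPF interface.
ip access-list extended OSPF-ONLY
 permit ospf any any
!
vlan access-map VLAN3-NO-OSPF 10
 match ip address OSPF-ONLY
 action drop
vlan access-map VLAN3-NO-OSPF 20
 action forward
!
vlan filter VLAN3-NO-OSPF vlan-list 3
!
! Alternative that matches the wording "deny OSPF on R3's interface": a port
! ACL on R3's switchport (placeholder FastEthernet0/3). Port ACLs on L2 ports
! are inbound only, so this drops R3's hellos as they enter SW2.
ip access-list extended DENY-OSPF
 deny ospf any any
 permit ip any any
interface FastEthernet0/3
 ip access-group DENY-OSPF in
!
! Verification on SW2:
! show vlan access-map VLAN3-NO-OSPF
! show vlan filter
! Note: "ip ospf database-filter all out" on R3 does not achieve this, as JC
! tested: it suppresses LSA flooding (Link State Updates), not hello packets,
! so hosts still receive hellos and adjacencies still form.
```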