Re: Problem in restricting a Device to Intercept EIGRP updates

From: Derek Pocoroba (dpocoroba@gmail.com)
Date: Thu Feb 07 2008 - 05:59:45 ARST


Anshuk,

You could look into using a combination of an ACL, Static MAC and disabling
IGMP snooping. The function of IGMP snooping is to detect what ports will
need multicast. If you turn it off you can statically configure what ports
will get the EIGRP updates in this case. Something along these lines.

!
no ip igmp snooping vlan 1
!
interface FastEthernet0/10
ip access-group EIGRP_DENY in
!
mac-address-table static 0100.5e00.000a vlan 1 interface FastEthernet0/11 FastEthernet0/12
!
ip access-list extended EIGRP_DENY
deny eigrp any any
permit ip any any

0100.5e00.000a maps to the multicast MAC address for 224.0.0.10

It's not an easy workout but something to add to your bag of tricks.

HTH

On Feb 5, 2008 1:55 AM, Anshuk Kesarwani <anshuk.ccie@gmail.com> wrote:

> Hi,
>
> I came across a scenario in which I needed to restrict interception of
> EIGRP updates by the backbone router without using the neighbor command.
>
> The scenario: the backbone is connected on Ethernet with many routers in
> the EIGRP domain, and we want to restrict only the backbone from
> intercepting the EIGRP packets.
>
> I have a few solutions in mind; please comment on whether they are correct
> or not.
>
> 1) I can use authentication on all the routers; this will stop the backbone
> from getting the EIGRP updates. But the backbone is still getting the EIGRP
> updates in this case. The only fact is that they are in encrypted format,
> which I think may be a wrong solution, as the backbone is receiving the
> updates even though it is not able to install routes.
>
> 2) I thought of putting a VLAN access-map and dropping EIGRP packets to the
> IP of the backbone in the VLAN in which all the routers are. Then there is
> the problem that the EIGRP updates are sent to a multicast address, not as
> unicast. Again I am confused, as now this will also not solve the purpose.
>
> 3) I can think of just putting an extended *access list deny eigrp
> any any* and putting it on the port where the backbone is connected.
>
> I may sound a bit confused to a few of you.
>
> Please pour in your valuable comments.
>
> Regards
>
> Anshuk Kesarwani
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Derek Pocoroba
CCIE #18559
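As an added example (not part of the thread or Cisco's own tooling), the IPv4-to-Ethernet multicast mapping behind the "0100.5e00.000a maps to 224.0.0.10" statement in the reply, the IOS static MAC line built from it, and the aliasing check worth running before pinning that MAC: the mapping discards 5 bits, so 32 different groups share the same destination MAC and a static entry forwards all of them. Function names and the constructed sample values are my own.

```python
import ipaddress

# Added example, not from the thread: the IPv4-to-Ethernet multicast mapping
# behind the "0100.5e00.000a maps to 224.0.0.10" statement above, plus the
# aliasing check a practitioner wants before pinning that MAC with a static
# mac-address-table entry. Function names are my own.

MAC_PREFIX = 0x01005E000000      # 01-00-5E-00-00-00, IANA OUI for IPv4 multicast
LOW23_MASK = 0x7FFFFF            # only the low 23 bits of the group survive


def ipv4_multicast_to_mac(group):
    """Return the Cisco dotted-hex MAC (e.g. '0100.5e00.000a') for an IPv4
    multicast group, per RFC 1112 section 6.4."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = MAC_PREFIX | (int(addr) & LOW23_MASK)
    hexdigits = f"{mac:012x}"
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def groups_sharing_mac(group):
    """All 32 groups whose frames carry the same destination MAC as `group`.

    The mapping drops 5 of the 28 group bits, so 224.0.0.10, 224.128.0.10,
    225.0.0.10 ... 239.128.0.10 all become 0100.5e00.000a. A static entry for
    that MAC therefore forwards every one of these groups to the listed ports,
    not just EIGRP's 224.0.0.10.
    """
    low23 = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23))
            for i in range(32)]


def static_mac_entry(group, vlan, interfaces):
    """Build the IOS 'mac-address-table static' line for `group` on `vlan`,
    restricted to `interfaces` (the form used in the reply above)."""
    return (f"mac-address-table static {ipv4_multicast_to_mac(group)} "
            f"vlan {vlan} interface {' '.join(interfaces)}")


if __name__ == "__main__":
    print(ipv4_multicast_to_mac("224.0.0.10"))          # 0100.5e00.000a
    print(static_mac_entry("224.0.0.10", 1,
                           ["FastEthernet0/11", "FastEthernet0/12"]))
    print(groups_sharing_mac("224.0.0.10"))             # 32 aliased groups
```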


This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:47 ARST