Re: Deny OSPF neighbor relationship using access list

From: Paul Cosgrove (paul.cosgrove@heanet.ie)
Date: Tue Jun 24 2008 - 12:10:10 ART


deny ospf to 224.0.0.5 and 224.0.0.6 (not .4)

bkvalentine@gmail.com wrote:
> I'm by no means a security expert. Try applying the ACL to the control plane. From what I understand, traffic to and from the ASA can be filtered there. Traffic going through the ASA can be filtered on the interfaces.
>
> Maybe a better way to accomplish this... Try making the interfaces passive in OSPF and specify your specific neighbors. This would stop the ASA from flooding out the multicast hellos and have it send unicast instead. At least we can do that on a router. I would assume you can also do this on the ASA.
>
>
> Sent via BlackBerry from T-Mobile
>
> -----Original Message-----
> From: ISolveSystems <support@isolvesystems.com>
>
> Date: Tue, 24 Jun 2008 09:23:40
> To:"Cisco certification" <ccielab@groupstudy.com>, "Cisco certification" <security@groupstudy.com>
> Subject: Deny OSPF neighbor relationship using access list
>
>
> Hello Expert,
> I am trying to deny OSPF from forming a relationship between ASAs. I tried
> the following without success. 1.1.1.1 is the neighbor IP address.
> 1.1.1.2 is the local interface IP.
>
> access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
> access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
> access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
> access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
> access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4
>
> Any idea?
>
> Thanks.
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel:  +353.1.6609040
Web:  http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.
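
An added example, not part of the thread: a short Python check that reads ACL entries in the form posted above and reports, for one peer, what the first matching entry does with OSPF sent to each of the two groups named in the reply (224.0.0.5 and 224.0.0.6). It parses only `host ... host ...` entries; the function names and the CORRECTED list are constructed for this example.

```python
import re

# OSPFv2 multicast destinations (RFC 2328): the two groups named in the reply.
OSPF_GROUPS = {"224.0.0.5": "AllSPFRouters", "224.0.0.6": "AllDRouters"}

# Only the simple form used in the thread is parsed:
#   access-list NAME extended <permit|deny> <proto> host SRC host DST
ENTRY = re.compile(
    r"access-list\s+\S+\s+extended\s+(permit|deny)\s+(\S+)"
    r"\s+host\s+(\S+)\s+host\s+(\S+)\s*$"
)

def parse_acl(text):
    """Return (action, proto, src, dst) tuples in configuration order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def audit_ospf_filter(text, peer):
    """Per OSPF group: action of the first entry matching peer -> group, or None."""
    entries = [e for e in parse_acl(text) if e[2] == peer and e[1] in ("ospf", "ip")]
    groups = {}
    for group in OSPF_GROUPS:
        # First matching entry wins, as in ACL evaluation order.
        groups[group] = next((a for a, _, _, d in entries if d == group), None)
    # Deny entries aimed at a 224.0.0.x group that OSPF does not use.
    stray = sorted({d for a, _, _, d in entries
                    if a == "deny" and d.startswith("224.0.0.") and d not in OSPF_GROUPS})
    return {"groups": groups, "stray": stray}

# The ACL as posted in the thread.
POSTED = """
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 1.1.1.2
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.5
access-list DMZ-IN extended deny ospf host 1.1.1.1 host 224.0.0.4
access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.5
access-list DMZ-IN extended deny ip host 1.1.1.1 host 224.0.0.4
"""
# Constructed for this example: the same list with .4 changed to .6 per the reply.
CORRECTED = POSTED.replace("224.0.0.4", "224.0.0.6")

if __name__ == "__main__":
    for label, acl in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, audit_ospf_filter(acl, "1.1.1.1"))
```

A `None` result means no parsed entry matches that group, so the packet falls through to whatever follows in the list; the check says nothing about where the ACL is applied.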



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:23 ART