From: Scott Morris (smorris@internetworkexpert.com)
Date: Tue Dec 16 2008 - 12:19:18 ARST
But at every point OTHER than the ending router, that packet is NOT a
broadcast... It's just an IP packet. Only the ending station knows it's a
broadcast.
Think about summarization and supernetting. You have a bunch of /28
LANs in your network. If you advertise a /22 out to your business partners,
they may know what the broadcast of THAT network is, but they have no idea
whether any other address is actually a broadcast or just a host IP.
Now, you COULD filter at your edge links anything destined for each link's
broadcast address, but that's something you'd need to constantly update and
keep up with.
HTH,
Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
Senior CCIE Instructor
smorris@internetworkexpert.com
Knowledge is power.
Power corrupts.
Study hard and be Eeeeviiiil......
-----Original Message-----
From: Roger RPF [mailto:rpf@bluemail.ch]
Sent: Tuesday, December 16, 2008 9:10 AM
To: 'Scott Morris'; 'John Edom'; 'Cisco certification'
Subject: AW: IP Directed-Broadcast
Hi Scott,
But to me, the strange stuff with this command is that the ACL is
implemented on the destination network, where the broadcast will be sent to.
So o.k., that protects that particular network, but if someone is doing an
attack, these broadcasts are still sent over the whole network... and then
get dropped at the destination (in the ACL).
Somehow, it would be better to already block these unwanted directed
broadcasts somehow on the source, isn't it? But there is no possibility to do
that... no?
regards
Roger
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Tuesday, 16 December 2008 05:29
To: 'John Edom'; 'Cisco certification'
Subject: RE: IP Directed-Broadcast
The doc CD notes "Standard access list number in the range from 1 to 199. If
specified, a broadcast must pass the access list to be forwarded. "
So following that logic... You are putting a restriction such that only
SOME directed broadcasts (e.g. from trusted sources) would be allowed.
Anyone else, presumably attacking your network, would still be denied.
Thus, to open up this functionality for particular problem solutions
(multicast helpers?) you are not also opening up your network to a large
security hole.
HTH,
Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
Senior CCIE Instructor
smorris@internetworkexpert.com
Knowledge is power.
Power corrupts.
Study hard and be Eeeeviiiil......
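The three settings Scott is contrasting (dropped, forwarded for anyone, forwarded only for ACL-permitted sources), as an added IOS configuration example that is not from the thread; the interface name, the 192.0.2.0/28 LAN, the trusted host 198.51.100.10 and ACL number 10 are assumed:

```cisco
! Added example, not from the thread. Assumes the LAN 192.0.2.0/28 sits behind
! GigabitEthernet0/1 (directed-broadcast address 192.0.2.15) and that
! 198.51.100.10 is the only host that legitimately needs to reach it.
!
! 1) Default since IOS 12.0 and the safe baseline: a packet arriving for
!    192.0.2.15 is dropped, never turned into a layer-2 broadcast on the LAN.
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.240
 no ip directed-broadcast
!
! 2) Weak: every packet for 192.0.2.15 from any source is flooded to every
!    station on the LAN. This is the hole Scott refers to.
interface GigabitEthernet0/1
 ip directed-broadcast
!
! 3) Restricted: the broadcast is only forwarded when the packet's SOURCE
!    passes standard ACL 10; anything else is dropped (and logged here so the
!    attempt shows up in syslog).
access-list 10 permit host 198.51.100.10
access-list 10 deny   any log
interface GigabitEthernet0/1
 ip directed-broadcast 10
```

Check the active state with `show ip interface GigabitEthernet0/1`, which reports whether directed broadcast forwarding is enabled or disabled on that interface.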
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John
Edom
Sent: Monday, December 15, 2008 11:18 PM
To: Cisco certification
Subject: IP Directed-Broadcast
Hi,
Can anyone explain to me when and why we use an ACL with the command "ip
directed-broadcast"? I tried to grasp the concept of this from UniverCD but
couldn't.
Other question, can we see what are
Thanks
This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:08 ARST