Re: Access-list for EIGRP traffic...

From: John Matijevic (matijevi@bellsouth.net)
Date: Wed Aug 06 2003 - 13:21:40 GMT-3


Hello Kenneth,
You are correct,
The passive-interface for EIGRP blocks the multicast updates, it suppresses
the EIGRP hello packets, and will not allow a neighborship to form. It
suppresses outgoing routing updates as well as incoming routing updates. You
can still form an adjacency by using a distribute-list to allow incoming
updates.
Thanks for sharing the scenario.
Sincerely,
Matijevic
----- Original Message -----
From: "Kenneth Wygand" <KWygand@customonline.com>
To: "John Matijevic" <matijevi@bellsouth.net>; <ccielab@groupstudy.com>
Sent: Wednesday, August 06, 2003 11:33 AM
Subject: RE: Access-list for EIGRP traffic...

> John,
>
> Yes, I am referring to a specific scenario, but not a specific practice
> lab. I am referring to a requirement similar to the following:
>
> R1 (serial) <--> (serial) R2 (ethernet)
>
> "Place R2's ethernet network in the EIGRP routing process running
> between R1 and R2. Have EIGRP updates reach neighbor x.x.x.x on R2's
> switched ethernet segment, but keep EIGRP multicasts from exiting R2's
> Ethernet interface in an attempt to prevent updates from flowing to
> mischievous users on R2's switched ethernet segment sitting on the LAN
> with a packet sniffer."
>
> In this case, it seems to me that "passive-interface" simply blocks the
> multicast updates and does nothing more. Is there any additional
> functionality of configuring "passive-interface" that I am not aware of?
>
> Kenneth E. Wygand
> Systems Engineer, Project Services
> CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> Custom Computer Specialists, Inc.
> "It's not just about ending up where you want to be, it's about making
> the most of the trip there."
> -Anonymous
>
> -----Original Message-----
> From: John Matijevic [mailto:matijevi@bellsouth.net]
> Sent: Wednesday, August 06, 2003 11:25 AM
> To: Kenneth Wygand; ccielab@groupstudy.com
> Subject: Re: Access-list for EIGRP traffic...
>
> Hello Kenneth,
> The access-list you mentioned will block all eigrp traffic.
> As far as using the passive-interface command, you really don't need to
> use it since EIGRP is a classless protocol, you can define the network you
> want to, using the appropriate wild card bits. Is there a specific scenario
> that requires you to use passive-interface under EIGRP?
> Sincerely,
> Matijevic
> ----- Original Message -----
> From: "Kenneth Wygand" <KWygand@customonline.com>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, August 06, 2003 11:12 AM
> Subject: Access-list for EIGRP traffic...
>
>
> > When denying EIGRP traffic as interesting on an ISDN line, if you
> > simply put:
> >
> >
> >
> > Access-list 100 deny eigrp any any
> >
> >
> >
> > Does this block eigrp at the protocol field level, as opposed to a
> > packet destination IP address of 224.0.0.10?
> >
> >
> >
> > If so, then this access list should also block unicast updates as per
> > neighbor statements in the EIGRP process configuration as well.
> >
> >
> >
> > Furthermore, declaring an interface passive appears to only block
> > multi/broadcast network advertisements from leaving that interface,
> > but specific neighbors can still be specified with neighbor statements
> > and protocol updates will then flow via unicast instead, independent of
> > the "passive-interface" command.
> >
> >
> >
> > Can anyone confirm these thoughts?
> >
> >
> >
> > Kenneth E. Wygand
> > Systems Engineer, Project Services
> >
> > CISSP #37102, CCNP, CCDP, MCP 2000, CNA 5.1, Network+, A+
> > Custom Computer Specialists, Inc.
> >
> > "It's not just about ending up where you want to be, it's about making
> > the most of the trip there."
> > -Anonymous
> >
> >
> >
> > _____________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
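
Added example, not part of the original thread: a Python sketch of the question raised in the first post, whether `deny eigrp any any` keys on the IP protocol field or on the 224.0.0.10 destination address. The matcher is a simplified model of extended access-list entry matching, the `BY_DEST` entry is a hypothetical comparison, and the packets are constructed with documentation addresses.

```python
import ipaddress
import struct

EIGRP_PROTO = 88  # IANA-assigned IP protocol number for EIGRP
ANY = ipaddress.ip_network("0.0.0.0/0")

def ipv4_header(proto, src, dst):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def parse(header):
    """Return (protocol, source, destination) from an IPv4 header."""
    return (header[9],
            ipaddress.ip_address(header[12:16]),
            ipaddress.ip_address(header[16:20]))

def ace_matches(ace, header):
    """ace = (protocol number, or None for the 'ip' keyword, src net, dst net)."""
    want_proto, src_net, dst_net = ace
    proto, src, dst = parse(header)
    return ((want_proto is None or want_proto == proto)
            and src in src_net and dst in dst_net)

# 'access-list 100 deny eigrp any any' from the thread: protocol keyword, any/any.
BY_PROTOCOL = (EIGRP_PROTO, ANY, ANY)
# Hypothetical entry keyed on the multicast destination only
# (modelled on 'deny ip any host 224.0.0.10'); not from the thread.
BY_DEST = (None, ANY, ipaddress.ip_network("224.0.0.10/32"))

# Constructed sample packets using documentation addresses.
SAMPLES = {
    "multicast hello": ipv4_header(88, "192.0.2.1", "224.0.0.10"),
    "unicast update to neighbor": ipv4_header(88, "192.0.2.1", "192.0.2.2"),
    "icmp to neighbor": ipv4_header(1, "192.0.2.1", "192.0.2.2"),
}

def classify():
    """Map each sample to (matched by protocol entry, matched by destination entry)."""
    return {name: (ace_matches(BY_PROTOCOL, hdr), ace_matches(BY_DEST, hdr))
            for name, hdr in SAMPLES.items()}

if __name__ == "__main__":
    for name, (by_proto, by_dest) in classify().items():
        print(f"{name:28} protocol-entry={by_proto!s:5} dest-entry={by_dest}")
```

The protocol-keyed entry matches the unicast EIGRP packet as well as the multicast one, while the destination-keyed entry misses the unicast packet.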



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:54 GMT-3