As Louis sais he still sees EIGRP hello's even after making the
interfaces passive.
I have to lab that up to be sure :-)
--
Regards,
Rick Mur
CCIE2 #21946 (R&S / Service Provider)
Juniper JNCIA-ER & JNCIA-EX
MCSA:Messaging, MCSE
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
On 20 aug 2009, at 18:57, prakash patel wrote:
correction
Hellos are generated by eigrp but ACL prevented them.
From: [email protected]
To: [email protected]; [email protected]
Date: Thu, 20 Aug 2009 12:50:09 -0400
CC: [email protected]
Subject: Re: [OSL | CCIE_RS] How to disable EIGRP hellos?
Here is 2 cents
Passive is the real disable ( no generation of hello packet)
ACL is for just preventing to get the hellos packets out . Hellos
are generated by ACL but prevented.
> From: [email protected]
> To: [email protected]
> Date: Thu, 20 Aug 2009 18:19:06 +0200
> CC: [email protected]
> Subject: Re: [OSL | CCIE_RS] How to disable EIGRP hellos?
>
> Then it's not possible by any regular feature to disable hello's.
It's
> not really a risk since when making it passive it will never form a
> neighbor on that segment and there is not really much information in
> the hello's that could be a security risk.
>
> If you really want to disable it a redistribute connected with a
route-
> map to specify the interfaces would work or an access-list
outgoing on
> the interface with a 'deny eigrp any any'.
>
>
> --
> Regards,
>
> Rick Mur
> CCIE2 #21946 (R&S / Service Provider)
> Juniper JNCIA-ER & JNCIA-EX
> MCSA:Messaging, MCSE
> Sr. Support Engineer – IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On 20 aug 2009, at 18:09, Louis S wrote:
>
> > That's what I thought, but after putting on passive-interface on
> > user facing port and then sniffing on that port, I can still see
> > EIGRP HELLO's
> >
> > --- On Thu, 8/20/09, Rick Mur <[email protected]> wrote:
> >
> >> From: Rick Mur <[email protected]>
> >> Subject: Re: [OSL | CCIE_RS] How to disable EIGRP hellos?
> >> To: "Louis S" <[email protected]>
> >> Cc: "osl" <[email protected]>
> >> Date: Thursday, August 20, 2009, 11:59 AM
> >> Passive-interface should be enough
> >> for disabling sending hello's as the hello's are part of the
> >> neighbor relationship process. If there is no need for
> >> redistribution I wouldn't do it. Try debug ip packet to see
> >> on which interfaces EIGRP packets are sent out (packets with
> >> protocol number 88).
> >>
> >>
> >> --Regards,
> >>
> >> Rick Mur
> >> CCIE2 #21946 (R&S / Service Provider)
> >> Juniper JNCIA-ER & JNCIA-EX
> >> MCSA:Messaging, MCSE
> >> Sr. Support Engineer – IPexpert, Inc.
> >> URL: http://www.IPexpert.com
> >>
> >> On 20 aug 2009, at 17:25, Louis S wrote:
> >>
> >>> Hi all,
> >>>
> >>> I can't remember there being an option for this but
> >> wanted to double-check here.
> >>>
> >>> If you run Layer3 to the access-layer, is there a way
> >> to disable EIGRP hello's being sent to user ports? I
> >> tried passive-interface which will prevent neighbor's from
> >> forming but can't remember how to disable hello's being
> >> sent.
> >>>
> >>> The only thing I could think would be only enabling
> >> EIGRP on the uplink ports to the distribution and instead of
> >> putting user subnet in EIGRP via the network command,
> >> redistribute connected networks and maybe that will stop
> >> users from hearing hellos.
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> For more information regarding industry leading CCIE
> >> Lab training, please visit www.ipexpert.com
> >>
> >>
> >
> >
> >
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
Get back to school stuff for them and cashback for you. Try Bing™ now.
With Windows Live, you can organize, edit, and share your photos.
Click here.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
