Mailing List Archive: Cisco: NSP

how to stop broadcast,multicast

 

 



vikassharmas at gmail

Feb 11, 2007, 8:53 AM

Post #1 of 9 (2977 views)
how to stop broadcast,multicast

Hi,

I have 8 routers (not Cisco routers) running OSPF and connected to a 6509
switch. The 6509 is also running OSPF and all are in the same OSPF area. All
routers are connected via a VLAN to the switch, i.e. we have created a VLAN and
all links (from all 8 routers) go into that VLAN. Now, due to some
reason, I want to stop inter-communication between the 8 routers (i.e. only
broadcast). How can I achieve this?

My thought process -

I can implement "protected ports" on the switch. But this will only help me
in not broadcasting within the VLAN and not reaching the other routers (protected
ports stop broadcast, multicast and unicast between protected ports). Once
packets are out of the VLAN (as the OSPF database is already there), broadcast
packets will go back to the routers....

Can I stop these broadcast packets from going back to the routers? I cannot use an
access-list on the VLAN interface, as if any packet with an MTU size of more than
1500 bytes comes in, the access list will drop the 2nd packet onward (ACLs drop
fragmented packets).

Consider that I want to stop packets for ports 135-139 and 445.

Regards
Vikas Sharma
_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


shakeelahmad at gmail

Feb 11, 2007, 9:17 AM

Post #2 of 9 (2941 views)
Re: how to stop broadcast,multicast [In reply to]

One option would be to use the "broadcast storm" feature in IOS, setting its
levels to extreme, but it'll stop every broadcast - not sure how to do it at the
TCP/UDP port level.





mahargk at gmail

Feb 11, 2007, 11:52 AM

Post #3 of 9 (2957 views)
Re: how to stop broadcast,multicast [In reply to]

On 2/11/07, Vikas Sharma <vikassharmas [at] gmail> wrote:
> Hi,
>
> Now due to some reason i want to stop inter communication between
> 8 routers (i.e only broadcast). How can I achieve the same?

That 'some reason' would be pretty important in determining the proper solution.

That said, if all 8 are terminating on the same 6500, why not trash
the common VLAN and walk them over to L3 PtP links w/ the 6500? At
that point, "stopping broadcast and multicast" between them is
obviously implicit in the design.


vikassharmas at gmail

Feb 11, 2007, 10:03 PM

Post #4 of 9 (2931 views)
Re: how to stop broadcast,multicast [In reply to]

Kevin,

In that case also, since all routers and switches are in the same OSPF area, if a
broadcast packet comes it will go to all routers. Creating a separate PtP
link might not help me..

Regards
Vikas Sharma




evans.584 at osu

Feb 12, 2007, 5:44 AM

Post #5 of 9 (2940 views)
Re: how to stop broadcast,multicast [In reply to]

Instead of a VLAN ACL, can you create a port ACL that blocks those ports
and apply it to the 8 interfaces connected to the routers?


Kyle



mahargk at gmail

Feb 12, 2007, 6:17 AM

Post #6 of 9 (2936 views)
Re: how to stop broadcast,multicast [In reply to]

On 2/11/07, Vikas Sharma <vikassharmas [at] gmail> wrote:


> In that case also since all routers and switches are in same ospf area, if a
> broadcast packet come it will go to all routers. creating a seperate ptp
> link might not help me..

I have a feeling LSA flooding and ethernet broadcasts are being confused here...

What is the condition you're trying to address?


vikassharmas at gmail

Feb 12, 2007, 8:15 PM

Post #7 of 9 (2937 views)
Re: how to stop broadcast,multicast [In reply to]

Hi Kevin / Kyle,

There is no Ethernet broadcast. I am in a CDMA network where users are
dialing in using a CDMA phone as a modem. Now, since most of the laptops / PCs have
Windows, they broadcast packets on some particular ports like
135, 136, 137, 137 and 445. Since OSPF is running on my edge router where these
calls are first connected, any broadcast message is reachable to all
IP pools defined over the other 8 routers.

Kyle - a port ACL might not help, as all connections are going to the same VLAN and
the connected switch is also running OSPF with the same process ID. Anyway, can
you please tell me whether a port ACL is the same as private VLANs or protected
ports?

Regards
Vikas Sharma




vikassharmas at gmail

Feb 14, 2007, 2:09 AM

Post #8 of 9 (2933 views)
Re: how to stop broadcast,multicast [In reply to]

Hi Kyle,

We did implement a VACL (VLAN access control list) and we were able to curb
the spurious packets. But the problem with ACLs is that they drop fragmented
packets. Thus we had to remove it.

Regards
Vikas Sharma


On 2/13/07, Kyle Evans <evans.584 [at] osu> wrote:
>
> I'm not sure if I'm missing something obvious here or not, but say you
> have your 8 routers connected to G0/1 - G0/8 on the 6500. Then couldn't you
> do something like this:
>
> access-list 101 remark drop RPC/NetBIOS/SMB traffic from the routers
> access-list 101 deny tcp any any eq 135
> access-list 101 deny udp any any eq 135
> access-list 101 deny tcp any any eq 136
> access-list 101 deny udp any any eq 136
> access-list 101 deny tcp any any eq 137
> access-list 101 deny udp any any eq 137
> access-list 101 deny tcp any any eq 138
> access-list 101 deny udp any any eq 138
> access-list 101 deny tcp any any eq 139
> access-list 101 deny udp any any eq 139
> access-list 101 deny tcp any any eq 445
> access-list 101 deny udp any any eq 445
> access-list 101 permit ip any any
>
> Then on interfaces G0/1 through G0/8 put the following command
>
> ip access-group 101 in
>
>
> That should block all traffic coming into the 6500 on those ports.
>
>
>
> Kyle


vikassharmas at gmail

Feb 14, 2007, 11:22 PM

Post #9 of 9 (2927 views)
Re: how to stop broadcast,multicast [In reply to]

All ACLs will by default drop fragmented packets. Yes, you can enable the
feature to bypass fragmented packets, but that is firewall-specific. Our
IOS does not support that command.

Regards
Vikas Sharma


On 2/14/07, Kyle Evans <evans.584 [at] osu> wrote:
>
> Does it drop all fragmented packets? I think the ACL is supposed to
> process fragmented packets, and there is even a fragments keyword to help
> process them. Can you post what the ACL you are using is?
>
> Here is a link to some info on cisco's site about ACLs and fragmented
> packets:
>
> http://www.cisco.com/warp/public/105/acl_wp.html
>
>
> Kyle
>

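The fragment-handling rules from the Cisco paper Kyle links above, worked through as an added example (not code from the thread): a small Python model of how an IOS extended ACL evaluates non-fragmented packets, initial fragments and non-initial fragments against Kyle's list, and against a variant that puts a `fragments` ACE in front. The Packet and Ace types are constructed for the illustration and are not IOS data structures.

```python
# Model of how a Cisco IOS extended ACL evaluates IP fragments, following the
# "Access Control Lists and IP Fragments" paper Kyle links above:
#  - an ACE with only layer-3 info applies to every packet, fragments included;
#  - an ACE with layer-4 info (ports) is checked normally against non-fragments
#    and initial fragments; a non-initial fragment has no L4 header, so a
#    matching 'permit' still permits it while a matching 'deny' is skipped;
#  - an ACE with the 'fragments' keyword matches non-initial fragments only;
#  - an implicit 'deny ip any any' ends every list.
# Packet and Ace are constructed for this illustration, not IOS data types.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or another IP protocol
    dst_port: Optional[int]  # None when this fragment carries no L4 header
    frag_offset: int = 0     # > 0 marks a non-initial fragment

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches any protocol
    dst_port: Optional[int] = None  # layer-4 information, if any
    fragments: bool = False         # the 'fragments' keyword

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    non_initial = pkt.frag_offset > 0
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.fragments:                  # restricted to non-initial fragments
        return non_initial
    if ace.dst_port is None:           # L3-only ACE applies to everything
        return True
    if non_initial:                    # no L4 header to compare against
        return ace.action == "permit"  # permit matches, deny is skipped
    return pkt.dst_port == ace.dst_port

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; the implicit deny closes every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Kyle's list: deny tcp/udp to 135-139 and 445, then permit ip any any.
KYLE_ACL = [Ace("deny", p, port) for port in (135, 136, 137, 138, 139, 445)
            for p in ("tcp", "udp")] + [Ace("permit")]
# Variant that also drops every non-initial fragment before the port checks.
FRAG_ACL = [Ace("deny", fragments=True)] + KYLE_ACL
```

Under these rules Kyle's list denies the first fragment of a port-445 flow (it still carries the TCP header) but lets the later fragments fall through to the final permit, whereas the variant with the `fragments` ACE denies those later fragments regardless of port.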