S5720EI and blocking OSPF on access ports

Created Apr 12, 2016 22:34:55 | Latest reply Apr 13, 2016 17:52:20

Hi everyone

I'm experimenting and I have a question about OSPF on a L3 switch (S5720). If I want to implement OSPF on a S5720 to interconnect VLANIFs, which way is the BEST way to secure normal access (terminal or client facing) ports, like g0/0/x, from forming adjacencies (attacks)?

Using silent-interface on g0/0/x?
Creating an ACL and filtering the OSPF Multicast Group on g0/0/x?
Enable authentication hmac-sha256 for OSPF?
All? Other?

Thank you for your input.


lizhuzhu     Created Apr 13, 2016 10:03:22 Helpful(0)

I think you want to avoid access ports sending or receiving OSPF, right?

You can create ACL to filter OSPF packets.


edv_tj     Created Apr 13, 2016 13:48:00 Helpful(0)

"I think you want to avoid access ports sending or receiving OSPF, right?"

Yes. I was wondering if there was another mechanism of controlling where HELLOs get sent out.
But if an ACL is the only way to stop it, I'll do it with an ACL.

Implementing authentication seems like a good thing to do, too.

Thank you!


edv_tj     Created Apr 13, 2016 17:52:20 Helpful(0)

Here is my experimental setup and how I tried it:

Ports 1-12: in VLAN 10 with VLANIF10 and IP 192.168.1.1 26
Ports 13-24: in VLAN 20 with VLANIF20 and IP 192.168.1.65 26
Ports 25-36: in VLAN 30 with VLANIF30 and IP 192.168.1.129 26
Ports 37-48: in VLAN 40 with VLANIF40 and IP 192.168.1.193 26
XGigabitEthernet0/0/1 with IP 172.16.1.1 30, NBMA to the other switch.

So, I partitioned the switch L3-wise.

Everything works in this experiment. But the VLANIFs are spilling OSPF HELLOs on each port in their VLAN (e.g. g0/0/3). I wanted to stop that.

I set an extended ACL with a rule to deny OSPF (rule deny ospf). I set a traffic classifier (if-match acl 3000), behavior (deny, denied already by ACL) and then I put everything in a traffic policy.

I applied the traffic policy directly to g0/0/1 inbound and outbound for this experiment. Guess what: it did not work.
It works when I apply the traffic-policy to VLAN 10 outgoing.

Is there a flow chart available which shows when and how traffic-policies are applied?

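For reference, here is a consolidated VRP configuration for the setup described in this thread. It is added as an illustration and is not taken from the poster's switch: it combines the poster's ACL/traffic-policy approach, applied outbound on the VLAN where they reported it working, with the silent-interface and hmac-sha256 options raised in the original question. The names c_ospf, b_deny and p_no_ospf, the key-id 1 and the key placeholder are assumptions; VLAN 20 to 40 would be configured the same way as VLAN 10.

```text
acl number 3000
 rule 5 deny ospf
#
traffic classifier c_ospf
 if-match acl 3000
#
traffic behavior b_deny
 deny
#
traffic policy p_no_ospf
 classifier c_ospf behavior b_deny
#
vlan 10
 traffic-policy p_no_ospf outbound
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.192
 ospf authentication-mode hmac-sha256 1 cipher <KEY-PLACEHOLDER>
#
interface XGigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.252
 ospf authentication-mode hmac-sha256 1 cipher <KEY-PLACEHOLDER>
#
ospf 1
 silent-interface Vlanif10
 silent-interface Vlanif20
 silent-interface Vlanif30
 silent-interface Vlanif40
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.3
#
```

silent-interface stops the VLANIF from sending HELLOs and from accepting OSPF packets while its connected route is still advertised, so no adjacency can be formed through the access ports even if the traffic policy is removed; the VLAN-level policy and the authenticated uplink then act as a second layer.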
