S5720EI and blocking OSPF on access ports

Latest reply: Apr 13, 2016 09:52:20

Hi everyone

I'm experimenting and I have a question about OSPF on an L3 switch (S5720). If I want to implement OSPF on an S5720 to interconnect VLANIFs, which is the BEST way to secure normal access (terminal- or client-facing) ports, like g0/0/x, from forming adjacencies (attacks)?

Using silent-interface on g0/0/x?
Creating an ACL and filtering the OSPF Multicast Group on g0/0/x?
Enable authentication hmac-sha256 for OSPF?
All? Other?

Thank you for your input.


lizhuzhu
Created Apr 13, 2016 02:03:22

I think you want to avoid access ports sending or receiving OSPF, right?

You can create ACL to filter OSPF packets.


edv_tj
Created Apr 13, 2016 05:48:00

"I think you want to avoid access ports sending or receiving OSPF, right?"

Yes. I was wondering if there was another mechanism of controlling where HELLOs get sent out.
But if an ACL is the only way to stop it, I'll do it with an ACL.

Implementing authentication seems like a good thing to do, too.

Thank you!


edv_tj
Created Apr 13, 2016 09:52:20

Here is my experimental setup and how I tried it:

Ports 1-12: in VLAN 10 with VLANIF10 and IP 192.168.1.1 26
Ports 13-24: in VLAN 20 with VLANIF20 and IP 192.168.1.65 26
Ports 25-36: in VLAN 30 with VLANIF30 and IP 192.168.1.129 26
Ports 37-48: in VLAN 40 with VLANIF40 and IP 192.168.1.193 26
XGigabitEthernet0/0/1 with IP 172.16.1.1 30, NBMA to the other switch.

So, I partitioned the switch L3-wise.

Everything works in this experiment. But the VLANIFs are spilling OSPF HELLOs out of every port in their VLAN (e.g. g0/0/3). I wanted to stop that.

I set an extended ACL with a rule to deny OSPF (rule deny ospf). I set a traffic classifier (if-match acl 3000), a behavior (deny; it is already denied by the ACL) and then put everything in a traffic policy.

I applied the traffic policy directly to g0/0/1 inbound and outbound for this experiment. Guess what: It did not work.
It works when I apply the traffic-policy to VLAN10 outgoing.

Is there a flow chart available which shows when and how traffic-policies are applied?

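A configuration sketch that combines the three mechanisms raised in the thread (silent-interface, OSPF authentication, and an ACL-based traffic policy), added here as an illustration; it is not the poster's configuration and was not taken from the S5720 documentation. It reuses the addressing from the post above; the OSPF process number and router-id, the ACL number, the classifier/behavior/policy names, the key id and the placeholder secret are assumptions, and the `#` lines are annotations rather than commands. Two points the sketch makes explicit: silent-interface is applied to the VLANIF (the interface OSPF actually runs on), not to the physical g0/0/x port, and authentication on its own does not stop hellos leaving an access port; it only prevents an unauthenticated device from completing an adjacency.

```text
# Added example in Huawei VRP style (not from the thread). Process id, router-id,
# ACL number, policy names, key id and the secret are assumptions.

# 1) OSPF on the VLANIFs. silent-interface stops the switch sending hellos on the
#    host-facing VLANIFs and ignores any hellos received there; the prefixes are
#    still advertised because they match the network statements.
ospf 1 router-id 192.168.1.1
 silent-interface Vlanif10
 silent-interface Vlanif20
 silent-interface Vlanif30
 silent-interface Vlanif40
 area 0.0.0.0
  network 192.168.1.0 0.0.0.63
  network 192.168.1.64 0.0.0.63
  network 192.168.1.128 0.0.0.63
  network 192.168.1.192 0.0.0.63
  network 172.16.1.0 0.0.0.3

# 2) HMAC-SHA256 authentication on the uplink, the only interface where an
#    adjacency is wanted. Replace <shared-secret> with a real key.
interface XGigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.252
 ospf authentication-mode hmac-sha256 1 cipher <shared-secret>

# 3) Defence in depth: drop OSPF (IP protocol 89) towards the host VLANs with an
#    advanced ACL + traffic policy, applied where the poster found it effective
#    (VLAN outbound). Repeat the vlan stanza for VLANs 20, 30 and 40.
acl number 3000
 rule 5 deny ospf
traffic classifier OSPF-LEAK
 if-match acl 3000
traffic behavior DROP
 deny
traffic policy NO-OSPF-TO-HOSTS
 classifier OSPF-LEAK behavior DROP
vlan 10
 traffic-policy NO-OSPF-TO-HOSTS outbound
```

To confirm the result, attach a host to an access port in VLAN 10 and capture IP protocol 89 on it (for example `tcpdump -ni eth0 proto ospf`); once silent-interface or the VLAN-outbound policy is active, no hellos should arrive, and a crafted hello from the host should never produce a neighbor on the switch (`display ospf peer`). Whether a traffic-policy on a physical port catches control packets the switch itself originates is platform-specific, which matches the poster's observation that the policy only took effect when applied to the VLAN outbound, so the sketch applies it there.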
