[nsp] Securing OSPF

Matt Stockdale mstockda at logicworks.net
Wed Jun 23 02:48:46 EDT 2004


I'm trying to clean up an OSPF mess I've inherited, and I was curious-

What are you all doing to secure your OSPF (or igrp/rip/etc, I suppose)?
Just setting md5 keys on everything and calling it a day? Or are you
using default passive interfaces and only running ospf on the necessary
links? Both?

I've basically got a single OSPF area where routing information for 3
superblocks (2 /19's and an /18) is exchanged over routers all
configured w/ an ospf network of a single class C, resulting in 95% of
the routes being OSPF external type 2. I figure the solution is to add
all of the network space to the 5 or 6 different OSPF speaking devices'
ospf instances, and use ospf passive-interface default on our hybrid
6500s and CT3 T1 aggregator to avoid speaking/receiving OSPF to the 200
or so connected subnets.

This seems like a good idea to me, but it is 2:45am here. Can anyone
sanity-check my thoughts?

Also, is there a better searchable cisco-nsp archive than the official
one at https://puck.nether.net/pipermail/cisco-nsp/? For all I know,
this has been answered before.
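
The plan described in the post above, sketched as an IOS configuration. This is an added example, not part of the original message; the process ID, interface names, 10.10.x.x prefixes (constructed stand-ins for the two /19s and the /18) and the key placeholder are assumptions.

```cisco
! Constructed example: process ID, interface names and 10.10.x.x prefixes
! are placeholders standing in for the two /19s and the /18.
router ospf 1
 ! Cover the address space so connected subnets are advertised as
 ! intra-area routes instead of externals.
 network 10.10.0.0 0.0.31.255 area 0
 network 10.10.32.0 0.0.31.255 area 0
 network 10.10.64.0 0.0.63.255 area 0
 ! Passive by default: matched subnets are still advertised, but no hellos
 ! are sent or accepted, so no adjacency can form on the connected subnets.
 passive-interface default
 ! Re-enable OSPF only on router-to-router links.
 no passive-interface GigabitEthernet1/1
 no passive-interface Vlan900
 ! Require MD5 authentication on every interface in the area.
 area 0 authentication message-digest
!
interface GigabitEthernet1/1
 description Transit link to OSPF neighbor (hypothetical)
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
!
interface Vlan900
 description Transit VLAN to OSPF neighbor (hypothetical)
 ip ospf message-digest-key 1 md5 <SHARED-KEY>
```

After the change, `show ip ospf neighbor` should list adjacencies only on the transit interfaces.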

