[c-nsp] how to stop broadcast,multicast

Vikas Sharma vikassharmas at gmail.com
Wed Feb 14 05:09:59 EST 2007


Hi Kyle,

We did implement a VACL (VLAN access control list) and we were able to curb the
spurious packets. But the problem with ACLs is that they drop fragmented
packets. Thus we have to remove it.

Regards
Vikas Sharma


On 2/13/07, Kyle Evans <evans.584 at osu.edu> wrote:
>
> I'm not sure if I'm missing something obvious here or not, but say you
> have your 8 routers connected to G0/1 - G0/8 on the 6500.  Then couldn't you
> do something like this:
>
> ! numbered extended ACL 101: drop NetBIOS/RPC/SMB ports, permit everything else
> access-list 101 deny tcp any any eq 135
> access-list 101 deny udp any any eq 135
> access-list 101 deny tcp any any eq 136
> access-list 101 deny udp any any eq 136
> access-list 101 deny tcp any any eq 137
> access-list 101 deny udp any any eq 137
> access-list 101 deny tcp any any eq 138
> access-list 101 deny udp any any eq 138
> access-list 101 deny tcp any any eq 139
> access-list 101 deny udp any any eq 139
> access-list 101 deny tcp any any eq 445
> access-list 101 deny udp any any eq 445
> access-list 101 permit ip any any
>
> Then on interfaces G0/1 through G0/8 put the following command
>
> ip access-group 101 in
>
>
> That should block all traffic coming into the 6500 on those ports.
>
>
>
> Kyle
>
>
>
>
> Vikas Sharma wrote:
>
> Hi Kevin / Kyle,
>
> There is no Ethernet broadcast. I am in a CDMA network where users are
> dialing using a CDMA phone as a modem. Now since most of the laptops / PCs have
> Windows, they broadcast packets on some particular ports like
> 135,136,137,137 and 445. Since OSPF is running on my edge router where these
> calls are first getting connected, any broadcast message is reachable to all
> IP pools defined over the other 8 routers.
>
> Kyle - A port ACL might not help as all connections are going to the same VLAN
> and the connected switch is also running OSPF with the same process id. Anyway,
> can you please tell me whether a port ACL is the same as private VLANs or
> protected ports?
>
> Regards
> Vikas Sharma
>
>
> On 2/12/07, Kevin Graham <mahargk at gmail.com> wrote:
> >
> > On 2/11/07, Vikas Sharma <vikassharmas at gmail.com> wrote:
> >
> >
> > > In that case also since all routers and switches are in the same OSPF
> > > area, if a broadcast packet comes it will go to all routers. Creating a
> > > separate ptp link might not help me..
> >
> > I have a feeling LSA flooding and ethernet broadcasts are being confused
> > here...
> >
> > What is the condition you're trying to address?
> >
>
>


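Added example, not from any of the posters: a Catalyst 6500 VACL that does what Kyle's per-interface ACL was meant to do, but on the shared VLAN (which is where Vikas says all the subscriber traffic lands, so a port ACL on G0/1-G0/8 is the wrong hook) and with non-initial fragments handled explicitly. ACEs that carry Layer-4 ports can only classify the first fragment of a datagram, because later fragments have no TCP/UDP header; matching those fragments in their own access-map sequence, ahead of the port-based drop, makes "forward them" a deliberate decision instead of a side effect of the ACL and is the likely fix for the fragment drops Vikas describes. The VLAN number (100), the ACL names and the access-map name are assumptions; confirm that your supervisor/PFC and IOS release accept the `fragments` keyword in a VACL match list before relying on it.

```cisco
! Added example (not code from the thread). Assumed: subscriber VLAN is 100;
! ACL and access-map names are placeholders.
!
! Inside a VACL, "permit" in the referenced ACL means "this ACE matches";
! the access-map's "action" decides what happens to matching traffic.
!
! 1. Non-initial fragments: no L4 header, so port-based ACEs cannot see them.
ip access-list extended NONINITIAL-FRAGS
 permit ip any any fragments
!
! 2. The Windows chatter Vikas wants to stop: RPC endpoint mapper (135),
!    NetBIOS name/datagram/session (137-139) and SMB over TCP (445).
!    Port 136 is unassigned; the range covers it for parity with Kyle's list.
ip access-list extended NETBIOS-SMB
 permit tcp any any range 135 139
 permit udp any any range 135 139
 permit tcp any any eq 445
 permit udp any any eq 445
!
! 3. Access map, evaluated in sequence order.
!    10: fragments are forwarded explicitly, BEFORE the port-based drop, so
!        they can never be caught by sequence 20 whatever the platform's
!        L4-on-fragment matching semantics are. Change to "action drop" if
!        you would rather block fragments than risk fragmented NetBIOS/SMB.
vlan access-map DROP-NETBIOS 10
 match ip address NONINITIAL-FRAGS
 action forward
!    20: drop the first (and only, for unfragmented packets) fragment of
!        anything to the listed ports.
vlan access-map DROP-NETBIOS 20
 match ip address NETBIOS-SMB
 action drop
!    30: everything else, including OSPF, is forwarded.
vlan access-map DROP-NETBIOS 30
 action forward
!
! 4. Apply to the VLAN the subscriber routers share. A VACL applies to
!    bridged and routed traffic in the VLAN, unlike a port ACL on one link.
vlan filter DROP-NETBIOS vlan-list 100
!
! Verification after applying:
!  show vlan access-map DROP-NETBIOS
!  show vlan filter
!  show access-list NETBIOS-SMB
! (ACL hit counters are not reliable for hardware-switched traffic on the
!  PFC; verify with a test host rather than by counters alone.)
```

Trade-off to keep in mind: forwarding non-initial fragments in sequence 10 means a deliberately fragmented NetBIOS or SMB datagram passes the filter, which is the same exposure the thread accepted when the VACL was removed altogether; the difference is that legitimate fragmented traffic to other ports keeps working while the unfragmented Windows broadcast noise is still dropped.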