[c-nsp] how to stop broadcast,multicast

Vikas Sharma vikassharmas at gmail.com
Thu Feb 15 02:22:48 EST 2007


All ACLs will by default drop fragmented packets. Yes, you can enable the
feature to bypass fragmented packets, but that is firewall specific. Our
IOS does not support that command.

Regards
Vikas Sharma


On 2/14/07, Kyle Evans <evans.584 at osu.edu> wrote:
>
> Does it drop all fragmented packets?  I think the ACL is supposed to
> process fragmented packets, and there is even a fragments keyword to help
> process them.  Can you post what the ACL you are using is?
>
> Here is a link to some info on cisco's site about ACLs and fragmented
> packets:
>
> http://www.cisco.com/warp/public/105/acl_wp.html
>
>
> Kyle
>
>
>
> Vikas Sharma wrote:
>
> Hi Kyle,
>
> We did implement a VACL (VLAN access control list) and we were able to
> curb spurious packets. But the problem with ACLs is that they drop fragmented
> packets. Thus we had to remove it.
>
> Regards
> Vikas Sharma
>
>
> On 2/13/07, Kyle Evans <evans.584 at osu.edu> wrote:
> >
> > I'm not sure if I'm missing something obvious here or not, but say you
> > have your 8 routers connected to G0/1 - G0/8 on the 6500.  Then couldn't you
> > do something like this:
> >
> > access-list 101 deny tcp any any eq 135
> > access-list 101 deny udp any any eq 135
> > access-list 101 deny tcp any any eq 136
> > access-list 101 deny udp any any eq 136
> > access-list 101 deny tcp any any eq 137
> > access-list 101 deny udp any any eq 137
> > access-list 101 deny tcp any any eq 138
> > access-list 101 deny udp any any eq 138
> > access-list 101 deny tcp any any eq 139
> > access-list 101 deny udp any any eq 139
> > access-list 101 deny tcp any any eq 445
> > access-list 101 deny udp any any eq 445
> > access-list 101 permit ip any any
> >
> > Then on interfaces G0/1 through G0/8 put the following command
> >
> > ip access-group 101 in
> >
> >
> > That should block all traffic coming into the 6500 on those ports.
> >
> >
> >
> > Kyle
> >
> >
> >
> >
> > Vikas Sharma wrote:
> >
> > Hi Kevin / Kyle,
> >
> > There is no ethernet broadcast. I am in a CDMA network where users are
> > dialing using CDMA phone as a modem. Now since most of the laptops / PS have
> > windows, they broadcast packets on some particular ports like
> > 135,136,137,137 and 445. Since OSPF is running on my edge router where these
> > calls are first getting connected, any broadcast message is reachable to all
> > IP pools defined over other 8 routers.
> >
> > Kyle - Port ACL might not help as all connections are going to the same VLAN
> > and the connected switch is also running OSPF with the same process id. Anyway,
> > can you pls tell me whether port ACL is the same as private VLANs or protected
> > ports?
> >
> > Regards
> > Vikas Sharma
> >
> >
> > On 2/12/07, Kevin Graham <mahargk at gmail.com> wrote:
> > >
> > > On 2/11/07, Vikas Sharma < vikassharmas at gmail.com> wrote:
> > >
> > >
> > > > In that case also since all routers and switches are in same ospf
> > > area, if a
> > > > broadcast packet comes it will go to all routers. Creating a separate
> > > ptp
> > > > link might not help me..
> > >
> > > I have a feeling LSA flooding and ethernet broadcasts are being
> > > confused here...
> > >
> > > What is the condition you're trying to address?
> > >
> >
> >
>
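The fragment behaviour Kyle and Vikas are discussing, as an added Python model that is not part of the thread: it applies the rules from the Cisco ACL/fragments document Kyle linked (an entry carrying Layer 4 information permits a matching non-initial fragment but does not deny it, and a `fragments` entry matches only non-initial fragments) to Kyle's ACL 101 and to the same ACL with a `deny ip any any fragments` line added. The `Packet` and `Ace` classes and the encoding of those rules are my own assumptions for the simulation, not IOS code.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", ...
    dport: Optional[int]            # None when no L4 header is present
    non_initial_frag: bool = False  # True for fragments after the first


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol
    dport: Optional[int] = None    # Layer 4 information, if any
    fragments: bool = False        # the IOS 'fragments' keyword


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' using Cisco's fragment-handling rules
    (assumed encoding of the linked document, not IOS itself)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue                    # Layer 3 does not match
        if ace.fragments:
            if pkt.non_initial_frag:    # 'fragments' ACEs see only
                return ace.action       # non-initial fragments
            continue
        if ace.dport is None:
            return ace.action           # Layer 3 only: applies to all
        if pkt.non_initial_frag:
            # No Layer 4 header to check: a permit still permits, but a
            # deny is skipped and evaluation moves to the next entry
            if ace.action == "permit":
                return "permit"
            continue
        if pkt.dport == ace.dport:
            return ace.action
    return "deny"                       # implicit deny at the end


# Kyle's ACL 101, plus a variant that adds 'deny ip any any fragments'
NETBIOS_DENY = [Ace("deny", proto, port)
                for port in (135, 136, 137, 138, 139, 445)
                for proto in ("tcp", "udp")]
ACL_101 = NETBIOS_DENY + [Ace("permit", "ip")]
ACL_101_FRAGMENTS = (NETBIOS_DENY
                     + [Ace("deny", "ip", fragments=True), Ace("permit", "ip")])
```

In this model a non-initial fragment of a NetBIOS session passes ACL 101 via `permit ip any any`, while the variant with the `fragments` entry drops it; that is the gap the `fragments` keyword exists to close.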
