[c-nsp] Blocking IS-IS traffic
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Fri Jan 18 09:49:53 EST 2008
Agree with Rubens. If you absolutely need to run IS-IS on a VLAN where
you also have hosts which you don't have control over (which is a very
bad idea), enable IS-IS authentication.
oli
Rubens Kuhl Jr. <> wrote on Friday, January 18, 2008 3:29 PM:
> IS-IS is carried by OSI, not IP; you should try finding the ethertype
> it's using (maybe 00FE or FEFE) and use a MAC ACL to filter the OSI
> traffic.
>
> Converting to an IP routerport without IS-IS attached would achieve
> better isolation; is it possible in this scenario? We strongly prefer
> to use routerports on connections to customers/peers/upstreams, and
> even there we filter IP multicast traffic.
>
>
> Rubens
>
>
>
> On Jan 18, 2008 9:39 AM, Ulysses Maciel da Costa
> <ulysses.costa at egs.com.br> wrote:
>> Hi,
>>
>>
>> I have a VLAN in my router's switchport, and I receive a link from
>> another company. Last week my network went down. I analyzed my network
>> and saw a lot of IS-IS packets. By the way, my routes inside this
>> VLAN are static. I've tried to create an ACL inside my VLAN to block
>> these IS-IS packets attached with its ports (2042, 2043), without
>> success.
>>
>>
>>
>> Could someone help me make an efficient ACL to block this traffic?
>>
>>
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
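An added example, not part of the original thread: a small Python classifier showing why an IP ACL keyed on ports cannot match IS-IS and what a MAC ACL has to match instead. IS-IS PDUs ride in 802.3 frames with LLC DSAP/SSAP 0xFE/0xFE and NLPID 0x83, with no IP or UDP header. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

# IS-IS PDU type numbers (low 5 bits of byte 4 of the IS-IS common header).
PDU_TYPES = {15: "L1 LAN Hello", 16: "L2 LAN Hello", 17: "P2P Hello",
             18: "L1 LSP", 20: "L2 LSP", 24: "L1 CSNP", 25: "L2 CSNP",
             26: "L1 PSNP", 27: "L2 PSNP"}

def classify(frame: bytes) -> str:
    """Classify a raw Ethernet frame as 'isis:<pdu>', 'ipv4' or 'other'."""
    offset = 12
    if len(frame) < offset + 2:
        return "other"
    (field,) = struct.unpack_from("!H", frame, offset)
    # Step over 802.1Q / 802.1ad VLAN tags, as seen on a trunk capture.
    while field in (0x8100, 0x88A8) and len(frame) >= offset + 6:
        offset += 4
        (field,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if field == 0x0800:
        return "ipv4"            # only these frames can match an IP/port ACL
    if field > 1500:
        return "other"           # some other EtherType (ARP, IPv6, ...)
    # field <= 1500 is an 802.3 length; an LLC header follows.
    if frame[offset:offset + 3] != b"\xfe\xfe\x03":   # DSAP, SSAP, UI control
        return "other"
    pdu = frame[offset + 3:]
    if len(pdu) < 5 or pdu[0] != 0x83:                # NLPID 0x83 = IS-IS
        return "other"
    return "isis:" + PDU_TYPES.get(pdu[4] & 0x1F, "unknown")

def constructed_samples() -> dict:
    """Build labelled test frames; all addresses and payloads are made up."""
    src = bytes.fromhex("001122334455")
    # LLC header + 8-byte IS-IS common header for an L1 LAN Hello (type 15).
    hello = b"\xfe\xfe\x03" + bytes([0x83, 27, 1, 0, 15, 1, 0, 0])
    # 01:80:C2:00:00:14 is the AllL1ISs multicast address.
    isis = bytes.fromhex("0180c2000014") + src + struct.pack("!H", len(hello)) + hello
    tagged = isis[:12] + struct.pack("!HH", 0x8100, 100) + isis[12:]
    udp = bytes.fromhex("aabbccddeeff") + src + b"\x08\x00" + b"\x45" + bytes(27)
    return {"isis": isis, "isis_vlan100": tagged, "udp": udp}

if __name__ == "__main__":
    for name, frame in constructed_samples().items():
        print(f"{name:13s} -> {classify(frame)}")
```
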