Monday 14 November 2011

3rd Objective;


PASSIVE INTERFACES

If we look at R2, this router has an interface in 10.1.25.0/24. There is no other router on this segment, yet R2 is sending hellos out this interface trying to actively form a relationship with an EIGRP neighbour. This is a HUGE security hole, as someone could plug in their own router, get EIGRP up and running and start injecting routes into the network, or better yet he could pull off a man in the middle attack and be packet sniffing all the traffic and forwarding it on.

One approach would be to remove the network from EIGRP, BUT this now means you are not advertising this network.....

This is where passive interfaces come in, as they disable the hello messages on that interface, meaning no neighbour can form, BUT it will still advertise the network to the rest of your EIGRP topology :0)


R2(config)#router eigrp 90
R2(config-router)#passive-interface loopback 2

(I'm doing loopback2 as I didn't have another FastEthernet port like on the CBT/network diagram)

So now no hello messages will be sent out to 10.1.25.0/24, no neighbourships will form and no routes will be learnt *dusts hands*

This is very different to what RIP's passive interface does:
It won't send updates out the interface (RIP doesn't form neighbours like EIGRP, it just sends updates via broadcast or multicast depending on version) BUT it will still accept updates from other RIP routers and add those updates to the routing table.

----------------------------------------------------------------------------------
RIP's passive interface NOT as secure as EIGRP's passive interface
--------------------------------------------------------------------------------


Now let's secure the BackBone router. We have a load of interfaces (loopbacks in this example, but hey!) so it would be a lot more secure, and easier for us, to set all interfaces as passive by default:

BB-Router(config)#router eigrp 90
BB-Router(config-router)#passive-interface default
BB-Router(config-router)#
00:36:33: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.24.2 (Serial0/0) is down: interface passive
00:36:33: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.34.2 (Serial0/1) is down: interface passive


Obviously this downs the neighbours straight away, as we have disabled the hello messages to the neighbour. To get them up and running again we use the no form of the command:

BB-Router(config-router)#no passive-interface serial0/0
BB-Router(config-router)#no passive-interface serial0/1
00:37:31: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.24.2 (Serial0/0) is up: new adjacency
00:37:31: %SYS-5-CONFIG_I: Configured from console by vty1 (10.1.34.2)
00:37:34: %DUAL-5-NBRCHANGE: IP-EIGRP 90: Neighbor 10.1.34.2 (Serial0/1) is up: new adjacency

Here it is all together in the running config:

BB-Router#show run | s eigrp
router eigrp 90
 passive-interface default
 no passive-interface Serial0/0
 no passive-interface Serial0/1
 network 10.1.0.0 0.0.255.255
 network 172.30.0.0
 network 192.168.1.0
 no auto-summary
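As an added example, not part of the original post: the R2 case from the top of the post done on a real FastEthernet port instead of a loopback, followed by the show commands that confirm which interfaces are passive. The interface name FastEthernet0/1, the address 10.1.25.2 and the Se0/0 line in the second check are assumptions, and the show output is trimmed and representative rather than a capture from this lab.

```cisco
! Added example (assumed interface name/address, not from the post):
! R2 has FastEthernet0/1 in 10.1.25.0/24 with no other router on the segment,
! so it is covered by the network statement but made passive.
R2(config)#interface FastEthernet0/1
R2(config-if)#ip address 10.1.25.2 255.255.255.0
R2(config-if)#exit
R2(config)#router eigrp 90
R2(config-router)#network 10.1.0.0 0.0.255.255
R2(config-router)#passive-interface FastEthernet0/1
R2(config-router)#end

! Check 1: the interface shows up under "Passive Interface(s)"
! (output trimmed; representative, not a capture from this lab)
R2#show ip protocols
Routing Protocol is "eigrp 90"
  ...
  Routing for Networks:
    10.1.0.0/16
  Passive Interface(s):
    FastEthernet0/1
  ...

! Check 2: a passive interface is no longer listed as an EIGRP interface,
! so no hellos go out of it and no peer can ever appear on it.
! Only the serial link to the backbone remains (Se0/0 assumed, counters constructed).
R2#show ip eigrp interfaces
IP-EIGRP interfaces for process 90
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Se0/0              1        0/0        20       0/15         95           0
```

The third thing worth checking is on a neighbour rather than on R2: `show ip route eigrp` there should still list 10.1.25.0/24 as a D route. That is the whole point of passive-interface over just deleting the network statement: the segment is still advertised, it just can't be used to form an adjacency.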
