Thursday, October 2, 2008

EIGRP part 1 - security


If routers share a LAN segment and EIGRP adjacencies must be established over it, but ONLY to specified neighbors, this initially presents a small problem. EIGRP adjacencies are normally established via multicast hellos to 224.0.0.10. This in effect allows any router on the LAN segment to join and become an EIGRP neighbor.

Using the EIGRP neighbor statement eliminates this behaviour. Applying a neighbor statement within EIGRP stops the multicast hellos from exiting the associated interface. In this way, any other hosts on the shared LAN segment are prevented from forming a neighbor adjacency, adding a layer of security.

N.B. It is not necessary to apply the passive-interface command to the interface; in fact, doing so will prevent all neighbor relationships from forming out of the specified interface.
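
The neighbor statement described above, shown on two routers sharing one segment, as an added example that is not from the original post. The AS number 100, the 192.0.2.0/24 addresses and the interface FastEthernet0/0 are assumptions made for illustration. The statement is configured on both ends, because a router with a static neighbor on an interface also stops processing multicast EIGRP packets received there.

```cisco
! ---- R1 (constructed example) ----
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
router eigrp 100
 network 192.0.2.0 0.0.0.255
 ! Unicast EIGRP to R2 only; multicast hellos to 224.0.0.10 stop on Fa0/0
 neighbor 192.0.2.2 FastEthernet0/0
 ! No "passive-interface FastEthernet0/0" here: it would block
 ! every adjacency on the interface, including the one to R2
!
! ---- R2 (constructed example, mirrors R1) ----
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
!
router eigrp 100
 network 192.0.2.0 0.0.0.255
 neighbor 192.0.2.1 FastEthernet0/0
```

Running `show ip eigrp neighbors detail` on either router should list the peer as a static neighbor.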
