This scenario would be used when you have 3 offices connected by routers, perhaps using T1's. A T1 connects each router to every other router via serial port, and each router has 2 fast ethernet interfaces connected to different subnets in each office. When the "network" command is executed for each fast ethernet subnet, EIGRP will be enabled on those interfaces even though there is no legitimate EIGRP neighbor on those interfaces and EIGRP messages will go out those interfaces even though there is no need nor any desire for that traffic.
To limit this traffic, the preferred method is to set the fast ethernet interfaces to passive mode by executing the commands:
router eigrp 1
passive-interface fastethernet0/0
passive-interface fastethernet0/1
network
network
This will allow all WAN routers to be aware of routes to all LAN interfaces, but will not send any multicast or unicast messages out the fast ethernet interfaces. This will limit network utilization, as well as add to security by not broadcasting route information out interfaces that have no legitimate neighbors by design.
It is also possible to change the default behavior of EIGRP per ASN by using:
router eigrp 1
passive-interface default
no passive-interface serial0/0/0
no passive-interface serial0/0/1
network
This essentially changes the default so that all interfaces are configured as passive, and to allow EIGRP to broadcast out an interface, you have to disable the passivity.
To verify the configuration, we use "show ip eigrp interfaces" to see which are enabled. While this shows which interfaces EIGRP is enabled on, it does not show any passive interfaces. By using a "show ip protocols" command, we will see which networks are being routed using EIGRP as well as a specific list of passive interfaces.
Controlling route distribution using EIGRP is somewhat straight-forward in this respect. using passive-interfaces allows us to enable and restrict who sees what, allowing the fine-tuning and securing of networks.
No comments:
Post a Comment