disabling ospf update

>thnx . . .

>the result goes like this:

>Router(config)# access-list 101 deny ospf any any

>Router(config)# access-list 101 permit ip any any

>Router(config)#int f0/0

>Router(config-if)#ip access-group
% Incomplete command.

>is there anything i forgot to include?

For the ip access-group command you need to specify the ACL number and the direction of checking: IN or OUT. Like this:

[code:1]Router(config-if)#ip access-group 101 out[/code:1]

or

[code:1]Router(config-if)#ip access-group 101 in[/code:1]

The first one will prevent ospf packets from getting OUT of the interface. The second one will prevent ospf packet from getting IN to the interface. Which one you use is dependent on your network topology. I recommend the first one used on each interface that you want to prevent originating ospf packets.

I still don't get it. Why do you want to disable OSPF updates? For OSPF to work you need to have a full copy of the link-state database for your area. Which is why 'passive' OSPF will tear down your adjacency.

Also, use dynamips.

The answer to your question is actually quite simple, i dont know why you guys are trying to make it so hard. (Thats what she said).

Ok so here it is:


BRANCH#config t
BRANCH(config)#router ospf 1
passive-interface eth0/0


CENTRAL#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
CENTRAL(config)#router ospf 1
CENTRAL(config-router)#passive-interface s0/0/1


now those interfaces wont send ospf updates :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted: :twisted:

One thing you should know is that OSPF is a very tasking process to implement on a router. it uses up quite a large portion of the routers' memory because it has a Link State Database that stores information on how to reach ALL the routers within the same area it's in.

Therefore implementing access-lists will only cause the router to overwork for something that is such a small deal, because when routing it will check through for any acls configured.

Its better to restrict the OSPF advertisements in the OSPF process itself by making the interface passive. this will make the router run ospf smoothly but when its flooding the Link-state-advertisements, it will not flood them out the interface you specified for it to restrict thus saving your bandwidth.

Router(config)#router ospf 1
Router(cofig-router)#passive-interface fa0/1

I still don't get it. Why do you want to disable OSPF updates? For OSPF to work you need to have a full copy of the link-state database for your area. Which is why 'passive' OSPF will tear down your adjacency.

Also, use dynamips.

You want to disable the updates out the Ethernet interfaces because you know there is no router at the other end that needs to get the updates. However there could be a evil black hat hacker on the other end of that Ethernet cable who is sniffing you traffic and seeing all the routing up date information which he uses to attack your network.

So you disable the updates on the Ethernet interfaces so that no unauthorized person can see the routing updates.