Blocking broadcast traffic on Cisco routers

Posted: 03 Feb, 2007
by: Admin A.
Updated: 03 Feb, 2007
by: Admin A.

CISCO - Blocking broadcast traffic.

We've had some requests for examples of how to filter broadcast traffic. As with a lot of things in the computer world, "there is more than one way to do it."

If your network is composed *only* of /24 allocations (i.e. you're not supernetting or subnetting anywhere on class C's, or all your class A/B networks are subnetted as /24's), then you can do all the filtering with one filter on your *inbound* Internet interfaces.

(Note that you should filter both the all-ones and the all-zeros addresses, as both are recognized as broadcast by some IP stacks.)

! filter broadcast packets from the outside world into our network
! (applied inbound on the Internet-facing serial interface; the wildcard
! mask 255.255.255.0 matches any address whose last octet is .255 or .0)
access-list 109 deny ip any 0.0.0.255 255.255.255.0
access-list 109 deny ip any 0.0.0.0 255.255.255.0
access-list 109 permit ip any any
!
interface serial 0
 ip access-group 109 in
!

Another way to do it is to filter only traffic to the broadcast addresses, *outgoing* on your directly connected interfaces. For example, if your router has an ethernet interface with half a dozen AS5200's or Max 4004's on it, and that ethernet interface has the address 192.168.3.1/24, then you'd do this:

! filter broadcast packets from anywhere into my directly attached
! terminal server network (applied outbound on the ethernet interface,
! so it only has to know that interface's own broadcast addresses)
access-list 110 deny ip any host 192.168.3.255
access-list 110 deny ip any host 192.168.3.0
access-list 110 permit ip any any
!
interface ethernet 0
 ip access-group 110 out
!

 
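To see exactly what the two access lists above catch, and where the "/24 allocations only" caveat bites, here is a small emulator of Cisco wildcard-mask matching. It is an added example, not part of the original knowledgebase article or any Cisco tool; the addresses and prefixes it tests are constructed samples, and the implicit "deny any" at the end of a Cisco ACL is modelled as the fallback result.

```python
# Added example (not from the original article): emulate Cisco ACL wildcard
# matching to check what access-list 109 and access-list 110 actually drop.
import ipaddress


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco semantics: a 1 bit in the wildcard means 'do not care'.
    The address matches when every bit where the wildcard is 0 equals
    the corresponding bit of the pattern."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (p & care)


# ACL entries as (action, pattern, wildcard). 'host X' is X with wildcard
# 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255.
ACL_109 = [
    ("deny", "0.0.0.255", "255.255.255.0"),    # any x.x.x.255 (all-ones /24 broadcast)
    ("deny", "0.0.0.0", "255.255.255.0"),      # any x.x.x.0   (all-zeros /24 broadcast)
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit ip any any
]

ACL_110 = [
    ("deny", "192.168.3.255", "0.0.0.0"),      # host 192.168.3.255
    ("deny", "192.168.3.0", "0.0.0.0"),        # host 192.168.3.0
    ("permit", "0.0.0.0", "255.255.255.255"),  # permit ip any any
]


def evaluate(acl, dst: str) -> str:
    """First matching entry wins. If nothing matches, Cisco applies an
    implicit 'deny any', modelled here as the fallback return value."""
    for action, pattern, wildcard in acl:
        if wildcard_match(dst, pattern, wildcard):
            return action
    return "deny"


def directed_broadcast(network: str) -> str:
    """All-ones (directed) broadcast address of a prefix of any length."""
    return str(ipaddress.IPv4Network(network, strict=False).broadcast_address)


def coverage_report(acl, networks):
    """For each interface prefix, does the ACL drop its directed broadcast?"""
    return {net: evaluate(acl, directed_broadcast(net)) for net in networks}


if __name__ == "__main__":
    # Constructed sample destinations, not real hosts.
    for dst in ("10.20.30.255", "10.20.30.0", "10.20.30.7", "192.168.3.127"):
        print(f"ACL 109  dst={dst:15} -> {evaluate(ACL_109, dst)}")
    # The /24-only caveat: a /25 subnet's broadcast (.127) slips through ACL 109.
    print(coverage_report(ACL_109, ["192.168.3.0/24", "192.168.3.0/25"]))
    # ACL 110 only protects its own segment, which is all an outbound
    # interface filter needs to do.
    for dst in ("192.168.3.255", "192.168.4.255"):
        print(f"ACL 110  dst={dst:15} -> {evaluate(ACL_110, dst)}")
```

The report for the /25 case is the practical reason the article restricts the first method to /24-only networks: the inbound wildcard filter has no way to know that 192.168.3.127 is a broadcast address, whereas the per-interface outbound filter is written against the interface's real broadcast addresses and would simply list 192.168.3.127 and 192.168.3.0 instead.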

I've just been made aware of a command for Ciscos, 'ip directed-broadcast'. Specifically, the 'no' form of the command will not convert broadcast packets (all ones, I think) into broadcast ethernet packets on the final, directly connected interface. From Cisco's online documentation:

    To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.

What I take this to mean is that 'no ip directed-broadcast' will prevent the mapping of broadcast packets (I don't know what your Cisco will guess 'broadcast packets' are) to broadcast ethernet framing. I think this will help... although I don't know all the ramifications, because I haven't used it, and don't know anyone who has.

And a final note: there are very few applications which depend on the routing of broadcast packets. You may know of one such application; if it's a popular one that you think lots of people are using, speak up. So you should feel safe in blocking broadcast traffic in your network. Popular applications which depend on *non*-routed broadcast traffic include RIP and NetBIOS (Microsoft's networking protocol). Putting filter access-lists on your interfaces should not interfere with non-routed broadcast traffic, because it never crosses the router in the first place.
