Suppressing Route Advertisements

17 Mar

To prevent other routers on a network from learning about routes dynamically, you can prevent routing update messages from being sent out a router interface. To accomplish this, use the passive-interface <interface> routing process configuration command. This command can be used on all IP-based routing protocols except for the Exterior Gateway Protocol (EGP) and Border Gateway Protocol (BGP). When an interface is configured as passive, the router stops sending routing protocol advertisements out of that interface; however, the interface still listens for and accepts any route advertisement it receives. Configuring this essentially makes the router a silent host on the specified interfaces. The passive-interface <interface> command, entered in routing protocol configuration mode, is all that is needed to stop an interface from advertising networks.

Here is an example of configuring an interface as passive:

interface FastEthernet0/0
 ip address 10.10.15.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
router eigrp 50
 passive-interface FastEthernet0/0
 passive-interface Serial0/0
!

Configuring HTTP Access
Cisco routers include an HTTP server, which makes configuration and administration easier, especially for someone who does not have a lot of experience with the command-line interface. The HTTP server function is disabled by default and must be manually enabled. Follow these steps to enable the HTTP server functionality (only the first step is mandatory):

1. To enable the HTTP server, use the ip http server global configuration command.

2. You can specify the authentication method the router should use to authenticate users who attempt a connection to the server with the following global configuration command:

ip http authentication {aaa|enable|local|tacacs}

3. You can control which hosts can access the HTTP server using this global configuration command:

ip http access-class {access list number|access list name}

4. By default, the HTTP server listens for connection attempts on port 80. This can be changed using the ip http port <number> global configuration command.

Figure 1.6 shows a host named Jeff at IP address 192.168.10.100 who uses his Web browser to administer the router. Jeff accesses the HTTP server on the router on port 8080 and uses the local method of authentication. The following example shows the HTTP server configuration needed so that Jeff can access the router.

Figure 1.6: User Jeff needs HTTP access to the router.

SecureRouter#show running-config
……
username Jeff privilege 10 password 0 NewUser
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
!
ip http server
ip http port 8080
ip http access-class 20
ip http authentication local
!
access-list 20 permit 192.168.10.100
!

Warning: If the HTTP server is enabled and local authentication is used, it is possible, under some circumstances, to bypass the authentication and execute any command on the device. For further information, please see the following Web page:

http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html.
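
The following is an added example, not part of the original text or any Cisco tooling: a small Python check that reads a saved running-config and flags the HTTP server settings covered in this section. The function name, the finding labels and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the running-config shown above.
SAMPLE = """\
username Jeff privilege 10 password 0 NewUser
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
!
ip http server
ip http port 8080
ip http access-class 20
ip http authentication local
!
access-list 20 permit 192.168.10.100
!
"""

def audit_http(config):
    """Return finding labels (hypothetical names) for the IOS HTTP server settings."""
    lines = [ln.strip() for ln in config.splitlines()]
    if "ip http server" not in lines:
        return []  # HTTP server is off (the default), nothing to review

    def value(pattern):
        # First capture group of the first line matching the pattern, else None.
        hits = [m.group(1) for ln in lines if (m := re.fullmatch(pattern, ln))]
        return hits[0] if hits else None

    findings = ["http-server-enabled"]
    auth = value(r"ip http authentication (\S+)")
    acl = value(r"ip http access-class (\S+)")
    if auth is None:
        findings.append("auth-method-not-set")
    elif auth == "local":
        findings.append("auth-local-check-advisory")  # see the warning above
    if acl is None:
        findings.append("no-access-class")  # no host restriction configured
    elif not any(re.match(rf"(ip )?access-list (standard )?{re.escape(acl)}\b", ln)
                 for ln in lines):
        findings.append("access-class-acl-undefined")  # referenced ACL is missing
    # Type 0 means the password is stored unencrypted in the config.
    for ln in lines:
        if m := re.fullmatch(r"username (\S+) .*password 0 \S+", ln):
            findings.append(f"cleartext-password:{m.group(1)}")
    return findings

if __name__ == "__main__":
    print(audit_http(SAMPLE))
```
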
