
https://learningnetwork.cisco.com/thread/11397

Question about no ip-directed broadcast

Mar 7, 2010 6:51 PM

Milan 188 posts since
Sep 3, 2008

Hi,

Could someone explain to me in plain English what no ip-directed broadcast is meant to do and why it's beneficial to have it disabled?

Thanks in advance

Milan

  • JohnMoore Beginner 120 posts since
    Apr 3, 2009
    1. Mar 7, 2010 6:53 PM (in response to Milan)
    Re: Question about no ip-directed broadcast

    It is to prevent someone from doing a broadcast which could flood the NIC/router/subnet; otherwise, if enabled, it will allow broadcasts.


    J

  • Angela Expert 733 posts since
    Jan 29, 2010
    2. Mar 7, 2010 8:18 PM (in response to Milan)
    Re: Question about no ip-directed broadcast

    'no ip-directed broadcast' is a command that prevents a router from broadcasting its IP address. This is a security concern.

    As you advance, you will know that you can send a continuous ping to a location to test for network activity. However, some malicious hacker can take advantage of this ping utility and use many computers to ping a single site. This creates a lot of traffic and so jams up the network resources. Preventing the IP address from being sent out in the first place greatly reduces the risk.

    Another, similar approach is to disable the ICMP protocol, which is responsible for the functioning of the 'ping' utility. When doing so, you reject any 'ping' or 'traceroute', thus effectively eliminating the risk of DoS attacks.

    In summary, disabling ICMP is more effective than 'no ip-directed broadcast', as it actively denies access to all ICMP traffic, while 'no ip-directed broadcast' just limits the distribution of some IP addresses; the hacker STILL CAN obtain your address through other means. On the other hand, 'ping' and 'traceroute' are very important troubleshooting tools, so disabling them brings a somewhat increased level of difficulty in troubleshooting.


    Regards,

    A

  • Matthew Bartlett Member 10 posts since
    Jan 25, 2010
    4. Mar 7, 2010 8:38 PM (in response to Angela)
    Re: Question about no ip-directed broadcast

    Angela, I don't think this is correct, as it has to do with broadcasts from outside of the destination subnet (a broadcast that doesn't originate from the subnet it is intended for). This is from the Cisco website, http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1081245 :

    Usage Guidelines

    An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some IP subnet, but which originates from a node that is not itself part of that destination subnet.

    A router that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a router that is directly connected to its destination subnet, that packet is "exploded" as a broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.

    The ip directed-broadcast interface command controls the explosion of directed broadcasts when they reach their target subnets. The command affects only the final transmission of the directed broadcast on its ultimate destination subnet. It does not affect the transit unicast routing of IP directed broadcasts.

    If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as directed broadcasts intended for the subnet to which that interface is attached will be exploded as broadcasts on that subnet. If an access list has been configured with the ip directed-broadcast command, only directed broadcasts that are permitted by the access list in question will be forwarded; all other directed broadcasts destined for the interface subnet will be dropped.

    If the no ip directed-broadcast command has been configured for an interface, directed broadcasts destined for the subnet to which that interface is attached will be dropped, rather than being broadcast.

    Matthew

  • sbjones Advanced 219 posts since
    Nov 14, 2009
    5. Mar 7, 2010 9:38 PM (in response to Milan)
    Re: Question about no ip-directed broadcast

    More simply put: a network's broadcast address is 255.255.255.255 and, as a broadcast, it is sent to all hosts on that network (or subnet), the network on which the packet originated. All hosts see it and act upon it or drop it depending on what is in the broadcast packet. The broadcast does not go any further than the network that originated it. The router does not route it.

    A directed broadcast is a packet sent from a different network (or subnet) to a legitimate broadcast address on another network. For example, a device at 172.16.1.1 sends a packet (directed) to 192.168.1.255/24 (the broadcast address on network 192.168.1.0/24). The packet has a network and subnet address with the host bits all ones. This will be routed to 192.168.1.0 and sent to all hosts on 192.168.1.0.

    These are not desirable for the same reason as other broadcasts: lots of bandwidth consumption and hosts processing packets unnecessarily.

    It will not affect ping on the router interface.
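As an added illustration (not code from this thread, from Cisco, or from the blog that reposted it), the following Python models the decision table in the usage guidelines Matthew quoted and sbjones's 172.16.1.1 to 192.168.1.255/24 example: whether a packet counts as a directed broadcast, and what the router attached to the target subnet does with it under ip directed-broadcast, under ip directed-broadcast with an access list, or under no ip directed-broadcast. The mode names, the acl callable (a stand-in for a real IOS access list) and the sample packets are my own constructions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the forwarding decision in the quoted Cisco usage
# guidelines; not Cisco code. Mode names and the acl callable are my own.
LIMITED_BROADCAST = ip_address("255.255.255.255")
EXPLODE, DROP, UNICAST, LOCAL = ("explode", "drop", "unicast-forward",
                                 "local-broadcast-not-routed")


def is_directed_broadcast(src, dst, subnet):
    """A directed broadcast targets `subnet`'s broadcast address from
    a source that is not itself a member of that subnet."""
    net = ip_network(subnet, strict=False)
    return (ip_address(dst) == net.broadcast_address
            and ip_address(src) not in net)


def router_action(src, dst, interface_subnet, mode="disabled", acl=None):
    """What a router whose interface sits on `interface_subnet` does.

    mode: "enabled"  -> ip directed-broadcast
          "acl"      -> ip directed-broadcast <access-list>
          "disabled" -> no ip directed-broadcast (the RFC 2644 default)
    acl:  callable(src_ip_str) -> bool, consulted only when mode == "acl".
    """
    net = ip_network(interface_subnet, strict=False)
    d, s = ip_address(dst), ip_address(src)
    # 255.255.255.255, or the subnet's own hosts hitting their own broadcast
    # address, is an ordinary broadcast: it never crosses the router.
    if d == LIMITED_BROADCAST or (d == net.broadcast_address and s in net):
        return LOCAL
    # Not our subnet's broadcast address: a transit router treats a directed
    # broadcast exactly like a unicast packet (the command does not apply).
    if not is_directed_broadcast(src, dst, interface_subnet):
        return UNICAST
    # Final hop: this is where the "explosion" is allowed or refused.
    if mode == "enabled" or (mode == "acl" and acl is not None and acl(src)):
        return EXPLODE
    return DROP


def walk(packets, interface_subnet, mode="disabled", acl=None):
    """Apply router_action to constructed (src, dst) pairs; returns a list."""
    return [(src, dst, router_action(src, dst, interface_subnet, mode, acl))
            for src, dst in packets]


# Constructed sample traffic, including the 172.16.1.1 -> 192.168.1.255 case.
SAMPLE = [("172.16.1.1", "192.168.1.255"), ("192.168.1.10", "192.168.1.255"),
          ("192.168.1.10", "255.255.255.255"), ("172.16.1.1", "192.168.1.20")]

if __name__ == "__main__":
    for row in walk(SAMPLE, "192.168.1.0/24"):  # no ip directed-broadcast
        print(row)
```

Changing `interface_subnet` to a network the router is merely transiting (say 10.0.0.0/8) shows the packet passing as plain unicast, which is why the command only matters on the last-hop router.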

  • Scott Morris - CCDE/4xCCIE/2xJNCIE Cisco Designated VIP 7,921 posts since
    Oct 7, 2008
    6. Mar 8, 2010 5:03 AM (in response to Milan)
    Re: Question about no ip-directed broadcast

    While it's cool to have YOU talk to all your friends, you don't exactly want anyone and everyone to be able to reach your group of friends without prior authorization.  (Your friends may get upset with you!)

    Scott

Views: 13953
Posted: 2011.12.23 11:52:12 (*.160.42.233)
Trackback: http://webs.co.kr/index.php?document_srl=462&act=trackback&key=b22
Post URL: http://webs.co.kr/index.php?document_srl=462