nerdexam
Cisco

352-001 · Question #221

Why should IGP advertisements be disabled on an access link where a host is attached?

The correct answer is B. to prevent the injection of bad routes. Disabling IGP advertisements on host-facing access links prevents unauthorized or malicious devices from injecting false routing information into the network.

Designing Security

Question

Why should IGP advertisements be disabled on an access link where a host is attached?

Options

  • Abecause hosts do not run routing protocols
  • Bto prevent the injection of bad routes
  • Cto reduce router overhead
  • Dbecause edge hosts are statically routed

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    94% (30)
  • D
    3% (1)

Why each option

Disabling IGP advertisements on host-facing access links prevents unauthorized or malicious devices from injecting false routing information into the network.

Abecause hosts do not run routing protocols

While hosts typically do not run routing protocols, the concern is not the host's capability - it is the risk that any device on that link, including a rogue one, could inject bad routes into the router.

Bto prevent the injection of bad routesCorrect

A host or rogue device connected to an access link could send crafted routing protocol packets (OSPF Hellos, RIP updates, EIGRP packets) that introduce false routes into the IGP topology. Using a passive interface or similar mechanism suppresses IGP sending and receiving on that link, blocking route injection and protecting routing table integrity.

Cto reduce router overhead

Reducing router overhead is a minor side effect of disabling IGP on access links, not the primary security motivation for the practice.

Dbecause edge hosts are statically routed

Whether edge hosts are statically routed is a host configuration detail that is irrelevant to why the router should not advertise or accept IGP messages on the access link.

Concept tested: Passive interface preventing IGP route injection on access links

Source: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13711-40.html

Topics

#passive interface#route injection#IGP security#access link

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice