
Understanding OSPF Passive Interface

The document discusses the OSPF passive interface command, which prevents OSPF hello packets from being sent on certain interfaces to enhance security and avoid unnecessary neighbor adjacencies. It provides configuration examples for routers R1 and R2, illustrating how to implement the passive-interface command effectively. Additionally, it highlights the option to set all interfaces as passive by default and selectively enable OSPF on specific interfaces.

Uploaded by

Vineet
Copyright
© All Rights Reserved

OSPF Passive Interface


When you use the network command in OSPF, two things will happen:
- All interfaces that have a network that falls within the range of the network command will be advertised in OSPF.
- OSPF hello packets are sent on these interfaces.

Sometimes it’s undesirable to send OSPF hello packets on certain interfaces. Consider the
following topology.
R1 and R2 are configured for OSPF. R1 is connected to network 192.168.10 /24 which has
some computers connected to a switch. R1 wants to advertise this network to R2.

Once we use the network command to advertise [Link] /24 in OSPF, R1 will also
send OSPF hello packets towards the switch. This is a bad idea, first of all because there
are no routers on this network, but it’s also a security risk. If someone on one of the
computers starts an application that replies with OSPF hello packets, then R1 will try to
become neighbors with it. An attacker could advertise fake routes using this technique.

To prevent this from happening, we can use the passive-interface command. This
command tells OSPF not to send hello packets on certain interfaces, so no neighbor
adjacency can form there, while the network itself is still advertised. Let’s see how it
works…

Configuration
Here’s the OSPF configuration of R1 and R2:

R1(config)#router ospf 1
R1(config-router)#network [Link] [Link] area 0
R1(config-router)#network [Link] [Link] area 0

R2(config)#router ospf 1
R2(config-router)#network [Link] [Link] area 0

With the above configuration, R2 will learn network [Link] /24:

R2#show ip route ospf


O [Link]/24 [110/20] via [Link], 00:03:21, FastEthernet0/0

This is great, but a side-effect of this configuration is that R1 will send hello packets on its
FastEthernet 0/1 interface. We can see this with a debug:

R1#debug ip ospf hello


OSPF hello events debugging is on

OSPF: Send hello to [Link] area 0 on FastEthernet0/1 from [Link]

OSPF: Send hello to [Link] area 0 on FastEthernet0/0 from [Link]

Above you can see that hello packets are sent in both directions.

Let’s fix this. We will configure OSPF to stop the hello packets towards the switch:

R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1

You only have to use the passive-interface command under the OSPF process. You can
verify our work with the following command:

R1#show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID [Link]
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
[Link] [Link] area 0
[Link] [Link] area 0
Reference bandwidth unit is 100 mbps
Passive Interface(s):
FastEthernet0/1
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)

Show ip protocols will tell us which interfaces are configured as passive interface(s). If you
left the debug enabled, you will see that hello packets are no longer sent on FastEthernet0/1:

R1#
OSPF: Send hello to [Link] area 0 on FastEthernet0/0 from [Link]

That’s looking good, they are only sent towards R2 now.

Configurations
Want to take a look for yourself? Here you will find the configuration of each device.
R1
hostname R1
!
interface FastEthernet 0/1
ip address [Link] [Link]
!
interface FastEthernet 0/0
ip address [Link] [Link]
!
router ospf 1
network [Link] [Link] area 0
network [Link] [Link] area 0
passive-interface FastEthernet 0/1
!
end

R2
hostname R2
!
interface FastEthernet 0/0
ip address [Link] [Link]
!
router ospf 1
network [Link] [Link] area 0
!
end

If you have many interfaces then it might be annoying to configure each of them as a
passive interface. For example, let’s imagine that R1 is used as a router on a stick for
VLANs that are configured on the switch. It will have many sub-interfaces, and on each of
those it will send OSPF hello packets.

We could use the passive-interface command for each of these sub-interfaces but there’s
a better solution for this:

R1(config)#router ospf 1
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface FastEthernet 0/0

The configuration above will make all interfaces passive and you have to tell the router
which interfaces should send OSPF hello packets. This is easier and it will prevent OSPF
from sending hello packets when someone creates a new sub-interface and forgets to
make it passive.

Configurations
Want to take a look for yourself? Here you will find the configuration of each device.

R1
hostname R1
!
interface FastEthernet 0/1
ip address [Link] [Link]
!
interface FastEthernet 0/0
ip address [Link] [Link]
!
router ospf 1
network [Link] [Link] area 0
network [Link] [Link] area 0
passive-interface default
no passive-interface FastEthernet 0/0
!
end

R2
hostname R2
!
interface FastEthernet 0/0
ip address [Link] [Link]
!
router ospf 1
network [Link] [Link] area 0
!
end
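
An added example (not from the original lesson): a small Python audit of an IOS-style running-config that lists the interfaces matched by an OSPF network statement that are not passive, handling both per-interface passive-interface lines and passive-interface default. The addresses, the FastEthernet0/1.20 sub-interface and the function name are constructed for illustration, and a single OSPF process is assumed.

```python
import ipaddress
import re

# Constructed sample running-config; all addresses are made up for this example.
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1.20
 ip address 192.168.20.1 255.255.255.0
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 passive-interface FastEthernet0/1
!
end
"""

def active_ospf_interfaces(config):
    """Return OSPF-enabled interfaces that are not passive (they still send hellos)."""
    addrs, nets, passive, active = {}, [], set(), set()
    default_passive, iface = False, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (.+)", line):
            iface = m.group(1).replace(" ", "")  # 'FastEthernet 0/1' == 'FastEthernet0/1'
        elif (m := re.match(r"ip address (\S+) \S+", line)) and iface:
            addrs[iface] = int(ipaddress.IPv4Address(m.group(1)))
        elif m := re.match(r"network (\S+) (\S+) area \S+", line):
            nets.append(tuple(int(ipaddress.IPv4Address(x)) for x in m.groups()))
        elif line == "passive-interface default":
            default_passive = True
        elif m := re.match(r"(no )?passive-interface (.+)", line):
            (active if m.group(1) else passive).add(m.group(2).replace(" ", ""))
    result = []
    for name, ip in addrs.items():
        # Wildcard mask: bits set to 1 are "don't care" when matching the address.
        matched = any((ip | wc) == (net | wc) for net, wc in nets)
        is_passive = name not in active if default_passive else name in passive
        if matched and not is_passive:
            result.append(name)
    return sorted(result)

if __name__ == "__main__":
    print(active_ospf_interfaces(SAMPLE))
```

On the sample, the sub-interface is reported because only FastEthernet0/1 itself was made passive; with passive-interface default plus no passive-interface FastEthernet 0/0, only the link towards R2 remains.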

RIP and EIGRP also support the passive-interface command. It works similarly for
EIGRP, but RIP works a bit differently: it doesn’t create neighbor adjacencies, so it
just suppresses route advertisements on the passive interface.

Hopefully these examples have been useful, if you have any questions feel free to leave a
comment!
