When you use the network command in OSPF, two things will happen:
- All interfaces that have a network that falls within the range of the network command will be advertised in OSPF.
- OSPF hello packets are sent on these interfaces.
Sometimes it’s undesirable to send OSPF hello packets on certain interfaces. Take a look at the image below:
R1 and R2 are configured for OSPF. R1 is connected to network 192.168.10.0 /24, which has some computers connected to a switch. R1 wants to advertise this network to R2.
Once we use the network command to advertise 192.168.10.0 /24 in OSPF, R1 will also send OSPF hello packets towards the switch. This is a bad idea, first of all because there are no routers on this network, but it is also a security risk. If someone on one of the computers starts an application that replies to OSPF hello packets, R1 will try to form a neighbor adjacency with it. An attacker could advertise fake routes using this technique.
To prevent this from happening, we can use the passive-interface command. This command tells OSPF not to send hello packets on certain interfaces. Let’s see how it works…
Here’s the OSPF configuration of R1 and R2:
```
R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
```

```
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0
```
With the above configuration, R2 will learn network 192.168.10.0 /24:
```
R2#show ip route ospf
O    192.168.10.0/24 [110/20] via 192.168.12.1, 00:03:21, FastEthernet0/0
```
This is great, but a side effect of this configuration is that R1 will also send hello packets on its FastEthernet 0/1 interface. We can see this with a debug:

```
R1#debug ip ospf hello
OSPF hello events debugging is on
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.10.254
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1
```

Above you can see that hello packets are sent on both interfaces, including FastEthernet0/1 towards the switch.
Let’s fix this. We will configure OSPF to stop the hello packets towards the switch:
```
R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1
```

The passive-interface command is configured under the OSPF process; nothing has to be changed on the interface itself. The network is still advertised to R2, but no hello packets are sent on FastEthernet 0/1 anymore, so nothing attached to the switch can become an OSPF neighbor of R1. We can verify our work with the following command:
Hey Rene, is there any way to make the default passive and yet keep the interfaces that already have a neighbour as non-passive? In other words, is there a way to change the default on the router to passive on all interfaces except the ones that already have neighbours, without dropping the adjacencies?
I'm afraid not. If you use the global passive command then it will kill any OSPF neighbor adjacencies that you have…unless you do "no passive-interface" for these interfaces.
If we type passive-interface default, then it should block OSPF packets for both interfaces? And we only want it for fa0/1, not for fa0/0. In other words, how would the router know which interface should stop OSPF packets?
If you use passive-interface default then all interfaces will be passive. If you want to disable it for fa0/0 then you can use the no passive-interface fa0/0 command under the OSPF process.
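To make the behaviour discussed in the article (network statement plus passive-interface) and in the exchange above (passive-interface default with a no passive-interface exception) concrete, here is an added audit script, not code from the page or from Cisco: it reads a constructed running-config, applies OSPF wildcard matching to find the interfaces the network statements enable, and reports which of them will still send hello packets. Interface names are assumed to be in the normalized form IOS writes to the running-config (FastEthernet0/1, no space).

```python
import ipaddress
import re

# Constructed sample running-config (not from the page): R1's two interfaces plus
# a third one, with passive-interface default and one explicit exception.
SAMPLE_CONFIG = """
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
router ospf 1
 passive-interface default
 no passive-interface FastEthernet0/0
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
"""

def wildcard_match(addr, net, wildcard):
    """True if addr matches net under an OSPF wildcard mask (1 bits are don't-care)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def hello_interfaces(config):
    """Return {interface: sends_hellos} for every interface a network statement enables."""
    interfaces, networks = {}, []
    passive_default, passive, active = False, set(), set()
    current = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            interfaces[current] = m.group(1)
        elif m := re.match(r"network (\S+) (\S+) area", line):
            networks.append((m.group(1), m.group(2)))
        elif line == "passive-interface default":
            passive_default = True
        elif m := re.match(r"no passive-interface (\S+)", line):
            active.add(m.group(1))
        elif m := re.match(r"passive-interface (\S+)", line):
            passive.add(m.group(1))
    result = {}
    for name, addr in interfaces.items():
        if any(wildcard_match(addr, n, w) for n, w in networks):
            # An explicit (no) passive-interface statement overrides the default.
            result[name] = name in active or (name not in passive and not passive_default)
    return result
```

Interfaces that report True are the ones where an OSPF adjacency could still form; FastEthernet1/0 in the sample does not appear at all because no network statement covers it.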
You mention that the passive-interface command prevents an interface from sending hello packets.
I'd like to know, technically, does it prevent the interface from RECEIVING hello packets as well?
Also, I read in official Cisco literature that it is recommended that ISP-facing interfaces be passive for security.
However, I don't understand: if this is the case, how is my router going to receive routing to external destinations using OSPF if it doesn't become a neighbor with the next hop?
Thank you in advance!