When you use the network command in OSPF, two things will happen:
- All interfaces that have a network that falls within the range of the network command will be advertised in OSPF.
- OSPF hello packets are sent on these interfaces.
Sometimes it’s undesirable to send OSPF hello packets on certain interfaces. Take a look at the image below:
R1 and R2 are configured for OSPF. R1 is connected to network 192.168.10.0 /24, which has some computers connected to a switch. R1 wants to advertise this network to R2.
Once we use the network command to advertise 192.168.10.0 /24 in OSPF, R1 will also send OSPF hello packets towards the switch. This is a bad idea, first of all because there are no routers on this network, but it’s also a security risk. If someone on one of the computers runs software that answers with OSPF hello packets, R1 will try to form a neighbor adjacency with it, and an attacker could then use that adjacency to advertise fake routes.
To prevent this from happening, we can use the passive-interface command. This command tells OSPF not to send hello packets on certain interfaces. Let’s see how it works…
Configuration
Here’s the OSPF configuration of R1 and R2:
R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0
With the above configuration, R2 will learn network 192.168.10.0 /24:
R2#show ip route ospf
O 192.168.10.0/24 [110/20] via 192.168.12.1, 00:03:21, FastEthernet0/0
This is great but a side-effect of this configuration is that R1 will send hello packets on its FastEthernet 0/1 interface. We can see this with a debug:
R1#debug ip ospf hello
OSPF hello events debugging is on
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.10.254
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1
Above you can see that hello packets are sent on both interfaces, including FastEthernet0/1 towards the switch.
Let’s fix this. We will configure OSPF to stop the hello packets towards the switch:
R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1
You only have to use the passive-interface command under the OSPF process. You can verify our work with the following command:
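One way to audit a configuration for the side-effect described above, as an added example that is not from the original article: a small Python checker that applies the network command's wildcard matching to each interface address and reports interfaces that will send hellos even though they face a LAN with no routers. The config fragment, the extra FastEthernet1/0 interface and the list of LAN-facing interfaces are constructed for the example.

```python
import ipaddress
import re

# Constructed running-config fragment modelled on R1 from this article
# (interface names and addresses follow the debug output above; Fa1/0 is
# an extra interface not covered by any network statement).
R1_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
"""
# The same config after the fix from the article: Fa0/1 made passive.
R1_FIXED = R1_CONFIG + " passive-interface FastEthernet 0/1\n"

def parse_config(text):
    """Collect interface IPs, 'network' statements and passive interfaces."""
    ifaces, networks, passive, current = {}, [], set(), None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) \S+", line):
            ifaces[current] = int(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"\s+network (\S+) (\S+) area", line):
            net, wild = (int(ipaddress.ip_address(x)) for x in m.groups())
            networks.append((net, wild))
        elif m := re.match(r"\s+passive-interface (.+)", line):
            # IOS accepts "FastEthernet 0/1" and stores it as "FastEthernet0/1"
            passive.add(m.group(1).replace(" ", ""))
    return ifaces, networks, passive

def active_interfaces(text):
    """Interfaces on which OSPF will send hellos: covered by a network
    statement (wildcard match: address bits where the wildcard bit is 0
    must equal the network bits) and not declared passive."""
    ifaces, networks, passive = parse_config(text)
    return [name for name, ip in ifaces.items()
            if any(((ip ^ net) & ~wild & 0xFFFFFFFF) == 0 for net, wild in networks)
            and name not in passive]

def audit_lan_interfaces(text, lan_interfaces):
    """Return interfaces that face router-less LANs but still send hellos,
    i.e. the ones that should get the passive-interface command."""
    return [i for i in active_interfaces(text) if i in lan_interfaces]
```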
Hi Rene!
You mention that the passive-interface command prevents an interface from sending hello packets.
I’d like to know, technically, does it prevent the interface from RECEIVING hello packets as well?
Also, I read in official Cisco literature that it is recommended that ISP-facing interfaces be passive for security.
However, I don’t understand: if this is the case, how is my router going to receive routing to external destinations using OSPF if it doesn’t become a neighbor with the next hop?
Thank you in advance!
Hi Ivaylo,
It won’t prevent us from receiving the hello packets but I believe it does stop processing them. Here’s a little experiment I did with two routers, directly connected to each other:
Now we can see we are sending and receiving hello packets:
Let’s make the interface passive:
At this mo
Hi Ahmad,
OSPF and EIGRP have one thing in common, they both establish a neighbor adjacency before they advertise any routing information. RIP doesn’t establish a neighbor adjacency, it just advertises routing updates.
When you use the passive-interface command for RIP, it stops advertising RIP routing updates on that interface. When you use it for OSPF or EIGRP, they won’t send any hello packets anymore, so it becomes impossible to establish a neighbor adjacency on the passive interface.
Rene
Hello Monir
When you indicate that an interface is passive, it means that any and all OSPF-related messages are never sent out that interface. The connected network does participate in the OSPF process, that is, the connected subnet is advertised to other OSPF routers, but no hellos, LSAs or any other OSPF-related packets are sent out that interface.
The passive interface is configured on interfaces where you KNOW there is no OSPF router connected to it to receive any kind of OSPF information.
I hope this has been helpful!
Laz
Hello Sumu
When a router is enabled with OSPF, it sends hello packets outside ALL of its network interfaces by default regardless of which subnets are participating in OSPF, regardless of which subnets are included in the network command.
The statement
means that the advertisements that are sent will include information about these networks. This means that by default, hello packets will be sent on all interfaces including Fa0/0 and Fa0/1 and wi