Passive interface in OSPF

Suppose there was a router.

It has two interfaces.

Serial and Fas.

We set router ospf 1 to both of them.

 

However, the Fas does not need to send OSPF Hello from its interace.

This is because there are no such OSPF nodes.

We might set passive-interface to this in order to save routers CPU.

 

Here is my question.

At this rate, Fass function is limited in receiving Hello.

This interface does not send Hello.

It means the neighbor OSPF relation would be collapsed.

OSPF would not work in here.

 

Then, what is the meaning of setting passive-interface?

We do not have to set any OSPF related command in the Fas from the scratch.

[^o)]

 

 

Comments

  • Rauta,

    I can think of a couple of reasons for passive-interface in OSPF:

    • You have several interfaces within an address space and are told to use only one network statement under the OSPF process, but not to send any OSPF traffic out interfaces not designated as OSPF
    • You are told to place interface(s) in an OSPF area, but to prevent OSPF hello or other traffic out the interface(s)
  • DarrellEscola,

     

    LTNS.

    And the quickest reply ever, thanks.

     

    No wonder.

    What I will be told is the answer.

    [:D]

     

     

  • Rauta,

    I want to add one point:
    If you don't include int F0/0 in OSPF process config, then OSPF will not advertise F0/0 in its LSA. And if F0/0 is LAN interface facing the user, you can set it as passive interface.

     

  • Alexander.Halim,

     

     

    Oh, LAN interface facing the user.

     

    I thought faces of her.

     

    http://www.youtube.com/watch?v=1llHXUfEdrI&feature=player_embedded

     

     

  • To add another idea on top of Alexander's great point.

    Another place passive interfaces may be worth considering is the external interface of your border routers could be added into your IGP if you are using IBGP internally - then you don't need to set "next-hop-self" facing the RR or IBGP peers and since you don't want (nor expect) OSPF adjacencies occuring on that external interface there, you would set that  interface to be passive.

    For the most amount of control as to what interfaces you run OSPF on you could set passive-interface default, and no passive-interface <specific interface> only those interfaces you really want OSPF to run on will attempt to establish an adjacency.

     

  • Hi Guys.

    You can use pasive-interface or just dont add the fa0/0 into OSPF via network statement (or you dont enter "ip ospf PROCESS area AREA" on the interface) and hit the "redistribute connected subnets" under the ospf process. Same effect but remember, that also non OSPF interfaces and loopbacks are advertised.

     

    Regards!

  • Hi everyone,

     

    I had a related doubt - is it ever a valid scenario to have OSPF packets being received at an interface of your router where OSPF is not enabled ? In my limited understanding till now, I think this would not be a real-world scenario (i.e. it would be a misconfiguration), since, in one Autonomous System it would normally not be a correct configuration to have OSPF enabled on one end of a link(one interface of a router) but not on the other end of the link (i.e. interface of a neighbouring router). Is that a correct understanding? I'm a beginner in OSPF and routing also, so please correct my understanding.

     

    Thanks in advance!

  • Hi

    Lets consider this

     

    R1(fa0/0)------R2(fa0/0)

     

    when OSPF protocol is configured only on R1 via "router ospf"  it joins multicast groups 224.0.0.5 and 224.0.0.6 check via

     

    R1#sh ip int f0/0 | in Multicast

      Multicast reserved groups joined: 224.0.0.5 224.0.0.6

    Now if other router R2 on this link is not running OSPF it will not join these multicast groups check on R2

    R2#sh ip int f0/0 | in Multicast

    R2#

    So when R1 sends OSPF packets to R2 at multicast destination address of 224.0.0.5 with ip protocol ip 89 check on R2 via

    R1#debug ip packets details

    *Mar  1 00:17:45.907: IP: s=10.0.0.1 (local), d=224.0.0.5 (FastEthernet0/0), len 76, sending broad/multicast, proto=89

    Since R2 does not have layer 2 multicast address corresponding to Layer 3 multicast address 224.0.0.5 because R2 has not joined this group (OSPF is not enabled ). Therefore when these packets arrived on R2's layer 2. It will discard all these packets at this layer. Hence no packets will be shown at layer 3 via

    R2#debug ip packets details

    R2#

     

     

    Conclusion: OSPF packets will not be received at R2's network layer 3 because they were already being discarded at R2's layer 2. 

     

    Regards

  • You can use pasive-interface or just dont add the fa0/0 into OSPF via network statement (or you dont enter "ip ospf PROCESS area AREA" on the interface) and hit the "redistribute connected subnets" under the ospf process. Same effect but remember, that also non OSPF interfaces and loopbacks are advertised.

    Saying that the effect is the same is not quite true as there are some subtle differences which you need to be aware of because handling options for external vs internal routes are quite different.

    1) As you indirectly indicate you may need to include a route-map with a match interface statement to select only the interface you wanted to include getting redistributed into OSPF

    2) Doing this actually impacts redistribution from other protocols - e.g. if you were redistributing RIP into OSPF, the connected interfaces running RIP normally would be added into the OSPF databased - however the redistribute connected takes precedence so if you were only adding that external interface - you would also need to include the interfaces running RIP

    3) Since the route is now an external rather than an internal route filter-lists between OSPF areas wont work here since that only works for summary routes and not externals, perhaps this is not a show stopper because there are ways around this should you need it (turn the area into NSSA and then at the ABR you can using the area range command with not-advertise)

    4) Belivability of OSPF routes are Same Area/Intra-Area/External(E1 then E2 then N1 then N2) since your router is directly connected to the interface possibly some other router that isn't redistributing this route may cause your peers to use them instead of you

    To be fair in a lot of cases where the networks are straight forward and well designed none of these things should be an issue but in non-production environments like the CCIE lab I believe understanding the implications of certain choices should help you select the right path, or at least understand why things are behaving in a particular manner.

  • 3) Since the route is now an external rather than an internal route filter-lists between OSPF areas wont work here since that only works for summary routes and not externals, perhaps this is not a show stopper because there are ways around this should you need it (turn the area into NSSA and then at the ABR you can using the area range command with not-advertise)

    Hi Adam,

    I think we can use "summary-address ... no advertise" at the ABR to filter LSA type 5.
    Check this blog by Petr Lapukhov: http://blog.ine.com/2009/08/17/ospf-route-filtering-demystified/

  • Hi "dcancerian"

     

    Thanks for the quick reply.

     

    I do understand that R2 will not end up processing the OSPF packets in this case becuase the packets wont reach Layer 3 if the Layer 2 is not listening on the OSPF multicast addresses. My doubt was if such a configuration is likely to exist in a real-world deployment. As per my understanding, in a real-world scenario, this would be considered a misconfiguration (ie. R1 having OSPF enabled on an interface which is connected to a non-OSPF interface of R2). Is this understanding correct? Kindly clarify this point, since I do not have real-world deployment experience.

     

    Thank you.

     

     

  • Hi RevK,

    If the interface is LAN interface and facing the servers/users, then I would think that we should enable OSPF on both interfaces for redundancy purpose.

    And if the interface is for transit purpose, then no point enabling OSPF on one interface but not on the other interface. 

    So, in both cases, we need to enable OSPF on both routers' interfaces.

  • Hi Alexander,

    Thanks for pointing that out, however that appears to only work with NSSA area types

    R2(config-router)#summary-address 1.1.1.1 255.255.255.255 ?
      not-advertise  Do not advertise when translating OSPF type-7 LSA
      tag            Set tag
      <cr>

    Which I believe is the same effect as

    R2(config-router)#area 1 range 1.1.1.1 255.255.255.255 not-advertise

    because area range can be applied only more than just the ASBR but can also be applied to the router originating Type5/Type7 routes - e.g. the ABR connecting to a NSSA area

     

  • Thank you, Adam. That is just the clarification I was looking for. So basically in a correct configuration, such a case would never happen.

     

    Thanks again.

     

  • Sorry, the earlier post should have referred to Alexander.Halim

    Thanks, Alexander

  • Hi RevK,

    I was responding to Alexander's reply to me about filtering - with regards to his thoughts on advertising interfaces into OSPF I am in full agreement with him.  Sorry for any confusion that I may have caused by not quoting what I was replying to

    Cheers,

    Adam

  • however that appears to only work with NSSA area types

    R2(config-router)#summary-address 1.1.1.1 255.255.255.255 ?
      not-advertise  Do not advertise when translating OSPF type-7 LSA
      tag            Set tag
      <cr>

    Which I believe is the same effect as

    R2(config-router)#area 1 range 1.1.1.1 255.255.255.255 not-advertise

    because area range can be applied only more than just the ASBR but can also be applied to the router originating Type5/Type7 routes - e.g. the ABR connecting to a NSSA area

    Hi Adam,

    Thank you for the excellent feedback. I tested it out rightaway and indeed you are correct.

Sign In or Register to comment.