OSPF Passive Interface

When you use the network command in OSPF, two things will happen:

• All interfaces that have a network that falls within the range of the network command will be advertised in OSPF.
• OSPF hello packets are sent on these interfaces.

Sometimes it’s undesirable to send OSPF hello packets on certain interfaces. Take a look at the image below:

R1 and R2 are configured for OSPF. R1 is connected to network 192.168.10 /24 which has some computers connected to a switch. R1 wants to advertise this network to R2.

Once we use the network command to advertise 192.168.10.0 /24 in OSPF, R1 will also send OSPF hello packets towards the switch. This is a bad idea, first of all because there are no routers on this network but it’s also a security risk. If someone on the computer starts an application that replies with OSPF hello packets then R1 will try to become neighbors. An attacker could advertise fake routes using this technique.

To prevent this from happening, we can use the passive-interface command. This command tells OSPF not to send hello packets on certain interfaces. Let’s see how it works…

Configuration

Here’s the OSPF configuration of R1 and R2:

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0

R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0

With the above configuration, R2 will learn network 192.168.10.0 /24:

R2#show ip route ospf 
O    192.168.10.0/24 [110/20] via 192.168.12.1, 00:03:21, FastEthernet0/0

This is great but a side-effect of this configuration is that R1 will send hello packets on its FastEthernet 0/1 interface. We can see this with a debug:

R1#debug ip ospf hello 
OSPF hello events debugging is on

OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.10.254

OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1

Above you can see that hello packets are sent in both directions.

Let’s fix this. We will configure OSPF to stop the hello packets towards the switch:

R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1

You only have to use the passive-interface command under the OSPF process. You can verify our work with the following command:

R1#show ip protocols 
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.12.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.10.0 0.0.0.255 area 0
    192.168.12.0 0.0.0.255 area 0
 Reference bandwidth unit is 100 mbps
  Passive Interface(s):
    FastEthernet0/1
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 110)

Show ip protocols will tell us which interfaces are configured as passive interface(s). If you left the debug enabled you will see that the hello packets are blocked:

R1#
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1

That’s looking good, they are only sent towards R2 now.

• Configurations
• R1
• R2

Want to take a look for yourself? Here you will find the final configuration of each device.
If you have many interfaces then it might be annoying to configure each of them as a passive interface. For example let’s imagine that R1 is used as a router on a stick for VLANs that are configured on the switch. It will have many sub-interfaces, on each of those it will send OSPF hello packets:

We could use the passive-interface command for each of these sub-interfaces but there’s a better solution for this:

R1(config)#router ospf 1
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface FastEthernet 0/0

The configuration above will make all interfaces passive and you have to tell the router which interfaces should send OSPF hello packets. This is easier and it will prevent OSPF from sending hello packets when someone creates a new sub-interface and forgets to make it passive.

• Configurations
• R1
• R2

Unit 1: Introduction to OSPF

• Introduction to OSPF
• Basic OSPF Configuration
• OSPF Multi Area Configuration
• OSPF Reference Bandwidth
• OSPF Plain Text Authentication
• OSPF MD5 Authentication
• OSPF SHA-HMAC Authentication
• OSPF TTL Security Check
• OSPF Default Route

Unit 2: OSPF Neighbor Adjacency

• OSPF LSA Types
• OSPF LSAs and LSDB Flooding
• OSPF Hello and Dead Interval
• OSPF Router ID
• OSPF Packets and Neighbor Discovery
• OSPF DR/BDR Election
• OSPF Passive Interface
• Troubleshooting OSPF Neighbor Adjacency

Unit 3: OSPF Network Types

• OSPF Non-Broadcast Network Type
• OSPF Broadcast Network Type
• OSPF Point-to-Multipoint Network Type
• OSPF Point-to-Multipoint Non-Broadcast Network Type
• OSPF Point-to-Point Network Type
• OSPF Next Hop with Network Types

Unit 4: OSPF Stub Areas

• Introduction to OSPF Stub Areas
• How to configure OSPF Stub Area
• How to configure OSPF Totally Stub
• How to configure OSPF NSSA (Not So Stubby) Area
• How to configure OSPF Totally NSSA (Not So Stubby) Area
• OSPF NSSA P-bit explained

Unit 5: Advanced OSPF Topics

• OSPF Summarization
• OSPF Distribute-List Filtering
• OSPF LSA Type 3 Filtering
• OSPF LSA Type 5 Filtering
• OSPF Virtual Link
• OSPF Virtual Link Authentication
• OSPF Path Selection Explained
• How to read the OSPF Database
• OSPFv3 for IPv4
• Troubleshooting OSPF Route Advertisement
• OSPF SPF Scheduling and Throttling
• OSPF LSA Throttling
• OSPF Incremental SPF
• OSPF Prefix Suppression
• OSPF Stub Router
• OSPF Graceful Shutdown
• OSPF Graceful Restart
• OSPF Loop-Free Alternate (LFA) Fast Reroute (FRR)
• OSPF Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)