The Passive Interface feature in OSPF allows you to advertise networks without sending hello packets. This is especially useful for interfaces connected to LANs or devices that should not form OSPF neighborships but whose networks still need to be advertised. Think of an OSPF router connected to a switch LAN: do we really need to send OSPF hello packets out of the router's LAN interface toward the switch? Of course not. If we do, we leave a security hole: someone could run OSPF on his PC, form a neighborship with our Juniper router, and see all of the OSPF information. Even worse, he could inject a default route so that all of the network's internet-bound traffic passes through his PC, where he can run capture software and record everything that passes. For this reason we use a passive interface to stop hello packets on an interface while still advertising that connected network into OSPF.
Let me show you in a LAB how this can be done.
In this lab, I will demonstrate the passive interface configuration using the following scenario:
- R1: Router in Area 0.
- R2: ABR between Area 0 and Area 1.
- R3: Router in Area 1.
Objective
- Configure FastEthernet0/0/2 on R2 as a passive interface.
- Verify that the network attached to this interface is still advertised to other OSPF routers.
- Observe the effect of passive interface on OSPF neighborship.
Lab Steps for Passive Interface
Step 1: Verify Existing Neighborships
Check the OSPF neighborships and routing table on R1 before enabling the passive interface.
R1# show ospf neighbor
Neighbor ID: 192.168.23.2
State: Full
R1# show route
192.168.23.0/24 [OSPF] via 192.168.23.2
3.3.3.0/24 [OSPF] via 192.168.23.2
Step 2: Configure Passive Interface on R2
Make FastEthernet0/0/2 a passive interface on R2.
R2# edit protocols ospf area 1
R2# set interface fastethernet0/0/2 passive
R2# commit
Step 3: Verify OSPF Neighborship on R2
Check OSPF neighborship on R2 to confirm that the passive interface configuration stops hello packet exchange.
R2# show ospf neighbor
Neighbor ID: 192.168.23.1
State: Full
We can see that R2 does not form an OSPF neighborship with R3 anymore.
Step 4: Verify Routing Table on R1
Check the routing table on R1 to ensure that the network connected to the passive interface is still advertised.
R1# show route
192.168.23.0/24 [OSPF] via 192.168.23.2
3.3.3.0/24 [OSPF] via 192.168.23.2
Step 5: Remove Passive Interface Configuration
Re-enable hello packet exchange on FastEthernet0/0/2 by removing the passive configuration.
R2# edit protocols ospf area 1
R2# delete interface fastethernet0/0/2 passive
R2# commit
Step 6: Verify Neighborship and Routing Table
Re-check neighborship on R2 and the routing table on R1 after restoring the default configuration.
R2# show ospf neighbor
Neighbor ID: 192.168.23.1
State: Full
Neighbor ID: 192.168.23.3
State: Full
R1# show route
192.168.23.0/24 [OSPF] via 192.168.23.2
3.3.3.0/24 [OSPF] via 192.168.23.2
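As an added example (not part of the original lab), here is a small Python audit that applies the same reasoning offline: it reads a set-format Junos OSPF configuration and reports LAN-facing interfaces that are not passive, and it checks a "show ospf neighbor" output against the neighbor IDs we expect to see. The configuration lines, the LAN interface fastethernet0/0/3 and the 192.168.23.50 neighbor are constructed for this example and are not from the lab above.

```python
import re
from typing import Dict, List, Set

# Constructed set-format config for R2. fastethernet0/0/3 is an assumed
# LAN-facing interface that is not part of the original lab topology.
R2_CONFIG_BEFORE = """
set protocols ospf area 0 interface fastethernet0/0/1
set protocols ospf area 1 interface fastethernet0/0/2
set protocols ospf area 1 interface fastethernet0/0/3
"""
# Same config after a Step 2 style fix: the LAN interface is now passive.
R2_CONFIG_AFTER = R2_CONFIG_BEFORE + "set protocols ospf area 1 interface fastethernet0/0/3 passive\n"

SET_RE = re.compile(r"^set protocols ospf area (\S+) interface (\S+)(?:\s+(\S+).*)?$")

def ospf_interfaces(config: str) -> Dict[str, dict]:
    """Map each OSPF interface to its area and whether it is passive."""
    result: Dict[str, dict] = {}
    for line in config.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        area, ifname, keyword = m.groups()
        entry = result.setdefault(ifname, {"area": area, "passive": False})
        if keyword == "passive":
            entry["passive"] = True
    return result

def hello_leaks(config: str, lan_interfaces: Set[str]) -> List[str]:
    """LAN-facing interfaces that still send hellos, i.e. would accept a
    neighbor from any host on that segment. An empty list means compliant."""
    ifaces = ospf_interfaces(config)
    return sorted(i for i in lan_interfaces
                  if i in ifaces and not ifaces[i]["passive"])

# Constructed 'show ospf neighbor' output in the lab's simplified format,
# with one neighbor ID that is not a router in our inventory.
R2_NEIGHBORS = """
Neighbor ID: 192.168.23.1
State: Full
Neighbor ID: 192.168.23.50
State: Full
"""

def unexpected_neighbors(show_output: str, expected_ids: Set[str]) -> Set[str]:
    """Neighbor IDs present in the output that are not in our inventory."""
    seen = set(re.findall(r"Neighbor ID:\s*(\S+)", show_output))
    return seen - expected_ids
```

Running hello_leaks on the "before" config lists fastethernet0/0/3; on the "after" config it returns an empty list, which is the state the lab's Step 2 puts the router in.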
Part 2: Default Route Advertisement
The default originate feature in OSPF allows a router to advertise a default route to all OSPF routers in the network. This is particularly useful when one router connects to the internet and the other routers rely on it for external connectivity. This way, you can advertise the default route to all OSPF routers so that they have it in their routing tables. Let's build a LAB to show you how this can be done.
Objective
- Create a static default route on R1.
- Advertise this default route in OSPF using policy options.
- Verify that all routers receive the default route via OSPF.
Lab Steps for Default Route Advertisement
Step 1: Create a Static Default Route on R1
Create a static default route on R1.
R1# edit routing-options
R1# set static route 0.0.0.0/0 next-hop discard
R1# commit
I have used “next-hop discard” just to make a default route that takes us nowhere. This is also called a blackhole route. Of course, in a real production network the default route is most of the time the route that takes you to the internet. In my Lab, I will use a blackhole route that takes me nowhere.
Step 2: Configure a Policy Statement
Create a policy statement to match and accept the static default route.
R1# edit policy-options
R1# set policy-statement default-originate term 1 from route-filter 0.0.0.0/0 exact
R1# set policy-statement default-originate term 1 then accept
R1# commit
I have just created a policy statement called “default-originate” that says: if you find a default route, then accept it.
Step 3: Export the Policy Statement into OSPF
Export the policy statement into OSPF.
R1# edit protocols ospf
R1# set export default-originate
R1# commit
Here I have exported the policy statement named “default-originate” into OSPF so that all OSPF routers will learn about this default route.
Step 4: Verify Default Route on Other Routers
Check the routing tables on downstream routers to confirm they received the default route.
R4# show route
0.0.0.0/0 [OSPF] via 192.168.34.3
R3# show route
0.0.0.0/0 [OSPF] via 192.168.23.2
R2# show route
0.0.0.0/0 [OSPF] via 192.168.12.1
As you can see, all OSPF routers have received the default route via OSPF into their routing table, which is perfect.
Conclusion
This lab demonstrated:
- The use of the passive interface in OSPF to secure networks by suppressing hello packets while still advertising the network.
- The process of advertising a static default route in OSPF using policy options to enable all routers in the network to route traffic to external networks.
These configurations enhance OSPF functionality and network security. I hope this lecture was informative, and I’ll see you in the next session!