OSPF Passive Interface and Default Route Advertisement on Juniper

The passive interface feature in OSPF lets you advertise a network without sending hello packets on that interface. This is especially useful for interfaces connected to LANs or devices that should not form OSPF neighborships but whose networks still need to be advertised. Think of an OSPF router connected to a switch LAN: do we really need to send OSPF hello packets out of the router's LAN interface towards the switch? Of course not. If we do, we leave a security hole: anyone on that LAN could run OSPF on a PC, form a neighborship with our Juniper router, and learn the entire OSPF topology. Worse, they could inject a default route so that all traffic leaving the network for the internet passes through that PC, where a packet capture tool records everything. To prevent this, we make the interface passive, which stops hello packets on it while still advertising the connected network into OSPF.

Let me show you in a LAB how this can be done.

In this lab, I will demonstrate the passive interface configuration using the following scenario:

  • R1: Router in Area 0.
  • R2: ABR between Area 0 and Area 1.
  • R3: Router in Area 1.


Objective

  1. Configure FastEthernet0/0/2 on R2 as a passive interface.
  2. Verify that the network attached to this interface is still advertised to other OSPF routers.
  3. Observe the effect of passive interface on OSPF neighborship.

Lab Steps for Passive Interface


Step 1: Verify Existing Neighborships

Check the OSPF neighborships and routing table on R1 before enabling the passive interface.

R1# show ospf neighbor
Neighbor ID: 192.168.23.2
State: Full

R1# show route
192.168.23.0/24 [OSPF] via 192.168.23.2
3.3.3.0/24 [OSPF] via 192.168.23.2


Step 2: Configure Passive Interface on R2

Make FastEthernet0/0/2 a passive interface on R2.

R2# edit protocols ospf area 1
R2# set interface fastethernet0/0/2 passive
R2# commit


Step 3: Verify OSPF Neighborship on R2

Check OSPF neighborship on R2 to confirm that the passive interface configuration stops hello packet exchange.

R2# show ospf neighbor
Neighbor ID: 192.168.23.1
State: Full

We can see that R2 does not form an OSPF neighborship with R3 anymore.

Step 4: Verify Routing Table on R1

Check the routing table on R1 to ensure that the network connected to the passive interface is still advertised.

R1# show route
192.168.23.0/24 [OSPF] via 192.168.23.2
3.3.3.0/24 [OSPF] via 192.168.23.2


Step 5: Remove Passive Interface Configuration

Re-enable hello packet exchange on FastEthernet0/0/2 by removing the passive configuration.

R2# edit protocols ospf area 1
R2# delete interface fastethernet0/0/2 passive
R2# commit


Step 6: Verify Neighborship and Routing Table

Re-check neighborship on R2 and the routing table on R1 after restoring the default configuration.

R2# show ospf neighbor
Neighbor ID: 192.168.23.1
State: Full
Neighbor ID: 192.168.23.3
State: Full

R1# show route
192.168.23.0/24 [OSPF] via 192.168.23.2
3.3.3.0/24 [OSPF] via 192.168.23.2


Part 2: Default Route Advertisement

The default originate feature in OSPF allows a router to advertise a default route to all OSPF routers in the network. This is particularly useful when one router connects to the internet and the other routers rely on it for external connectivity. This way, you can advertise the default route to all OSPF routers so that they have it in their routing tables. Let's walk through a lab to show how this is done.

Objective

  1. Create a static default route on R1.
  2. Advertise this default route in OSPF using policy options.
  3. Verify that all routers receive the default route via OSPF.

Lab Steps for Default Route Advertisement


Step 1: Create a Static Default Route on R1

Create a static default route on R1.

R1# edit routing-options
R1# set static route 0.0.0.0/0 next-hop discard
R1# commit

I have used "next-hop discard" just to create a default route that leads nowhere; this is also called a blackhole route. Of course, in a real production network the default route is most of the time the route that takes you to the internet. In my lab, I will use a blackhole route that leads nowhere instead.

Step 2: Configure a Policy Statement

Create a policy statement to match and accept the static default route.

R1# edit policy-options
R1# set policy-statement default-originate term 1 from route-filter 0.0.0.0/0 exact
R1# set policy-statement default-originate term 1 then accept
R1# commit

I have just created a policy statement called "default-originate" which says: if you find the default route, then accept it.

Step 3: Export the Policy Statement into OSPF

Export the policy statement into OSPF.

R1# edit protocols ospf
R1# set export default-originate
R1# commit

Here I have exported the policy statement named “default-originate” into OSPF so all OSPF routers will know about this default route.


Step 4: Verify Default Route on Other Routers

Check the routing tables on downstream routers to confirm they received the default route.

R4# show route
0.0.0.0/0 [OSPF] via 192.168.34.3

R3# show route
0.0.0.0/0 [OSPF] via 192.168.23.2

R2# show route
0.0.0.0/0 [OSPF] via 192.168.12.1

As you can see, all OSPF routers have received the default route via OSPF into their routing table, which is perfect.
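As an added check covering both parts of this lab (example code written for this page, not from the original post or from Juniper): a small audit that reads a Junos configuration in "display set" form plus a "show ospf neighbor" listing, reports host-facing OSPF interfaces that are not passive, flags any neighbor appearing on an interface the config marks passive, and lists which policies exported into OSPF inject a default route. The config and neighbor table are constructed samples; fastethernet0/0/2 and the default-originate policy are the page's names, while fe-0/0/1.0, fastethernet0/0/3 and the addresses are assumed.

```python
import re

# Constructed sample (not the page's output): R2's OSPF and policy config in "display set"
# form. fastethernet0/0/2 and default-originate are the page's names; the rest is assumed.
CONFIG_SET = """\
set protocols ospf area 0.0.0.0 interface fe-0/0/1.0
set protocols ospf area 0.0.0.1 interface fastethernet0/0/2 passive
set protocols ospf area 0.0.0.1 interface fastethernet0/0/3
set protocols ospf export default-originate
set policy-options policy-statement default-originate term 1 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement default-originate term 1 then accept
"""

# Constructed "show ospf neighbor" output in the Junos column layout.
NEIGHBORS = """\
Address          Interface          State  ID            Pri  Dead
192.168.12.1     fe-0/0/1.0         Full   192.168.23.1  128    35
192.168.23.3     fastethernet0/0/3  Full   192.168.23.3  128    37
"""

IFACE_RE = re.compile(r"^set protocols ospf area (\S+) interface (\S+)(?: (passive))?$", re.M)

def ospf_interfaces(config):
    """Map each OSPF-enabled interface to its area and passive flag."""
    return {m.group(2): {"area": m.group(1), "passive": m.group(3) is not None}
            for m in IFACE_RE.finditer(config)}

def active_host_facing(config, host_facing):
    """Host-facing interfaces running OSPF without 'passive': hellos leak onto the LAN."""
    ifaces = ospf_interfaces(config)
    return sorted(i for i in host_facing if i in ifaces and not ifaces[i]["passive"])

def neighbors_on_passive(config, neighbor_output):
    """(router-id, interface) for neighbors seen on an interface the config marks passive."""
    ifaces = ospf_interfaces(config)
    hits = []
    for line in neighbor_output.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) >= 4 and ifaces.get(cols[1], {}).get("passive"):
            hits.append((cols[3], cols[1]))  # running state disagrees with audited config
    return hits

def default_originators(config):
    """Policies exported into OSPF with a term that matches 0.0.0.0/0 exact and accepts."""
    exported = set(re.findall(r"^set protocols ospf export (\S+)$", config, re.M))
    term = r"^set policy-options policy-statement (\S+) term (\S+) "
    matching = set(re.findall(term + r"from route-filter 0\.0\.0\.0/0 exact$", config, re.M))
    accepting = set(re.findall(term + r"then accept$", config, re.M))
    return sorted({p for p, t in matching & accepting if p in exported})
```

Run `default_originators` against every router's config: only the intended internet-facing router should appear, since any other policy that accepts 0.0.0.0/0 into OSPF would pull traffic towards that router.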

Conclusion

This lab demonstrated:

  1. The use of the passive interface in OSPF to secure networks by suppressing hello packets while still advertising the network.
  2. The process of advertising a static default route in OSPF using policy options to enable all routers in the network to route traffic to external networks.

These configurations enhance OSPF functionality and network security. I hope this lecture was informative, and I’ll see you in the next session!
