OSPF Passive Interface on MikroTik & default advertise

In this post, I’ll discuss OSPF Passive Interface, an important feature in OSPF routing. We’ll cover its purpose, when to use it, and how to configure it on MikroTik RouterOS. A passive interface advertises its connected network into OSPF without sending OSPF Hello packets on that interface, so no neighbor relationship can form there while the network remains reachable through OSPF.

What Is an OSPF Passive Interface?

A passive interface in OSPF stops the router from sending Hello packets out of that interface, thus preventing the formation of OSPF neighbor relationships on that interface. However, it still advertises the network connected to that interface to other OSPF routers.

Why Use a Passive Interface?

Passive interfaces are particularly useful in scenarios where:

  • A router is connected to non-OSPF devices (e.g., switches or hosts) where Hello packets are unnecessary.
  • Security concerns exist, such as preventing rogue devices from forming OSPF neighbor relationships and injecting routes into the network.

Lab Setup Overview

Our setup consists of:

  • Router 1: Connected to Router 2 via OSPF.
  • Router 2 (focus router): Connected to Router 3 via Ethernet 2.
  • Router 3: Connected to Router 2 via Ethernet and advertises several networks.

Step-by-Step Lab Walkthrough

Step 1: Verifying OSPF Neighborships and Routing Table

Before enabling the passive interface, we verify that all OSPF neighbors are properly established and that Router 1 can see the routes from Router 3 via Router 2.

Command on Router 1:

[admin@Router1] > /routing/ospf/neighbor/print
Flags: D - dynamic
Columns: INSTANCE, ROUTER-ID, STATE, ADDRESS, INTERFACE
#  INSTANCE  ROUTER-ID  STATE  ADDRESS       INTERFACE
0  default   2.2.2.2    Full   192.168.12.2  ether1

Command on Router 1 to check routes:

[admin@Router1] > /ip/route/print
Flags: D - dynamic, X - disabled, I - inactive, A - active, O - ospf
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS    GATEWAY       DISTANCE  FLAGS
0 ADO  172.16.1.0/24  192.168.12.2  110       O
1 ADO  172.16.2.0/24  192.168.12.2  110       O
2 ADO  172.16.3.0/24  192.168.12.2  110       O
3 ADO  172.16.4.0/24  192.168.12.2  110       O

Step 2: Making Ethernet 2 Passive on Router 2

Now, we configure Ethernet 2 on Router 2 as a passive interface. This stops Hello packets from being sent out of Ethernet 2 while keeping the connected network advertised.
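To confirm that a passive interface really carries no adjacency, the neighbor table can be checked automatically. The script below is an added example, not part of the original lesson: it parses output in the layout shown in Step 1 and flags any neighbor on an interface meant to be passive, or any router ID not on an allowlist. The sample table for Router 2, the router IDs 1.1.1.1 and 3.3.3.3, the addresses and the allowlist are constructed for illustration.

```python
import re

# Constructed sample: Router 2's neighbor table in the layout printed in Step 1.
# Router IDs, addresses and the ether2 row are illustrative, not lab output.
SAMPLE = """\
Flags: D - dynamic
Columns: INSTANCE, ROUTER-ID, STATE, ADDRESS, INTERFACE
# INSTANCE ROUTER-ID STATE ADDRESS INTERFACE
0 default 1.1.1.1 Full 192.168.12.1 ether1
1 D default 3.3.3.3 Full 192.168.23.3 ether2
"""

# Row layout: index, optional flag letters, instance, router ID, state, address, interface.
ROW = re.compile(
    r"^\s*\d+\s+(?:[A-Z]+\s+)?(?P<instance>\S+)\s+(?P<router_id>\d+(?:\.\d+){3})\s+"
    r"(?P<state>\S+)\s+(?P<address>\d+(?:\.\d+){3})\s+(?P<interface>\S+)\s*$"
)

def parse_neighbors(text):
    """Return one dict per neighbor row; flag and header lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line))]

def audit(neighbors, passive_ifaces, allowed):
    """allowed maps interface name -> set of router IDs expected on it."""
    findings = []
    for n in neighbors:
        iface, rid = n["interface"], n["router_id"]
        if iface in passive_ifaces:
            findings.append((iface, rid, "neighbor on interface that should be passive"))
        elif rid not in allowed.get(iface, set()):
            findings.append((iface, rid, "router ID not in allowlist"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_neighbors(SAMPLE), {"ether2"}, {"ether1": {"1.1.1.1"}}):
        print(*finding, sep=" | ")
```

Run it against the neighbor table captured from Router 2 after the change; an empty result means no adjacency exists on ether2 and every remaining neighbor is an expected one.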
