What is an OSPF Passive Interface and how to configure it in Huawei

Once you use the network command in OSPF to advertise a network, hello packets are sent out of the interface that belongs to that network in order to try to form a neighborship with a peer router.

But what if we have the following scenario?

In this scenario, you need to advertise the connected networks on R1 into OSPF so that R2 knows about R1's networks. That means the following 2 networks will be advertised into OSPF on R1:

  • 172.16.0.0/24

Once you advertise those 2 networks, hello packets will be sent out of both interfaces, as follows:

Of course, we need the hello packets to go out via interface G0/0/0 so that R1 can form an OSPF neighborship with R2, but do we really need hello packets to go out via G0/0/1, which is connected to a LAN switch? Of course not. This is actually a security hole: someone on that LAN can run OSPF on his PC, form a neighborship with R1, and then use that to attack our network. But at the same time, R1 should still advertise the network connected to interface G0/0/1 so that R2 knows about it. So, what is the solution here?


The solution is to make interface G0/0/1 a passive interface (known as a silent-interface in Huawei). Once that is done, hello packets are no longer sent out of G0/0/1, but the network is still advertised in OSPF and R2 will still know about it. I hope the idea is clear for you now. If not, let's run a lab to show you what happens when I make an interface passive in OSPF.
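To see which interfaces of a Huawei router will actually emit OSPF hellos, here is an added example (not from this post, and not a Huawei tool) that audits a VRP configuration: it reads the interface addresses, the network statements (which use a wildcard mask) and the silent-interface lines from the ospf view, and reports every interface that is covered by a network statement but is not silent. The configuration text, the function names and the `silent-interface all` handling are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of a Huawei VRP configuration (hypothetical, not from the post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 172.16.0.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
 silent-interface GigabitEthernet0/0/1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 172.16.0.0 0.0.0.255
#
"""

def ip2int(text):
    return int(ipaddress.IPv4Address(text))

def parse_config(config):
    """Return (iface -> address, [(network, wildcard)], silent interfaces) from the config."""
    ifaces, networks, silent, view = {}, [], set(), None
    for line in config.splitlines():
        if line.startswith("#"):  # a line with only '#' closes the current view
            view = None
        elif m := re.match(r"interface (\S+)", line):
            view = ("iface", m.group(1))
        elif re.match(r"ospf \d+", line):
            view = ("ospf", None)
        elif view and view[0] == "iface" and (m := re.match(r"\s+ip address (\S+) ", line)):
            ifaces[view[1]] = ip2int(m.group(1))
        elif view and view[0] == "ospf" and (m := re.match(r"\s+silent-interface (\S+)", line)):
            silent.add(m.group(1))
        elif view and view[0] == "ospf" and (m := re.match(r"\s+network (\S+) (\S+)", line)):
            networks.append((ip2int(m.group(1)), ip2int(m.group(2))))
    return ifaces, networks, silent

def hello_sending_interfaces(config):
    """Interfaces enabled for OSPF by a network statement and NOT silent: these emit hellos."""
    ifaces, networks, silent = parse_config(config)
    if "all" in silent:  # 'silent-interface all' suppresses hellos on every interface
        return []
    result = []
    for name, addr in ifaces.items():
        # An interface is covered when the non-wildcard bits of its address match the statement.
        if any((addr & ~wc) == (net & ~wc) for net, wc in networks) and name not in silent:
            result.append(name)
    return sorted(result)
```

Run it against a saved `display current-configuration` output and every interface it lists is one where a neighbor could be formed; each LAN-facing entry is a candidate for silent-interface.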

LAB: OSPF Passive Interface

I am still on the same lab scenario as in the last chapter. Everything is still running.

If we look at area 1, there is already an OSPF neighborship between R2 and R4. Let's verify that from R4.

I see that R4 has a neighborship with R2.

Let's now capture the traffic with Wireshark on interface G0/0/1 of R2 and see whether hello packets are being sent out of this interface.

As you see, hello packets are still being sent out of interface G0/0/1 of R2.

I will go to R2 and make the interface connected to R4 (G0/0/1) a passive interface, then I will check again whether R4 still has a neighborship with R2 and whether the advertised network (the one on interface G0/0/1) is still seen on the other routers.

Let's now make G0/0/1 a passive interface (silent-interface):

Once I have issued this command, I see that the OSPF neighborship with R4 has been dropped, as follows:

Let's check again whether R4 still has a neighborship with R2.

Unfortunately, not!!!!!

Let's check in Wireshark again whether R2 is still sending OSPF hello packets to R4.

I only see hello packets going from R4 to R2; there are no hello packets going from R2 to R4, and that's why the neighborship went down.

Now that we have made interface G0/0/1 of R2 a silent-interface, what about the network that is on that interface, which is , will it still be advertised in OSPF so that other OSPF routers know about it?

Let’s check that on R1 and on R5.

On R1, it still has the entry of in its routing table. Let's ping it from R1.

Excellent!!!! R1 is still able to reach this network.

Let's now check R5, which is in the RIP network.

R5 also still sees the entry for this network in its routing table. Let me ping , which is the IP address of interface G0/0/1 of R2.

Also R5 is able to reach ????

In conclusion, when an interface is made passive, it no longer sends hello packets out of that interface, but the network on that interface, which is advertised in OSPF, remains advertised.

This is all I wanted to show you in this chapter. I hope you enjoyed it, and see you in the upcoming one.
