
OSPF Using Passive interface

OSPF Passive Interface
When we use the network command in OSPF, two things happen:

  • Every interface whose network falls within the range of the network command is advertised in OSPF.
  • OSPF hello packets are sent on those interfaces.

Take a look at the image up there:

R1 and R2 are configured for OSPF in Area 0. R1 is connected to network 192.168.10.0/24, which has some computers connected to a switch. R1 wants to advertise this network to R2.

When we use the network command to advertise 192.168.10.0/24 in OSPF, R1 will also send OSPF hello packets to the switch. This is not a good idea because there is no router on this network, and it's also a security risk. If someone on a computer starts an application that replies with OSPF hello packets, then R1 will try to become neighbors. An attacker could advertise fake routes using this technique.

To prevent this from happening, we can use the passive-interface command. This command tells OSPF not to send hello packets on certain interfaces.

We will configure OSPF to stop sending hello packets towards the switch. There are two ways to do that.


R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1


If you have many interfaces, it might be annoying to configure each of them as a passive interface, for example if R1 used subinterfaces for VLANs.


R1(config)#router ospf 1
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface FastEthernet 0/0


The configuration above makes all interfaces passive, and we then have to tell the router which interfaces should send OSPF hello packets. This is easier, and it prevents OSPF from sending hello packets when someone creates a new sub-interface and forgets to make it passive.


hostname R1
interface FastEthernet 0/1
 ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet 0/0
 ip address 192.168.20.1 255.255.255.0
!
router ospf 1
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface FastEthernet 0/0
!
end

hostname R2
!
interface FastEthernet 0/0
 ip address 192.168.20.2 255.255.255.0
!
router ospf 1
 network 192.168.20.0 0.0.0.255 area 0
!
end
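
An added example, not part of the original post: a small Python audit that reads an IOS-style configuration and lists the interfaces on which OSPF is enabled by a network statement and not made passive, that is, where hello packets are still sent. The function names and the sample text (R1's configuration from above, with and without the passive-interface lines) are constructed for illustration; it assumes a single OSPF process and primary addresses only.

```python
import ipaddress

# Constructed sample: R1's configuration from this page with the passive-interface lines removed.
R1_UNHARDENED = """\
hostname R1
interface FastEthernet 0/1
 ip address 192.168.10.254 255.255.255.0
!
interface FastEthernet 0/0
 ip address 192.168.20.1 255.255.255.0
!
router ospf 1
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
"""
# "router ospf 1" is the last section, so appending restores the page's two passive lines.
R1_HARDENED = R1_UNHARDENED + " passive-interface default\n no passive-interface FastEthernet 0/0\n"

def norm(name):  # "FastEthernet 0/1" and "FastEthernet0/1" name the same interface
    return name.replace(" ", "").lower()

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def ospf_hello_interfaces(config):
    """Interfaces where OSPF is enabled and not passive. Assumes one OSPF process."""
    addrs, nets, passive, active = {}, [], set(), set()
    default_passive, section, iface = False, None, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if not line[0].isspace():  # an unindented line opens a new section
            section = "ospf" if words[:2] == ["router", "ospf"] else words[0]
            iface = norm(" ".join(words[1:])) if section == "interface" else None
        elif section == "interface" and words[:2] == ["ip", "address"]:
            addrs[iface] = to_int(words[2])
        elif section == "ospf" and words[0] == "network":
            nets.append((to_int(words[1]), to_int(words[2])))  # (address, wildcard)
        elif section == "ospf" and words[:2] == ["passive-interface", "default"]:
            default_passive = True
        elif section == "ospf" and words[0] == "passive-interface":
            passive.add(norm(" ".join(words[1:])))
        elif section == "ospf" and words[:2] == ["no", "passive-interface"]:
            active.add(norm(" ".join(words[2:])))
    def sends(name, ip):  # a network statement matches when bits outside its wildcard agree
        enabled = any(((ip ^ net) & ~wild & 0xFFFFFFFF) == 0 for net, wild in nets)
        return enabled and name not in passive and not (default_passive and name not in active)
    return sorted(name for name, ip in addrs.items() if sends(name, ip))
```

Any interface in the result that faces only hosts, such as FastEthernet 0/1 in the unhardened sample, is a candidate for passive-interface.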










