Understanding Passive-Interface Default Command in OSPF

Sivagami Narayanan · ‎05-25-2012

Introduction

In large service provider and Enterprise networks, some distribution-layer routers often have a large number of interfaces, for example, at the WAN edge. A common practice to facilitate the configuration of a routing protocol on such routers is to enable the routing processes on a network range matching several of the interfaces. While this technique facilitates the configuration of the routing protocol, enabling routing indiscriminately on several or all interfaces may increase the chances for the insertion of unauthorized routing peers. Also, unnecessary routing protocol exchanges increase CPU overhead on the router.

To prevent these problems, one can set all interfaces as passive by default with the 'passive-interface default' command. This command changes the configuration logic to a default passive; therefore, interfaces where router adjacencies are expected need to be configured with the 'no passive-interface' command. Setting an interface as passive disables the sending of routing updates on that interface, hence adjacencies will not be formed in OSPF. However, the particular subnet will continue to be advertised to other interfaces.

Configuration

In this topology, the two routers R1 and R2 are configured with OSPF. The routers R1 and R3 uses RIP to communicate with each other.

Note: See attached files for configurations of router R1, R2 and R3.

Topology Diagram

Description

In the above topology, It is recommended to configure passive-interface default under the OSPF routing process and specifically enable the interfaces where routing adjacencies are to be formed. In router R1, under the OSPF routing process, use the command no passive-interface <interface name>, i.e S1/0. This gives more control for administering OSPF. There is no need to send hellos and form adjacencies on stub networks and on other interfaces where there are no OSPF-speaking neighbors. Note that, doing so would just consume more CPU cycles and potentially allow insertion of unauthorized routing peers. It is especially important to turn off routing protocol exchanges in switched LAN environments. When there are a lot of L3 interfaces on the router and not all are participating in OSPF,configure the no passive-interface followed by the interfaces name that need to participate in OSPF and form router adjacencies. Example :no passive-interface <interface name 1> no passive-interface <interface name 2> no passive-interface <interface name 3>

In routers that have a small number of interfaces, you can choose to manually set the 'passive-interface' command on the interfaces where adjacency is not desired, instead of using the 'passive-interface default' command. Also, the rule does not apply if all L3 interfaces are designed to participate in the OSPF domain.

Verification Commands

To verify that interfaces on your network have been set to passive, use the command show ip ospf interface and look for the report indicating "No Hellos (Passive interface)". The output will be like below:

References

Default Passive Interface Feature

IP Routing OSPF Command Reference - IOS 12.4

IP Routing OSPF Configuration Guide

In large service provider and Enterprise networks, some distribution-layer routers often have a large number of interfaces, for example, at the WAN edge. A common practice to facilitate the configuration of a routing protocol on such routers is to enable the routing processes on a network range matching several of the interfaces. While this technique facilitates the configuration of the routing protocol, enabling routing indiscriminately on several or all interfaces may increase the chances for the insertion of unauthorized routing peers. Also, unnecessary routing protocol exchanges increase CPU overhead on the router. To prevent these problems, one can set all interfaces as passive by default with the 'passive-interface default' command. This command changes the configuration logic to a default passive; therefore, interfaces where router adjacencies are expected need to be configured with the 'no passive-interface' command. Setting an interface as passive disables the sending of routing updates on that interface, hence adjacencies will not be formed in OSPF. However, the particular subnet will continue to be advertised to other interfaces.

techkid011 · ‎07-26-2012

Hi Siva,

Have a small question on this topic.

Diagram : P-X (1.1.1.1) ---------Ospf Link -------- P-Y (2.2.2.2)

Scenario : In a carrier class MPLS cloud,i have two Provider (P-X and P-Y)) routers running MPLS with OSPF as an IGP. Now i want to do some maintenance in one P(say P-Y) router and i would like to take if off from Network before doing it.

In this case,we can passive the ospf interface at P-Y and disable passive once maintenance on P-Y is complete.

Question : Even when i passive the ospf interface, P-Y should have P-X interface ip 1.1.1.1 in its routing table and since only ospf in passive BUT interface in still UP,can it blackhole the traffic by forwarding it to 1.1.1.1 ?

Ospf passive will just ensure that no hello's are exchanged but it will not retrieve the interface ip address from routing table.

Hope i explained the scenario and would appreciate if you respond with your feedback.

Thank You