05-27-2009 10:44 AM - edited 03-04-2019 04:54 AM
What options are there to limit which routers OSPF neighbors form with? I am aware of limiting interfaces (via "Passive-Interface") that participate in OSPF advertisements, but I was wondering if there were other / more efficient options ---> especially in a router with many interfaces.
Any suggestions?
05-27-2009 11:12 AM
Keith
Perhaps if we understood what you are really trying to accomplish we might provide better answers. Why would you want a router to run OSPF on an interface and not form neighbor relationships with other routers on that interface?
In addition to the passive-interface alternative, you might configure the OSPF timers on an interface so that they do not match the other router, which will prevent forming neighbor relationships. Or you might configure a different OSPF area ID on the interfaces, which will also prevent forming a neighbor relationship.
But why would you want to do these things?
HTH
Rick
05-27-2009 11:46 AM
Keith,
I agree with Rick. You could also use authentication between the neighbors that you want to form adjacencies with, and for the routers that you don't want to form adjacencies with, just don't configure authentication. Keep in mind that it will constantly try to make an adjacency, and this means more traffic (and possibly instability) in your network that's unnecessary. If you just want to limit what routes go to what routers, I would recommend using route-maps and distribute lists under the OSPF process.
HTH,
John
05-28-2009 02:07 AM
John/Rick,
Here is the scenario we are trying to address;
>> Our internal routing protocol is EIGRP.
>> A firewall is between 2 of our routers (security requirement): external MPLS network (outside router) - firewall - internal network (inside router)
>> OSPF is for dynamic routing capabilities across the firewall ONLY.
My goal is to limit OSPF to the single interface of each router facing the firewall, thus keeping EIGRP intact everywhere else.
I hope this helps explain. If there are other options to consider, we are open to suggestions. (Unfortunately, removing / replacing / moving the firewall isn't one of them)
Thanks,
Keith
05-28-2009 02:20 AM
If you just want to limit OSPF to a single interface, would just using a network statement in the ospf router configuration section that only matches the one interface address accomplish what you desire?
e.g.
interface Ethernet
 ip address 10.3.2.1 255.255.255.0
!
router ospf 10
 network 10.3.2.1 0.0.0.0 area 3
[edit]
The key to the example above is that OSPF network statements match interface addresses (similar to ACLs). Interfaces are placed into OSPF, which is a little different from EIGRP. A mask of 0.0.0.0 on the network statement will only match one specific address. It doesn't matter what the mask is on the interface itself, although OSPF's VLSM will advertise the interface's mask along with its address. In your case, you might be using a /30 on your interface, which then might look like:
interface Ethernet
 ip address 10.3.2.1 255.255.255.252
!
router ospf 10
 ! wildcard 0.0.0.0 matches this one interface address only
 network 10.3.2.1 0.0.0.0 area 3
05-28-2009 02:27 AM
I do have the network statement limited to the single subnet of the interface facing the firewall as you show.
Being mostly experienced with EIGRP, I just wanted to make sure we weren't advertising out other interfaces on the router and limiting OSPF to 1 direction / interface.
It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true?
Thanks
05-28-2009 02:46 AM
"It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true? "
Correct. OSPF would only use the one interface if you configure the network statement's mask as I've described.
"passive-interface" might be used if you had placed an interface into OSPF but didn't want to peer with other OSPF neighbors. For instance, on a user facing access subnet, you might use it as one of the methods to keep your router from peering with a user host PC running OSPF and further not even send hello packets that could be sniffed.
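Putting the thread's three mechanisms together for Keith's scenario, here is an added configuration example (not posted by anyone in the thread) for the inside router. The network statement with a 0.0.0.0 wildcard puts only the firewall-facing interface into OSPF 10 (the point made in the /30 example above); passive-interface default is the belt-and-braces layer so that no other interface ever sends hellos, even if someone later adds a broader network statement; and MD5 authentication on the link (John's suggestion) means only a peer holding the key can complete an adjacency, so a host or rogue device on that segment cannot. The interface name Ethernet0/0, process ID 10, area 3 and the key string are assumptions; the 10.3.2.1/30 address is taken from the earlier example.

```cisco
! Added example, not from the thread. Assumes the firewall-facing
! interface is Ethernet0/0, OSPF process 10, area 3; the key is a placeholder.
interface Ethernet0/0
 description Link to firewall (the only OSPF-enabled interface)
 ip address 10.3.2.1 255.255.255.252
 ! MD5 authentication: a peer without the key never gets past INIT
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-STRONG-KEY
!
router ospf 10
 ! Suppress hellos on every interface by default, then open only the firewall link
 passive-interface default
 no passive-interface Ethernet0/0
 ! Wildcard 0.0.0.0 matches exactly this interface address, so no other
 ! interface on the router is placed into OSPF regardless of its own mask
 network 10.3.2.1 0.0.0.0 area 3
!
```

To confirm the scoping worked, `show ip ospf interface brief` should list only Ethernet0/0 under process 10, and `show ip ospf neighbor` should show a single neighbor (the outside router, via the firewall) in state FULL. If the firewall does not pass OSPF multicast (224.0.0.5/224.0.0.6), a neighbor entry will never appear at all, which is a firewall-policy problem rather than an OSPF configuration one.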