Solved: Re: OSPF packets on L2 port

CSCO12099251 · ‎01-28-2018

Hi All,

Hi,

I have a silly question.

If I have L3 switch with VLAN 10 SVI enabled for OSPF without passive. I have 2 neighbor routers and a firewall on same vlan (via access ports). However I want not to send multicast only for port connecting to firewall as firewall is not participating in OSPF. How can I achieve it?

Also please advise if we enable ospf on SVI10 without passive, will that send ospf multicast on all the physical ports which are part of vlan 10 (either access or trunk)?

Regards,

Godwin. S

Predrag Jovic · ‎01-29-2018

Way to achieve that no OSPF packet is ever reaching firewall would be to configure OSPF router to use unicast instead of multicast.

interface fa0/0

ip ospf network point-to-multipoint non-broadcast

ip address z.z.z.z c.c.c.c

!

router ospf 1

neighbor x.x.x.x

network y.y.y.y

OSPF will use unicast instead of multicast, only configured neighbors will get OSPF packets from neighboring routers.

View solution in original post

Reza Sharifi · ‎01-28-2018

Hi,

If you are referring to 224.0.0.5 and 224.0.0.6 multicast addresses, have a look at this link:

https://supportforums.cisco.com/t5/wan-routing-and-switching/dr-bdr-communication/td-p/1142718

HTH

CSCO12099251 · ‎01-28-2018

Hi Reza,

Thanks for your reply. My question is simple as below.

If I want to disable OSPF hello messages from particular ports from a VLAN, how to achieve it? I know if we want to disable it for complete VLAN, then we can do it by 'passive interface' under SVI. My concern is how to disable on particular ports.

For example, I want my l3 switch to form OSPF neighbor only with routers and not with firewalls (though all connected to my same L3 switch via access ports). How can we do it?

Reza Sharifi · ‎01-28-2018

Hi,

So, in this case, if the firewall is not running OSPF, you should not see any hello packets on the port that is connected to the firewall.

HTH

CSCO12099251 · ‎01-28-2018

Hi Reza,

Understand that L3 switch does not see any packets from Firewall as firewall is not running OSPF. But what about on Firewall side, will firewall see ospf packets from L3 switch, as OSPF is enabled on switch side?

Reza Sharifi · ‎01-28-2018

Hi,

The firewall should not see any hello packets if there is no OSPF running.

HTH

Jon Marshall · ‎01-29-2018

Yes the firewall will see OSPF hellos because you have enabled OSPF on the SVI for that vlan.

I suppose you could try using an acl on the port connecting to the firewall but that would only work if the switch supported egress acls and most only support ingress if I recall correctly.

Jon

Predrag Jovic · ‎01-29-2018

Way to achieve that no OSPF packet is ever reaching firewall would be to configure OSPF router to use unicast instead of multicast.

interface fa0/0

ip ospf network point-to-multipoint non-broadcast

ip address z.z.z.z c.c.c.c

!

router ospf 1

neighbor x.x.x.x

network y.y.y.y

OSPF will use unicast instead of multicast, only configured neighbors will get OSPF packets from neighboring routers.

Richard Burts · ‎01-29-2018

This is a creative solution and gets +5 from me. (wish I had thought of it when I read the original post)

Note that similar configuration needs to be configured on all 3 devices running OSPF on this vlan/subnet.

HTH

Rick

HTH

Rick