OSPF - limit neighbors questions

Answered Question
May 27th, 2009

What options are there to limit which routers OSPF neighbors form with? I am aware of limiting interfaces (via "Passive-Interface") that participate in OSPF advertisements, but I was wondering if there were other / more efficient options ---> especially in a router with many interfaces.

Any suggestions?

Richard Burts Wed, 05/27/2009 - 11:12

Keith

Perhaps if we understood what you are really trying to accomplish we might provide better answers. Why would you want a router to run OSPF on an interface and to not form neighbor relationship with other routers on that interface?

In addition to the passive-interface alternative, you might configure the OSPF timers on an interface so that they do not match the other router, which will prevent forming neighbor relationships. Or you might configure a different OSPF area ID on the interfaces, which will also prevent forming neighbor relationships.

But why would you want to do these things?

HTH

Rick

John Blakley Wed, 05/27/2009 - 11:46

Keith,

I agree with Rick. You could also use authentication between the neighbors that you want to make adjacencies with, and for the routers that you don't want to make adjacencies with, just don't configure authentication. Keep in mind that they will constantly try to make an adjacency, and this means more traffic (and possibly instability) in your network that's unnecessary. If you just want to limit what routes go to what routers, I would recommend using route-maps and distribution lists under the OSPF process.

HTH,

John

kst.amand Thu, 05/28/2009 - 02:07

John/Rick,

Here is the scenario we are trying to address;

>> Our internal routing protocol is EIGRP.

>> A firewall is between 2 of our routers (security requirement): external MPLS network (outside router) - firewall - internal network (inside router)

>> OSPF is for dynamic routing capabilities across the firewall ONLY.

My goal is to limit OSPF to the single interface of each router facing the firewall, thus keeping EIGRP intact everywhere else.

I hope this helps explain. If there are other options to consider, we are open to suggestions. (Unfortunately, removing / replacing / moving the firewall isn't one of them)

Thanks,

Keith

Joseph W. Doherty Thu, 05/28/2009 - 02:20

If you just want to limit OSPF to a single interface, would just using a network statement in the ospf router configuration section that only matches the one interface address accomplish what you desire?

e.g.

interface Ethernet
 ip address 10.3.2.1 255.255.255.0
!
router ospf 10
 ! wildcard 0.0.0.0 matches this one interface address only
 network 10.3.2.1 0.0.0.0 area 3

[edit]

The key to the example above is that OSPF network statements match interface addresses (similar to ACLs). Interfaces are placed into OSPF; a little different from EIGRP. A network-statement mask of 0.0.0.0 will match only one specific address. It doesn't matter what the mask is on the interface itself, although OSPF's VLSM will advertise the interface's mask along with its address. In your case, you might be using a /30 on your interface, which then might look like:

interface Ethernet
 ip address 10.3.2.1 255.255.255.252
!
router ospf 10
 ! still a host match; OSPF advertises 10.3.2.0/30 from the interface mask
 network 10.3.2.1 0.0.0.0 area 3

kst.amand Thu, 05/28/2009 - 02:27

I do have the network statement limited to the single subnet of the interface facing the firewall as you show.

Being mostly experienced with EIGRP, I just wanted to make sure we weren't advertising out other interfaces on the router and limiting OSPF to 1 direction / interface.

It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true?

Thanks

Correct Answer
Joseph W. Doherty Thu, 05/28/2009 - 02:46

"It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true? "

Correct. OSPF would only use the one interface, if you configure the network statement's mask as I've described.

"passive-interface" might be used if you had placed an interface into OSPF but didn't want to peer with other OSPF neighbors. For instance, on a user facing access subnet, you might use it as one of the methods to keep your router from peering with a user host PC running OSPF and further not even send hello packets that could be sniffed.
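The two points made in this thread, that the wildcard on the network statement decides which interfaces OSPF takes over, and that passive-interface only stops hellos on an interface that is already in OSPF, are easy to get wrong coming from EIGRP. The following is an added example (not code from the original posts or from Cisco) that models the IOS matching rules over a small constructed config: a router with several internal interfaces and one /30 facing the firewall. The interface names and addresses are assumptions, and "most specific network statement wins when several match" is the IOS behaviour the model assumes.

```python
"""Model of how Cisco IOS decides which interfaces an OSPF process covers.

Added illustration for the thread above, not code from the original post
or from Cisco. The configs below are constructed for the example; the
interface names and addresses are assumptions.
"""
import ipaddress
import re

# Constructed baseline: a router with several EIGRP-side interfaces and one
# /30 (Gi0/0) facing the firewall that should be the only OSPF interface.
BASE_INTERFACES = """\
interface GigabitEthernet0/0
 ip address 10.3.2.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.3.10.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 10.3.20.1 255.255.255.0
interface Loopback0
 ip address 10.3.0.1 255.255.255.255
"""

# The answer's approach: a host wildcard matches exactly one interface address.
EXACT_MATCH = BASE_INTERFACES + """\
router ospf 10
 network 10.3.2.1 0.0.0.0 area 3
"""

# A broad wildcard, as someone used to EIGRP might write it: matches everything.
BROAD_MATCH = BASE_INTERFACES + """\
router ospf 10
 network 10.3.0.0 0.0.255.255 area 3
"""

# Broad wildcard "repaired" with passive-interface: hellos only leave Gi0/0,
# but the other subnets are still advertised into OSPF.
BROAD_PASSIVE = BROAD_MATCH + """\
 passive-interface default
 no passive-interface GigabitEthernet0/0
"""


def parse_config(text):
    """Return ({ifname: IPv4Interface}, ospf_state) from an IOS-style config."""
    interfaces, networks, passive, no_passive = {}, [], set(), set()
    passive_default = False
    cur_if, in_ospf = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur_if, in_ospf = line.split()[1], False
        elif line.startswith("router ospf "):
            cur_if, in_ospf = None, True
        elif line.startswith("ip address ") and cur_if:
            _, _, addr, mask = line.split()
            interfaces[cur_if] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif in_ospf:
            m = re.fullmatch(r"network (\S+) (\S+) area (\S+)", line)
            if m:
                networks.append((int(ipaddress.IPv4Address(m[1])),
                                 int(ipaddress.IPv4Address(m[2])), m[3]))
            elif line == "passive-interface default":
                passive_default = True
            elif line.startswith("no passive-interface "):
                no_passive.add(line.split()[2])
            elif line.startswith("passive-interface "):
                passive.add(line.split()[1])
    return interfaces, (networks, passive_default, passive, no_passive)


def ospf_interfaces(interfaces, ospf):
    """Which interfaces OSPF takes over, and whether each one sends hellos."""
    networks, passive_default, passive, no_passive = ospf
    enabled = {}
    for name, iface in interfaces.items():
        addr = int(iface.ip)
        best = None
        for net, wildcard, area in networks:
            care = 0xFFFFFFFF ^ wildcard           # wildcard 1-bits are "don't care"
            if addr & care == net & care:
                bits = bin(wildcard).count("1")    # fewer bits = more specific match
                if best is None or bits < best[0]:
                    best = (bits, area)
        if best is None:
            continue                                # interface stays out of OSPF
        is_passive = (name not in no_passive) if passive_default else (name in passive)
        enabled[name] = {"area": best[1], "prefix": str(iface.network),
                         "sends_hellos": not is_passive}
    return enabled


def summarize(config_text):
    return ospf_interfaces(*parse_config(config_text))


if __name__ == "__main__":
    for label, cfg in [("exact", EXACT_MATCH), ("broad", BROAD_MATCH),
                       ("broad+passive", BROAD_PASSIVE)]:
        print(label)
        for name, info in summarize(cfg).items():
            print(f"  {name:22} area {info['area']}  {info['prefix']:18} "
                  f"hellos={'yes' if info['sends_hellos'] else 'no'}")
```

Running it shows the contrast: with the 0.0.0.0 wildcard only GigabitEthernet0/0 is in OSPF and nothing else is advertised; with the broad wildcard every interface, including the loopback, joins area 3 and sends hellos; adding passive-interface default silences hellos on the internal interfaces but their prefixes are still advertised into OSPF across the firewall, which is why the exact network statement, rather than passive-interface, is the right tool for the scenario in this thread.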
