OSPF - limit neighbors questions

Answered Question
May 27th, 2009

What options are there to limit which routers OSPF forms neighbors with? I am aware of limiting the interfaces that participate in OSPF advertisements (via "passive-interface"), but I was wondering if there were other / more efficient options, especially on a router with many interfaces.


Any suggestions?

Richard Burts Wed, 05/27/2009 - 11:12

Keith


Perhaps if we understood what you are really trying to accomplish we might provide better answers. Why would you want a router to run OSPF on an interface and to not form neighbor relationship with other routers on that interface?


In addition to the passive-interface alternative, you might configure the OSPF timers on an interface so that they do not match the other router, which will prevent forming a neighbor relationship. Or you might configure a different OSPF area ID on the interfaces, which will also prevent forming a neighbor relationship.


But why would you want to do these things?


HTH


Rick

John Blakley Wed, 05/27/2009 - 11:46

Keith,


I agree with Rick. You could also use authentication between the neighbors that you want to make adjacencies with, and for the routers that you don't want to make adjacencies with, just don't configure authentication. Keep in mind that it will constantly try to make an adjacency, and this means more traffic (and possibly instability) in your network that's unnecessary. If you just want to limit what routes go to what routers, I would recommend using route-maps and distribute lists under the OSPF process.


HTH,

John

kst.amand Thu, 05/28/2009 - 02:07

John/Rick,


Here is the scenario we are trying to address;


>> Our internal routing protocol is EIGRP.


>> A firewall is between 2 of our routers (security requirement): external MPLS network (outside router) - firewall - internal network (inside router)


>> OSPF is for dynamic routing capabilities across the firewall ONLY.


My goal is to limit OSPF to the single interface of each router facing the firewall, thus keeping EIGRP intact everywhere else.


I hope this helps explain. If there are other options to consider, we are open to suggestions. (Unfortunately, removing / replacing / moving the firewall isn't one of them)


Thanks,

Keith

Joseph W. Doherty Thu, 05/28/2009 - 02:20

If you just want to limit OSPF to a single interface, would just using a network statement in the ospf router configuration section that only matches the one interface address accomplish what you desire?


e.g.


interface Ethernet
 ip address 10.3.2.1 255.255.255.0

router ospf 10
 network 10.3.2.1 0.0.0.0 area 3


[edit]

The key to the example, above, is network statements for OSPF match interface addresses (similar to ACLs). Interfaces are placed into OSPF; a little different from EIGRP. The mask on the network statement being 0.0.0.0 will only match one specific address. It doesn't matter what the mask is on the interface itself, although OSPF's VLSM will advertise the interface's mask, along with its address. In your case, you might be using a /30 on your interface, which then might look like:


interface Ethernet
 ip address 10.3.2.1 255.255.255.252

router ospf 10
 network 10.3.2.1 0.0.0.0 area 3


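The matching rule Joseph describes above (the network statement is compared against interface addresses with an ACL-style wildcard mask, and the interface's own subnet mask is irrelevant to the match) is easy to get wrong when coming from EIGRP. The following is an added example, not code from the thread or from Cisco: it parses a small IOS-style configuration and reports which interfaces OSPF would run on, and in which area, under a tight `0.0.0.0` wildcard versus a loose `0.255.255.255` one. Interface names, addresses and the `description` line are constructed for the demonstration. One assumption is built in: when several network statements match an interface, the most specific one (fewest wildcard bits) wins, which is how IOS orders them as far as I know; verify on your own platform.

```python
"""Added example (not from the thread or from Cisco): how an IOS-style OSPF
`network` statement selects interfaces.  The match is against each
interface's *address* with an ACL-style wildcard mask; the interface's own
subnet mask plays no part.  All addresses/names below are constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """ACL-style match: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


_IFACE = re.compile(r"^interface\s+(\S+)\s*$")
_IPADDR = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)\s*$")
_NETWORK = re.compile(r"^\s+network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")


def parse_config(config: str) -> Tuple[Dict[str, Tuple[str, str]], List[Tuple[str, str, str]]]:
    """Return ({iface: (address, mask)}, [(network, wildcard, area), ...])."""
    ifaces: Dict[str, Tuple[str, str]] = {}
    statements: List[Tuple[str, str, str]] = []
    current = None
    for line in config.splitlines():
        if m := _IFACE.match(line):
            current = m.group(1)
        elif (m := _IPADDR.match(line)) and current:
            ifaces[current] = (m.group(1), m.group(2))
        elif m := _NETWORK.match(line):
            statements.append(m.groups())
        elif line and not line[0].isspace():
            current = None  # any other top-level command ends the interface block
    return ifaces, statements


def ospf_enabled_interfaces(config: str) -> Dict[str, str]:
    """Map each interface OSPF will run on to its area.
    Assumption (IOS behaviour as far as I know, verify locally): when several
    statements match, the most specific one (fewest wildcard bits) wins."""
    ifaces, statements = parse_config(config)

    def specificity(stmt: Tuple[str, str, str]) -> int:
        return bin(int(ipaddress.IPv4Address(stmt[1]))).count("1")

    result: Dict[str, str] = {}
    for name, (addr, _mask) in ifaces.items():          # mask deliberately unused
        for net, wildcard, area in sorted(statements, key=specificity):
            if wildcard_match(addr, net, wildcard):
                result[name] = area
                break
    return result


# Constructed configuration: one /30 towards the firewall, two internal LANs.
BASE = """\
interface GigabitEthernet0/0
 description to-firewall (constructed example)
 ip address 10.3.2.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 10.3.9.1 255.255.255.0
"""
TIGHT = BASE + "router ospf 10\n network 10.3.2.1 0.0.0.0 area 3\n"
LOOSE = BASE + "router ospf 10\n network 10.0.0.0 0.255.255.255 area 3\n"

if __name__ == "__main__":
    print("tight:", ospf_enabled_interfaces(TIGHT))   # only the firewall-facing interface
    print("loose:", ospf_enabled_interfaces(LOOSE))   # all three interfaces
```

With the tight statement only GigabitEthernet0/0 is placed into OSPF, so no hellos leave the internal interfaces and there is nothing for `passive-interface` to suppress; the loose `10.0.0.0 0.255.255.255` statement, which a network statement written the EIGRP way would resemble, drags every 10.x interface in. Changing the /30 to a /24 on the firewall interface does not alter the result, which is the point about the interface mask being irrelevant to the match.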
kst.amand Thu, 05/28/2009 - 02:27

I do have the network statement limited to the single subnet of the interface facing the firewall as you show.


Being mostly experienced with EIGRP, I just wanted to make sure we weren't advertising out other interfaces on the router and limiting OSPF to 1 direction / interface.


It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true?


Thanks

Correct Answer
Joseph W. Doherty Thu, 05/28/2009 - 02:46

"It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true? "


Correct. OSPF would only use the one interface, if you configure the network statement's mask as I've described.


"passive-interface" might be used if you had placed an interface into OSPF but didn't want to peer with other OSPF neighbors. For instance, on a user facing access subnet, you might use it as one of the methods to keep your router from peering with a user host PC running OSPF and further not even send hello packets that could be sniffed.

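The thread raises four different knobs for keeping two OSPF routers from peering: scoping the network statement, `passive-interface` (Joseph's accepted answer), mismatched timers or area IDs (Rick), and authentication (John). They are not equivalent, and John's caveat that a mismatched peer "will constantly try to make an adjacency" is the security-relevant difference: only `passive-interface` stops Hellos leaving the router, while the other mismatches leave both sides multicasting Hellos that the other rejects, which is both extra traffic and something a host on that segment can sniff. The following is an added example, not code from the thread or from Cisco: a small model of the checks a router applies before accepting a Hello, simplified from the Hello-processing rules of RFC 2328 (section 10.5) and the packet-level area/authentication checks (section 8.2), used to compare those options side by side. Router names, addresses and keys are constructed.

```python
"""Added example, not from the thread or from Cisco: which OSPF settings stop
a neighbor relationship forming, and which of them also stop Hellos going on
the wire.  Simplified model of RFC 2328 sections 8.2 and 10.5; all names,
addresses and keys are constructed."""
from dataclasses import dataclass, replace
import ipaddress
from typing import List, Tuple


@dataclass(frozen=True)
class OspfIface:
    router: str
    address: str            # interface address, dotted quad
    mask: str               # interface subnet mask, dotted quad
    area: str = "0"
    hello: int = 10         # HelloInterval  (ip ospf hello-interval)
    dead: int = 40          # RouterDeadInterval (ip ospf dead-interval)
    auth: str = "none"      # "none", "simple" or "md5"
    key: str = ""
    passive: bool = False   # passive-interface: send no Hellos, ignore received ones


def subnet(i: OspfIface) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{i.address}/{i.mask}", strict=False)


def accepts_hello(rx: OspfIface, tx: OspfIface) -> Tuple[bool, str]:
    """Would rx accept a Hello from tx?  Packet-level checks (area, auth) come
    before the Hello-specific ones (mask, timers), as in the RFC."""
    if tx.passive:
        return False, f"{tx.router} is passive and never sends a Hello"
    if rx.passive:
        return False, f"{rx.router} is passive and ignores Hellos"
    if rx.area != tx.area:
        return False, f"area mismatch ({rx.area} vs {tx.area})"
    if (rx.auth, rx.key) != (tx.auth, tx.key):
        return False, "authentication type or key mismatch"
    if subnet(rx) != subnet(tx):
        return False, "network mask mismatch (broadcast network)"
    if rx.hello != tx.hello or rx.dead != tx.dead:
        return False, f"timer mismatch (hello {rx.hello}/{tx.hello}, dead {rx.dead}/{tx.dead})"
    return True, "ok"


def neighbors_form(a: OspfIface, b: OspfIface) -> Tuple[bool, str]:
    """Reaching 2-Way needs each side to accept the other's Hello."""
    for rx, tx in ((a, b), (b, a)):
        ok, why = accepts_hello(rx, tx)
        if not ok:
            return False, f"{rx.router}: {why}"
    return True, "ok"


def hello_senders(*ifaces: OspfIface) -> List[str]:
    """Routers that still multicast a Hello every HelloInterval.  Only
    passive-interface silences them; timer, area and authentication
    mismatches keep the Hellos flowing even though the peer rejects them."""
    return [i.router for i in ifaces if not i.passive]


# Constructed scenario from the thread: inside router and firewall on a /30, area 3.
INSIDE = OspfIface("inside", "10.3.2.1", "255.255.255.252", area="3")
FW = OspfIface("fw", "10.3.2.2", "255.255.255.252", area="3")
# Constructed: a user-facing access subnet with a host PC running OSPF.
ACCESS = OspfIface("inside", "10.1.1.1", "255.255.255.0", area="3", passive=True)
ROGUE_PC = OspfIface("pc", "10.1.1.50", "255.255.255.0", area="3")

if __name__ == "__main__":
    print("baseline:", neighbors_form(INSIDE, FW))
    print("timers:  ", neighbors_form(INSIDE, replace(FW, hello=30, dead=120)))
    print("area:    ", neighbors_form(INSIDE, replace(FW, area="0")))
    print("auth:    ", neighbors_form(replace(INSIDE, auth="md5", key="s3cret"), FW),
          "still sending:", hello_senders(replace(INSIDE, auth="md5", key="s3cret"), FW))
    print("passive: ", neighbors_form(ACCESS, ROGUE_PC),
          "still sending:", hello_senders(ACCESS, ROGUE_PC))
```

The scenarios print the outcome the thread predicts: timers, area and authentication mismatches all block the relationship, but `hello_senders` shows both routers still transmitting in those cases, whereas with `passive-interface` only the rogue PC is talking and the router never answers. In Keith's design the firewall-facing /30 is the only interface in OSPF, so the remaining choice is whether to authenticate that one adjacency, which is worth doing regardless since the firewall subnet is the trust boundary.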