OSPF - limit neighbors questions

kst.amand
Level 1

What options are there to limit which routers OSPF neighbors form with? I am aware of limiting the interfaces that participate in OSPF advertisements (via "passive-interface"), but I was wondering if there were other / more efficient options, especially in a router with many interfaces.

Any suggestions?


7 Replies

Richard Burts
Hall of Fame

Keith

Perhaps if we understood what you are really trying to accomplish we might provide better answers. Why would you want a router to run OSPF on an interface and to not form neighbor relationship with other routers on that interface?

In addition to the passive-interface alternative, you might configure the OSPF timers on an interface so that they do not match the other router, which will prevent forming neighbor relationships. Or you might configure a different OSPF area ID on the interfaces, which will also prevent forming neighbor relationships.

But why would you want to do these things?

HTH

Rick


Keith,

I agree with Rick. You could also use authentication between the neighbors that you want to make adjacencies with, and for the routers that you don't want to make adjacencies with, just don't configure authentication between those. Keep in mind that it will constantly try to make an adjacency, and this means more traffic (and possibly instability) in your network that's unnecessary. If you just want to limit what routes go to what routers, I would recommend using route-maps and distribution lists under the OSPF process.

HTH,

John

HTH, John *** Please rate all useful posts ***

John/Rick,

Here is the scenario we are trying to address;

>> Our internal routing protocol is EIGRP.

>> A firewall is between 2 of our routers (security requirement): external MPLS network - (outside router) - firewall - (inside router) - internal network.

>> OSPF is for dynamic routing capabilities across the firewall ONLY.

My goal is to limit OSPF to the single interface of each router facing the firewall, thus keeping EIGRP intact everywhere else.

I hope this helps explain. If there are other options to consider, we are open to suggestions. (Unfortunately, removing / replacing / moving the firewall isn't one of them)

Thanks,

Keith

If you just want to limit OSPF to a single interface, would just using a network statement in the ospf router configuration section that only matches the one interface address accomplish what you desire?

e.g.

interface Ethernet
 ip address 10.3.2.1 255.255.255.0
!
router ospf 10
 network 10.3.2.1 0.0.0.0 area 3

[edit]

The key to the example above is that OSPF network statements match interface addresses (similar to ACLs). Interfaces are placed into OSPF; a little different from EIGRP. A mask of 0.0.0.0 on the network statement will only match one specific address. It doesn't matter what the mask is on the interface itself, although OSPF's VLSM will advertise the interface's mask along with its address. In your case, you might be using a /30 on your interface, which then might look like:

interface Ethernet
 ip address 10.3.2.1 255.255.255.252
!
router ospf 10
 network 10.3.2.1 0.0.0.0 area 3
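To make the "network statements match interface addresses like an ACL" point concrete, here is an added Python example (not from the thread or from Cisco) that evaluates network statements against a constructed set of interfaces: the interface names, the second /30 and the 192.168.10.0/24 LAN are assumptions, and the tie-breaking rule for overlapping statements (most specific wildcard wins) is my assumption about IOS behaviour. It contrasts the thread's exact 0.0.0.0 wildcard with a looser 0.0.0.255 one, which would also pull a second /30 in the same /24 into OSPF.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: str  # interface IP, dotted quad
    netmask: str  # interface subnet mask; only used for the advertised prefix


@dataclass(frozen=True)
class Network:
    address: str   # address part of the "network" statement
    wildcard: str  # wildcard mask: 0 bits must match, 1 bits are ignored
    area: int


def _bits(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(net, iface):
    """ACL-style match: compare only the bits where the wildcard has a 0."""
    care = ~_bits(net.wildcard) & 0xFFFFFFFF
    return (_bits(iface.address) & care) == (_bits(net.address) & care)


def ospf_enabled(interfaces, networks, passive=frozenset()):
    """Map each OSPF-enabled interface to (area, advertised prefix, sends hellos).
    Overlaps are resolved by the most specific wildcard (fewest 1 bits); that
    this mirrors IOS is an assumption. The advertised prefix comes from the
    interface's own mask, not from the network statement."""
    ranked = sorted(networks, key=lambda n: bin(_bits(n.wildcard)).count("1"))
    result = {}
    for iface in interfaces:
        for net in ranked:
            if matches(net, iface):
                prefix = ipaddress.IPv4Interface(f"{iface.address}/{iface.netmask}").network
                result[iface.name] = (net.area, str(prefix), iface.name not in passive)
                break
    return result


# Constructed sample: the firewall-facing /30 from the thread plus two assumed interfaces.
INTERFACES = [
    Interface("Ethernet0", "10.3.2.1", "255.255.255.252"),             # faces the firewall
    Interface("Ethernet1", "10.3.2.5", "255.255.255.252"),             # another /30, same /24
    Interface("GigabitEthernet0/1", "192.168.10.1", "255.255.255.0"),  # EIGRP-only LAN
]
EXACT = [Network("10.3.2.1", "0.0.0.0", 3)]    # the statement from the thread
LOOSE = [Network("10.3.2.0", "0.0.0.255", 3)]  # wider wildcard, for comparison

if __name__ == "__main__":
    for label, nets in (("exact", EXACT), ("loose", LOOSE)):
        print(label, ospf_enabled(INTERFACES, nets))
```

With the exact statement only Ethernet0 is placed into OSPF (and still sends hellos, since it is not passive); with the loose one Ethernet1 is enabled too, which is the kind of unintended neighbor the thread is trying to avoid.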

I do have the network statement limited to the single subnet of the interface facing the firewall as you show.

Being mostly experienced with EIGRP, I just wanted to make sure we weren't advertising out other interfaces on the router and limiting OSPF to 1 direction / interface.

It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true?

Thanks

"It sounds like with just the network statement as we have it, we are hitting our goal and we don't need the passive-interface - is that true? "

Correct. OSPF would only use the one interface, if you configure the network statement's mask as I've described.

"passive-interface" might be used if you had placed an interface into OSPF but didn't want to peer with other OSPF neighbors. For instance, on a user facing access subnet, you might use it as one of the methods to keep your router from peering with a user host PC running OSPF and further not even send hello packets that could be sniffed.

will
Level 3
Just sharing the love! :) Here is another way to do this, by making OSPF a non-broadcast protocol on the interfaces you want to control. I was having some problems when the neighbors were not both defined on the hub and spoke sides, so I inserted two neighbor IPs, one for the OSPF router-ID (loopback) and one for the local broadcast subnet IP. It seemed to be randomly failing without both neighbors defined. I should note that in my case there ended up being just a DROTHER and not a DR/BDR:
 
=== rtra - single point side (neighbor with rtr1, want to be "DR"):
int vlan100
 ip ospf network non-broadcast
 ip ospf priority 10  ! might not need this line
!
router ospf 100
 neighbor <rtr1 gi0/0/1>
 neighbor <rtr1 loop>
=== rtrb - single point side (neighbor with rtr1, want to be "DR"):
int vlan100
 ip ospf network non-broadcast
 ip ospf priority 5   ! might not need this line
!
router ospf 100
 neighbor <rtr1 gi0/0/1>
 neighbor <rtr1 loop>
=== rtr1 - multipoint side (want to pair with both rtra/rtrb):
interface GigabitEthernet0/0/1
 ip ospf network point-to-multipoint non-broadcast
 ip ospf priority 0    ! might not need this line
!
router ospf 100
 neighbor <rtra vlan100>
 neighbor <rtrb vlan100>
 neighbor <rtra loop>
 neighbor <rtrb loop>