Which interfaces do I need to keep active for OSPF (no passive-interface)

Answered Question
Jul 17th, 2010

Hi!


We have two DMVPN networks (2 hubs with some amount of spokes), the hubs are also connected with each other by encrypted tunnel (GRE + IPSec).

Topology is 2 stars with connected centers. Centers are company's regional centers, and spokes are small branches in one of 2 regions. So in whole it is company's Intranet.


All spoke routers connect to their hub via 2 lines, OSPF is used. On all routers we have 2 external interfaces, 2 Tunnel interfaces, 1 LAN and 1 Loopback0 interface (the latter is set as router id for OSPF on the spokes). The hubs also have the second Loopback1, which is used as their router id for OSPF. (I don't think the second Loopback is really needed, initially it was used when our provider set up BGP between 2 hubs, which then was replaced by OSPF. But it is not so important...)


The target was: to provide reachability of all branches networks between each other, plus regional centers provide Internet connection for spokes of its region (only! => "Default root should not be redistributed between hubs", something like that).



Recently I mentioned we have quite different settings on the spokes regarding passive interfaces. I see everywhere we have both Tunnel interfaces as non-passive, but on some spokes we have also VLAN1 (LAN interface) made non-passive, on some - Loopback0. And on the hubs only tunnel interfaces are not passive (everywhere "passive-interface default" is used).


I want to understand which interfaces I really need to be non-passive. I read about OSPF adjacency, but I don't understand do I need to involve LAN and Loopback interfaces into adjacencies to achieve the above mentioned target?



P.S. Here are the fragments of the routers' OSPF configs (to have the full picture):


Hub of region 1:

router ospf 1
 log-adjacency-changes
 redistribute static subnets route-map static_to_osfp_1
 redistribute ospf 2 subnets match internal external 1 external 2
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.96.0 0.0.0.255 area 0
 network 192.168.97.0 0.0.0.255 area 0
 network 192.168.98.100 0.0.0.0 area 0
 default-information originate
!
router ospf 2
 router-id 172.16.1.1
 log-adjacency-changes
 redistribute ospf 1 subnets match internal external 1 external 2 route-map redistr_ospf1_2_ospf2
 passive-interface default
 no passive-interface Tunnel3
 no passive-interface Tunnel4
 network 192.168.91.0 0.0.0.255 area 0
 network 192.168.93.0 0.0.0.255 area 0


192.168.0.0 is the regional center network address,

192.168.98.100 is the hub Loopback0 ip,

192.168.96.0 and 192.168.97.0 are the network addresses, from which the hub and regions spokes Tunnel interfaces ip addresses are.


192.168.91.0 and 192.168.93.0 are the network addresses, from which the hubs Tunnel interfaces ip addresses are (for tunnels between hubs!).



Spoke of region 1:

router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface Loopback0
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 192.168.11.0 0.0.0.255 area 0
 network 192.168.96.0 0.0.0.255 area 0
 network 192.168.97.0 0.0.0.255 area 0
 network 192.168.98.11 0.0.0.0 area 0


192.168.11.0 is the respective branch network address,

192.168.98.11 is the spoke Loopback0 ip,

192.168.96.0 and 192.168.97.0 are the network addresses, from which the hub and regions spokes Tunnel interfaces ip addresses are.




Hub of region 2:

router ospf 1
 router-id 192.168.98.30
 log-adjacency-changes
 redistribute ospf 2 subnets match internal external 1 external 2
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.94.0 0.0.0.255 area 0
 network 192.168.95.0 0.0.0.255 area 0
 network 192.168.98.30 0.0.0.0 area 0
 default-information originate
!
router ospf 2
 router-id 172.16.2.1
 log-adjacency-changes
 redistribute ospf 1 subnets match internal external 1 external 2 route-map redistr_ospf1_2_ospf2
 passive-interface default
 no passive-interface Tunnel3
 no passive-interface Tunnel4
 network 192.168.91.0 0.0.0.255 area 0
 network 192.168.93.0 0.0.0.255 area 0


I think there is no need to explain about addresses, the principle is the same.



Spoke of region 2:

router ospf 1
 router-id 192.168.98.31
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no passive-interface Vlan1
 network 192.168.31.0 0.0.0.255 area 0
 network 192.168.94.0 0.0.0.255 area 0
 network 192.168.95.0 0.0.0.255 area 0
 network 192.168.98.31 0.0.0.0 area 0


Thanks in advance.

Correct Answer
jason.henderson Sat, 07/17/2010 - 07:59

Hi,


I think you should make the loopbacks and vlan 1 passive - you only need to establish adjacencies over the tunnels, not with routers connected to vlan 1 or a loopback (there aren't any).  As long as the ospf config contains the vlan 1 and loopback network statements, they will be advertised to the hubs.


http://www.cisco.com/en/US/docs/ios/12_0t/12_0t2/feature/guide/defint.html should clarify the feature.



Hope this helps,

Jason.

Correct Answer
Richard Burts Sat, 07/17/2010 - 11:23

Alen


I quite agree with Jason. I do not see that there is ever a reason to have a loopback interface not be passive. And the only reason to make the LAN interface not passive is if there is another router to which it connects over the LAN. From your description this is not true.


So - you need network statements for loopback, LAN, and tunnels. But only the tunnels need to be not passive.


HTH


Rick
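
Added example, not part of the thread: a small Python check that applies the rule from both answers (under "passive-interface default", only the tunnels should be non-passive) to router ospf stanzas like the ones in the question. The sample configs are constructed, abridged from the posted fragments; the function names and the "Tunnel" allow-list are assumptions of this example.

```python
import re
ALLOWED_PREFIXES = ("Tunnel",)  # assumption: OSPF neighbors exist only over the tunnels
# Constructed samples, abridged from the fragments posted in the question.
SPOKE_R1 = """router ospf 1
 passive-interface default
 no passive-interface Loopback0
 no passive-interface Tunnel1
 no passive-interface Tunnel2"""
SPOKE_R2 = """router ospf 1
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no passive-interface Vlan1"""
HUB_R1 = """router ospf 1
 passive-interface default
 no passive-interface Tunnel1
!
router ospf 2
 passive-interface default
 no passive-interface Tunnel3"""

def parse_ospf(config):
    """Map OSPF process id -> {'default': bool, 'active': set of interface names}."""
    procs, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.fullmatch(r"router ospf (\d+)", line)
        if m:
            cur = procs.setdefault(m.group(1), {"default": False, "active": set()})
        elif line == "!" or re.match(r"(router|interface) ", line):
            cur = None  # left the OSPF stanza
        elif cur is not None:
            m = re.fullmatch(r"(no )?passive-interface (\S+)", line)
            if m and m.group(2) == "default":
                cur["default"] = not m.group(1)
            elif m and m.group(1):
                cur["active"].add(m.group(2))      # explicitly non-passive
            elif m:
                cur["active"].discard(m.group(2))  # explicitly passive
    return procs

def audit(config):
    """Return sorted (process_id, finding) tuples; an empty list means compliant."""
    out = []
    for pid, st in parse_ospf(config).items():
        if not st["default"]:
            out.append((pid, "no 'passive-interface default'"))
        out += [(pid, f"{n} is non-passive") for n in st["active"]
                if not n.startswith(ALLOWED_PREFIXES)]
    return sorted(out)
```

Run audit() over each router's saved config; the two spoke samples are flagged for Loopback0 and Vlan1, the hub sample is clean.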
