
Which interfaces do I need to keep active for OSPF (no passive-interface)

Alen Danielyan

Hi!

We have two DMVPN networks (2 hubs with some amount of spokes), the hubs are also connected with each other by encrypted tunnel (GRE + IPSec).

Topology is 2 stars with connected centers. Centers are company's regional centers, and spokes are small branches in one of 2 regions. So in whole it is company's Intranet.

All spoke routers connect to their hub via 2 lines, OSPF is used. On all routers we have 2 external interfaces, 2 Tunnel interfaces, 1 LAN and 1 Loopback0 interface (the latter is set as router id for OSPF on the spokes). The hubs also have the second Loopback1, which is used as their router id for OSPF. (I don't think the second Loopback is really needed, initially it was used when our provider set up BGP between 2 hubs, which then was replaced by OSPF. But it is not so important...)

The target was: to provide reachability of all branches networks between each other, plus regional centers provide Internet connection for spokes of its region (only! => "Default root should not be redistributed between hubs", something like that).

Recently I mentioned we have quite different settings on the spokes regarding passive interfaces. I see everywhere we have both Tunnel interfaces as non-passive, but on some spokes we have also VLAN1 (LAN interface) made non-passive, on some - Loopback0. And on the hubs only tunnel interfaces are not passive (everywhere "passive-interface default" is used).

I want to understand which interfaces I really need to be non-passive. I read about OSPF adjacency, but I don't understand do I need to involve LAN and Loopback interfaces into adjacencies to achieve the above mentioned target?

P.S. Here are the fragments of the routers' OSPF configs (to have the full picture):

Hub of region 1:

router ospf 1
 log-adjacency-changes
 redistribute static subnets route-map static_to_osfp_1
 redistribute ospf 2 subnets match internal external 1 external 2
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.96.0 0.0.0.255 area 0
 network 192.168.97.0 0.0.0.255 area 0
 network 192.168.98.100 0.0.0.0 area 0
 default-information originate
!
router ospf 2
 router-id 172.16.1.1
 log-adjacency-changes
 redistribute ospf 1 subnets match internal external 1 external 2 route-map redistr_ospf1_2_ospf2
 passive-interface default
 no passive-interface Tunnel3
 no passive-interface Tunnel4
 network 192.168.91.0 0.0.0.255 area 0
 network 192.168.93.0 0.0.0.255 area 0

192.168.0.0 is the regional center network address,

192.168.98.100 is the hub Loopback0 ip,

192.168.96.0 and 192.168.97.0 are the network addresses, from which the hub and regions spokes Tunnel interfaces ip addresses are.

192.168.91.0 and 192.168.93.0 are the network addresses, from which the hubs Tunnel interfaces ip addresses are (for tunnels between hubs!).


Spoke of region 1:

router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface Loopback0
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 192.168.11.0 0.0.0.255 area 0
 network 192.168.96.0 0.0.0.255 area 0
 network 192.168.97.0 0.0.0.255 area 0
 network 192.168.98.11 0.0.0.0 area 0

192.168.11.0 is the respective branch network address,

192.168.98.11 is the spoke Loopback0 ip,

192.168.96.0 and 192.168.97.0 are the network addresses, from which the hub and regions spokes Tunnel interfaces ip addresses are.

Hub of region 2:

router ospf 1
 router-id 192.168.98.30
 log-adjacency-changes
 redistribute ospf 2 subnets match internal external 1 external 2
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.94.0 0.0.0.255 area 0
 network 192.168.95.0 0.0.0.255 area 0
 network 192.168.98.30 0.0.0.0 area 0
 default-information originate
!
router ospf 2
 router-id 172.16.2.1
 log-adjacency-changes
 redistribute ospf 1 subnets match internal external 1 external 2 route-map redistr_ospf1_2_ospf2
 passive-interface default
 no passive-interface Tunnel3
 no passive-interface Tunnel4
 network 192.168.91.0 0.0.0.255 area 0
 network 192.168.93.0 0.0.0.255 area 0

I think there is no need to explain about addresses, the principle is the same.

Spoke of region 2:

router ospf 1
 router-id 192.168.98.31
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no passive-interface Vlan1
 network 192.168.31.0 0.0.0.255 area 0
 network 192.168.94.0 0.0.0.255 area 0
 network 192.168.95.0 0.0.0.255 area 0
 network 192.168.98.31 0.0.0.0 area 0

Thanks in advance.

Accepted Solutions

jason.henderson

Hi,

I think you should make the loopbacks and vlan 1 passive - you only need to establish adjacencies over the tunnels, not with routers connected to vlan 1 or a loopback (there aren't any). As long as the ospf config contains the vlan 1 and loopback network statements, they will be advertised to the hubs.

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t2/feature/guide/defint.html should clarify the feature.

Hope this helps,

Jason.

Alen

I quite agree with Jason. I do not see that there is ever a reason to have a loopback interface not be passive. And the only reason to make the LAN interface not passive is if there is another router to which it connects over the LAN. From your description this is not true.

So - you need network statements for loopback, LAN, and tunnels. But only the tunnels need to be not passive.

HTH

Rick

Thank you very much for your help!
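
The rule both answers arrive at (network statements for loopback, LAN and tunnels, with only the tunnels non-passive) can be checked across many router configs with a short script; a non-passive LAN interface sends OSPF hellos onto the branch LAN even though no router is there to answer. This is an added example, not part of the original thread: the function names and the `Tunnel` prefix policy are assumptions, and the sample strings are the thread's fragments trimmed to the relevant lines.

```python
import re

# Fragments from the thread's configs, trimmed to the lines that matter here.
SPOKE_REGION_2 = """router ospf 1
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no passive-interface Vlan1
"""
HUB_REGION_1 = """router ospf 1
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
!
router ospf 2
 passive-interface default
 no passive-interface Tunnel3
 no passive-interface Tunnel4
"""

def parse_ospf_passive(config):
    """Map OSPF process id -> {'default': bool, 'active': set, 'passive': set}."""
    procs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"router ospf (\d+)(?: vrf \S+)?", line)
        if start:
            cur = procs.setdefault(start.group(1), {"default": False, "active": set(), "passive": set()})
        elif line == "!" or line.startswith(("router ", "interface ")):
            cur = None  # left the OSPF stanza
        elif cur is not None:
            m = re.fullmatch(r"(no )?passive-interface (\S+)", line)
            if m and m.group(2) == "default":
                cur["default"] = m.group(1) is None
            elif m:
                cur["active" if m.group(1) else "passive"].add(m.group(2))
    return procs

def audit(config, allowed_prefixes=("Tunnel",)):
    """Return (process, interface, reason) where adjacencies are possible off the tunnels."""
    findings = []
    for pid, p in sorted(parse_ospf_passive(config).items()):
        if not p["default"]:  # without it, matched interfaces are active unless listed passive
            findings.append((pid, "*", "passive-interface default is missing"))
        findings += [(pid, name, "non-passive but not a tunnel")
                     for name in sorted(p["active"]) if not name.startswith(allowed_prefixes)]
    return findings

if __name__ == "__main__":
    print(audit(SPOKE_REGION_2), audit(HUB_REGION_1))
```
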
