When the “passive-interface” command is missing from OSPF

A few days ago a member of the cisco-nsp mailing list asked an interesting question: “the passive-interface command is not available in a VRF OSPF process. What can I do?”

It turned out he stumbled across CSCeb86068, which is already fixed in a later software release for his platform.

The passive-interface command tells the routing process to ignore packets received from the specified interface. In case of OSPF, the relevant packets are the hello packets, as an OSPF router will not exchange routing updates without an established adjacency. You can get the same results by deploying an inbound access list on the interface (which is the functionally equivalent workaround for this bug), although this method generates more configuration overhead than the OSPF-specific solution.

On the other hand, it’s a good practice to have inbound access lists dropping unnecessary protocols on the stub (client-only) interfaces, so it might be very simple to add OSPF to the list of undesired protocols.

You could also use another workaround: declare only the transit interfaces in the OSPF process (or use per-interface ip ospf area configuration command) and redistribute stub interface prefixes into OSPF, but this solution unnecessarily pollutes the OSPF database with type-4 and type-5 LSAs.

1 comment:

  1. not sure if it works here, but I usually find it best practice to have:

    router ospf x
    passive-interface default

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.