OSPF messages are forwarded to all OSPF-enabled interfaces by default. However, some interfaces not needed these messages. When you configure the OSPF protocol on an interface using the network command, two things will occur:
- All interfaces configured with a network command; will be advertised in OSPF.
- OSPF hello packets sent on these interfaces periodically.
Router1, Router2, Router3 and Router4 has been configured with OSPF protocols. If we Rouer1, connected to network 192.168.10.0 /24 which has no OSPF neighbour. Router1 also wants to advertise this network to other routers.
Once the router is configured with a network command to advertise 192.168.10.0 /24 in OSPF, Router1 will also send OSPF hello packets towards 192.168.10.0/24, where no OSPF enable router is available. So, this is not a good idea because of:
- Inefficient Use of Bandwidth – The unwanted OSPF multicast messages consumed network bandwidth.
- Inefficient Use of Resources – The devices on the network also process the message and eventually discard the message.
- Increased Security Risk – Advertising updates on a broadcast network is also a security risk. If someone on the computer starts an application that replies with OSPF hello packets then Router1 will try to become neighbours. An attacker could advertise fake routes using this technique that misdirect traffic.
Configuring OSPF Passive Interfaces
We can prevent this by configuring “passive-interface”. We can configure OSPF passive interfaces using passive-interface command in router configuration mode.
This command tells OSPF not to send hello packets on desired interfaces. But still, allow that network to be advertised to other routers. Figure 2, below illustrates the configuration of the passive interfaces.
OSPF Passive interfaces accept routing updates but do not send them. as shown in Figure 3. Specifically, the passive-interface command stops routing messages from sending out the particular interface.
But, the network that the particular interface belongs to is still advertised in routing messages that sent out other interfaces. The OSPF passive interfaces cannot form a neighbour adjacency. Because link-state packets cannot be sent or acknowledged over the OSPF passive interfaces.
The show ip protocols command verify the passive-interface configuration, as shown in Figure 3. The fast Ethernet 1/0 interface now listed under the Passive Interface(s) section but network 192.168.10.0 still listed under Routing for Networks; which means that this network is still incorporated as a route entry in OSPF updates.
We can also configure all interfaces passive using the “passive-interface default” command. We can cancel the passive Interfaces using the no passive-interface command. The passive-interface command also same both for IPv4 and IPv6.
