Disabling OSPF on Certain Interfaces

Problem

You want to prevent some of a router's interfaces from taking part in OSPF.

Solution

The passive-interface configuration command effectively disables OSPF on an interface by preventing it from forming OSPF adjacencies:

Router3#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#router ospf 44
Router3(config-router)#network 0.0.0.0 255.255.255.255 area 100
Router3(config-router)#passive-interface Ethernet0
Router3(config-router)#exit
Router3(config)#end
Router3#

A useful variant of this command allows you to make all interfaces passive by default until you explicitly enable them:

Router3#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#router ospf 44
Router3(config-router)#network 0.0.0.0 255.255.255.255 area 100
Router3(config-router)#passive-interface default
Router3(config-router)#no passive-interface Ethernet0
Router3(config-router)#exit
Router3(config)#end
Router3#

Discussion

OSPF will not start to exchange any routing information until two routers on a segment have formed an adjacency and agreed on the various area parameters, including any authentication requirements. So simply preventing one router from taking part in this handshake is sufficient to prevent the exchange of OSPF information on the interface.

Also, while you can use a passive-interface command as shown in the example, you can also prevent an interface from taking part in OSPF by just using more restrictive network commands. In the example, the network statement includes every possible route prefix, and consequently every IP-enabled interface. But you could just as easily use a network statement that restricts OSPF to a list of specific interfaces, as follows:

Router3#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#router ospf 44
Router3(config-router)#network 172.20.1.2 0.0.0.0 area 100
Router3(config-router)#network 172.20.10.1 0.0.0.0 area 100
Router3(config-router)#exit
Router3(config)#end
Router3#

Any interfaces that aren't explicitly included by a network statement will not take part in OSPF. On the other hand, sometimes a router can have a large number of interfaces, and you want all but one or two of them to take part in OSPF. In this case, it is more convenient to use passive-interface commands.

To see the effect of this command, we'll look at a network both with and without the passive interface configured. Here is the neighbor list before configuring any passive interfaces:

Router3#show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address       Interface
172.20.220.1      1   FULL/BDR   00:00:39    172.20.10.2   Ethernet0
172.25.25.1       1   FULL/ -    00:00:37    172.20.1.1    Serial0.1
Router3#

Then, after making the Ethernet0 interface passive, the router drops all of the neighbor relationships on this interface. We are left with only one neighbor:

Router3#show ip ospf neighbor 

Neighbor ID     Pri   State      Dead Time   Address       Interface
172.25.25.1       1   FULL/ -    00:00:38    172.20.1.1    Serial0.1
Router3#

Of course, this also affects any routes that point to neighboring routers through this interface. This is the routing table before configuring Ethernet0 as passive:

Router3#show ip route ospf
172.20.0.0/16 is variably subnetted, 5 subnets, 3 masks
O 172.20.220.1/32 [110/11] via 172.20.10.2, 00:00:02, Ethernet0
O 172.20.200.1/32 [110/11] via 172.20.10.2, 00:00:02, Ethernet0
O*IA 0.0.0.0/0 [110/3572] via 172.20.1.1, 00:00:02, Serial0.1
Router3#

With the passive interface configured, all of the corresponding routes are also gone:

Router3#show ip route ospf
O*IA 0.0.0.0/0 [110/3572] via 172.20.1.1, 00:01:53, Serial0.1
Router3#

In this case, the routes disappear completely because there is no other path through this network to reach these destination prefixes. If other paths did exist, then the routing table would still show the routes, but it would indicate that they are reachable through different interfaces.

The passive-interface default command has exactly the same effect as the passive-interface command, except that it forces you to explicitly enable any interfaces that you do want to send and receive OSPF packets by means of a no passive-interface command:

Router3(config)#router ospf 44
Router3(config-router)#network 0.0.0.0 255.255.255.255 area 100
Router3(config-router)#passive-interface default
Router3(config-router)#no passive-interface Ethernet0
Router3(config-router)#exit
Router3(config)#end
Router3#

The great advantage to this configuration is that, with a single network command, as we have shown here, you can force OSPF to exchange routing information about all of its interfaces, but only to send OSPF packets through a few interfaces. In many cases, this can greatly simplify your router configuration.
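
The following is an added example, not part of the original recipe: a small Python audit that reads a saved IOS configuration and reports, per interface, whether the network statements and passive-interface commands discussed above leave it active, passive, or excluded from OSPF. The sample configuration is constructed (the masks and Loopback0 are assumptions), and the script assumes a single OSPF process, full interface names, and primary addresses only.

```python
from ipaddress import IPv4Address

# Constructed sample config; masks and Loopback0 are assumptions, not from the recipe.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.255.0.3 255.255.255.255
interface Ethernet0
 ip address 172.20.10.1 255.255.255.0
interface Serial0.1
 ip address 172.20.1.2 255.255.255.252
router ospf 44
 network 0.0.0.0 255.255.255.255 area 100
 passive-interface default
 no passive-interface Ethernet0
"""

def ospf_interface_states(config):
    """Map each addressed interface to 'active', 'passive' or 'excluded'."""
    addrs, networks, section = {}, [], []
    passive, not_passive, default_passive = set(), set(), False
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line[0].isspace():          # unindented line opens a new section
            section = words
        elif section[:1] == ["interface"] and words[:2] == ["ip", "address"] and len(words) == 4:
            addrs[section[1]] = int(IPv4Address(words[2]))   # primary address only
        elif section[:2] == ["router", "ospf"]:
            if words[0] == "network" and len(words) >= 3:
                networks.append((int(IPv4Address(words[1])), int(IPv4Address(words[2]))))
            elif words[:2] == ["passive-interface", "default"]:
                default_passive = True
            elif words[0] == "passive-interface":
                passive.add(words[1])
            elif words[:2] == ["no", "passive-interface"]:
                not_passive.add(words[2])
    states = {}
    for name, addr in addrs.items():
        # Wildcard bits set to 1 are "don't care"; every other bit must match.
        if not any(((addr ^ net) & ~wild & 0xFFFFFFFF) == 0 for net, wild in networks):
            states[name] = "excluded"      # no network statement covers it
        elif name in passive or (default_passive and name not in not_passive):
            states[name] = "passive"       # advertised, but forms no adjacencies
        else:
            states[name] = "active"        # can form adjacencies
    return states

if __name__ == "__main__":
    print(ospf_interface_states(SAMPLE_CONFIG))
```

Comparing the "active" set against the interfaces where you expect OSPF neighbors is a quick way to catch an interface that was left able to form adjacencies unintentionally.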