VRF & OSPF passive interfaces
Hello,
if configuring OSPF for a VRF you cannot configure passive interfaces! The command does not even exist!
This seems to be related to CSCeb86068.
Does anyone have experiences with that issue??
Any intelligent solution??
Thanks
Juerg
1. For no neighbor in your VPN, you can try BGP as PE-CE routing protocol.
router bgp 65000
 address-family ipv4 vrf school
  network x.x.x.x mask x.x.x.x
  no auto-summary
  no synchronization
 exit-address-family
R1#v all 172.16.1.0
BGP routing table entry for 172:16:172.16.1.0/24, version 373
Paths: (1 available, best #1, table school)
Flag: 0x820
Advertised to update-groups:
1 2
Local
0.0.0.0 from 0.0.0.0 (172.16.0.1)
Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
Extended Community: RT:172:16
2. If you still need to use OSPF and passive interface in your OSPF VRF, upgrade to 12.4.2 or above. :)
Similar Messages
-
Pix/Asa OSPF passive interface
Hi.
I am going to have an OSPF process for two internal interfaces. But I also have one external interface where I do not want any OSPF traffic going out. I have not so far found any OSPF PASSIVE INTERFACE type of commands on PIX/ASA. Is there anyone out there who knows if there is one command like that or how one can stop OSPF packets from going out? I presume that an outgoing access-list will not stop this traffic.
Regards Bjorn
Hi,
Don't define the external interface as participating in the OSPF process.
That is, you have to define the two interfaces participating in the OSPF process:
view: "Enabling OSPF". Here is the link: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ip.html#wp1041629.
I hope this helps.
Best regards.
Massimiliano. -
Hello,
We are migrating an ISP network from using EIGRP to OSPF. Some of their networks are running on a VRF, so to make a smooth migration we need to run both protocols on the same VRF, is this possible?
If so, are all the standard OSPF features available in the VRF? We are planning to use authentication (MD5) and NSSA (stub areas).
Thanks!
Alex
OSPF with VRFs has some limitations, like a lack of passive interfaces, which sometimes seems to ruin a routing plan that you already have;
cheers
michal -
IOS-XR: EIGRP passive-interface default?
It appears there's no ability to make all interfaces passive by default in XR as there is in IOS.
Is there a reason for this or is it just that it has not been included yet?
Workaround is to configure all unnecessary interfaces as passive but I prefer to have all passive and then only enabled where needed.
TIA,
Hi Gary,
I filed request CSCug38048 for this. It may take a day or so for it to show up in the bug toolkit, but then you have something for tracking. I don't have a definitive release for this either, but I am trying to see if we can do this short(er) term.
As for the other question on the use of passive sparingly. I don't necessarily agree with that statement. Passive is very useful to include prefixes in the advertisement, but to prevent forming adj. Loopbacks are to be made passive, because it is a waste of CPU cycles trying to generate a hello on that stub interface and then drop it in software. Passive is the proper solution. Same thing with access facing interfaces that don't need adj to the CE's, but have to be included in the routing.
The alternative of using redistribute connected is indeed an option, but the disadvantage for that is that it creates EXTERNAL routes, in both OSPF and EIGRP, with different metric calculations.
The magnitude of "many" in this regard is dependent on the number of times you don't mind configuring "passive-interface" under the eigrp enabled interface configuration. For me personally that would be about 20
What I mean to say is, it is not dependent on a scaling limitation or anything other than operator/user.
cheers!
xander -
Passive-interface default on eigrp
When using the passive-interface default on a router, to advertise networks you have to use the no passive-interface Vlan20, for example, what happens to the following network statements, are they ignored? For example, I have the following config:
router eigrp 1
 passive-interface default
 no passive-interface vlan 1
 no passive-interface vlan 2
 no passive-interface vlan 3
 no passive-interface vlan 4
 network 10.0.0.0
 network 172.0.0.0
 no auto-summary
Will I still advertise the networks defined over the vlan interfaces?
Just curious.
Hi Mason,
There is some historical reasoning here. Until IOS release 12.0(4)T, you could not specify a wildcard mask when configuring the 'network' statement for EIGRP. In fact, the 'network' statement would only accept classful (i.e. major) networks at that time. So the ability to add a wildcard mask has been a relatively recent invention.
However, there is absolutely no problem with using a '0.0.0.0' wildcard in order to limit the network statement to a single IP address. From a convenience perspective, though, people tend to use a wildcard mask that reflects the actual subnet mask used on the interface. Either way is perfectly acceptable.
Now, if you are using a protocol such as OSPF, the wildcard mask becomes a bit more significant. The following link describes why that is so:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009405a.shtml
Hope that helps - pls do rate the post if it does.
Paresh -
Passive-interface default resets configuration
Hello all,
I would like to run a scenario by you guys and get your input regarding the "passive-interface default" OSPF command. Let's assume I am working on an existing configured OSPF router with the following configuration:
router ospf 1
 router-id 10.10.10.1
 passive-interface default
 no passive-interface GigabitEthernet6/1
 no passive-interface GigabitEthernet6/2
 network 10.10.10.0
If I go and paste the duplicate configuration in as follows what would the expected result be?
router ospf 1
 router-id 10.10.10.1
 passive-interface default
My thoughts were that there would be no impact to OSPF, routing, or the likes. Unfortunately this is not the case. I have found on my device that when you repaste the "passive-interface default" command in to the config that it actually resets all existing "no passive-interface" commands and enables passive-interface on all interfaces globally.
Router#sh run | sec router ospf
router ospf 1
 router-id 10.10.10.1
 passive-interface default
 no passive-interface GigabitEthernet6/1
 no passive-interface GigabitEthernet6/2
 network 10.10.10.0
Router#config t
Router(config)#router ospf 1
Router(config-router)# passive-interface default
Router(config-router)#end
Router#sh run | sec router ospf
router ospf 1
 router-id 10.10.10.1
 passive-interface default
 network 10.10.10.0
This is especially bad if you are performing maintenance on the router out of network where your connectivity requires a default route to be learned via OSPF. Has anyone else encountered this or do they feel this behavior to be a bit odd?
Documentation says:
"The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces."
I'm not sure why it doesn't honor the existing no passive-interface commands but maybe it was something in the code that was necessary to put them all passive first.
At least it's good that you tested the behavior so you know what to expect. If you already have passive-interface why would you want to enter it again? If you want to make interfaces passive that were non passive before you could do no no-passive interface x/x.
Daniel Dib
CCIE #37149 -
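Added example, not part of the thread and not Cisco code: a Python check that compares two saved "sh run | sec router" snapshots and lists every interface whose passive state flipped, which catches the lost "no passive-interface" lines described above before they cost an adjacency. The two snapshots are the poster's own output; the function names are hypothetical.

```python
import re

# Snapshots copied from the "sh run | sec router ospf" output quoted in the thread.
BEFORE = """router ospf 1
 router-id 10.10.10.1
 passive-interface default
 no passive-interface GigabitEthernet6/1
 no passive-interface GigabitEthernet6/2
 network 10.10.10.0
"""
AFTER = """router ospf 1
 router-id 10.10.10.1
 passive-interface default
 network 10.10.10.0
"""

ROUTER_RE = re.compile(r"^router (ospf|eigrp|rip)\b(.*)$")
PASSIVE_RE = re.compile(r"^\s+(no )?passive-interface (.+)$")


def parse_passive(config):
    """Map each routing process to its passive-interface settings."""
    procs, cur = {}, None
    for line in config.splitlines():
        line = line.rstrip()
        head = ROUTER_RE.match(line)
        if head:
            # Key keeps the process id and any "vrf NAME" suffix, e.g. "ospf 1000 vrf C1".
            key = (head.group(1) + head.group(2)).strip()
            cur = procs.setdefault(key, {"default": False, "passive": set(), "active": set()})
        elif not line.startswith(" "):
            cur = None  # an unindented line ends the router section
        elif cur is not None:
            m = PASSIVE_RE.match(line)
            if not m:
                continue
            negated = bool(m.group(1))
            name = m.group(2).replace(" ", "").lower()  # "vlan 1" and "Vlan1" compare equal
            if name == "default":
                cur["default"] = not negated
            else:
                cur["active" if negated else "passive"].add(name)
    return procs


def is_passive(proc, name):
    """Passive state of one interface under one routing process."""
    if name in proc["active"]:  # explicit "no passive-interface X"
        return False
    return proc["default"] or name in proc["passive"]


def passive_changes(before, after):
    """Return (process, interface, change) for every interface whose state flipped."""
    old, new = parse_passive(before), parse_passive(after)
    changes = []
    for key in sorted(old.keys() & new.keys()):
        names = set()
        for proc in (old[key], new[key]):
            names |= proc["passive"] | proc["active"]
        for name in sorted(names):
            was, now = is_passive(old[key], name), is_passive(new[key], name)
            if was != now:
                changes.append((key, name, "became passive" if now else "became active"))
    return changes


if __name__ == "__main__":
    for proc, name, change in passive_changes(BEFORE, AFTER):
        print(f"{proc}: {name} {change}")
```

A "became active" result deserves the same attention as "became passive": it means an interface that was silent can now form an adjacency.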
Passive interface on a SVI, does that work or not?
Hello all,
At my office, I am trying to clean some of the routing table and fix some routing issues. We run eigrp for internal network. In one of the routers, eigrp neighbor relationship is through SVIs only. I'm actively trying to use "passive interface default" for all the L3 devices, and doing "no passive... " for the interfaces that are currently forming neighbor relationship. So, does that work the same for SVIs? Do I just do "no passive interface default int vlan XX" for all the SVI that are forming the neighbor relationship? will that work the same as for a physical interface? or do I need to track the physical ports that are actively using that vlan? I have looked around and haven't found a definitive answer. I would really appreciate some help.
Thank you in advance.
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I know it works for OSPF, I would assume it would for EIGRP too, but cannot say for sure. -
Hi
I need to know in detail what this command means: "passive interface vlan 50"? Description; useful link. It is very much appreciated.
10xs
ali
Hi Ali,
The "passive-interface" router configuration command is applied to stop sending routing updates on an interface.
It behaves differently for different routing protocols. For EIGRP, the passive-interface command disables the transmission and receipt of EIGRP hello packets on an interface, so the neighborship will not form on an interface which is configured as passive.
In OSPF, hello packets are not sent on an interface that is specified as passive. Hence, the router will not be able to discover any neighbors, and none of the OSPF neighbors will be able to see the router on that network.
But for RIP and IGRP it does not send the routing updates out on that interface which is configured as passive but still that interface will be advertised out from other interfaces.
Have a look at this link for more details
http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a008008784e.html#wp11573
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfindep.htm#wp1019396
Now depending upon the routing protocol you have configured interface vlan 50 will not advertise the routes out from the interface vlan 50 and if you have configured eigrp or ospf it will not form any neighborship with peer on interface vlan 50.
HTH, if yes please rate the post.
Ankur -
Passive interface command on RIP
Hi all,
This command below
passive-interface command give additional information to RIP, that it can't send updates via this particular interface ---
As per my understanding is this if we have 2 routers that are directly connected with each other and we enable this command on the interface of one of
routers then that router will not send any RIP updates to other router right?
secondly if these 2 routers are point to point connection we can ping directly connected interfaces IP of routers because they are directly connected even though there is no routing protocol running between these two right?
3rd thing when i run sh ip protocols on one of router it shows
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 1 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
192.168.4.0
Routing Information Sources:
Gateway Distance Last Update
192.168.4.2 120 00:23:38 ****************************************************
here last update time keeps on incrementing but sh ip route does not show now that rip is running.
so this line means
Invalid after 180 seconds, hold down 180, flushed after 240
that after 240 secs router will flush the rip routes from the routing table right?
but sh ip protocol will always show rip as routing protocol as we have config the rip and last update time will keep on incrementing right?
thanks
mahesh
Hi Mahesh,
From the config guide:
To control the set of interfaces with which you want to exchange routing updates, you can disable the sending of routing updates on specified interfaces by configuring the
passive-interface
here is the link:
http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1crip.html
Correct, you do not need a routing protocol. The interfaces are directly connected. Now, if for example you add a loopback address to each router, you need a routing protocol or static route to reach the opposite router's loopback address.
The reason the interfaces/IPs do not show up in the RIP routing table is because they are directly connected and directly connected routes have a lower admin distance (1) which is preferred over rip which is 120.
yes
HTH -
"mpls traffic eng passive-interface" mapping on XR
Dears,
On IOS, for TE Inter-AS, the command "mpls traffic-eng passive-interface" is used on an Inter-AS link which isn't running IGP, so I am looking for the equivalent command on XR but I can't find it, so please advise what the equivalent command on XR is.
Thanks
Hello Amr,
There is no equivalent command on IOS-XR. Are you trying to set up Inter-AS MPLS TE on XR? In IOS-XR, inter-AS tunnels are supported only by using verbatim path-options. Verbatim path-options are supported on both IOS and IOS-XR.
HTH,
Rivalino -
EIGRP network vs. no passive-interface
What is the difference between configuring EIGRP with the "network" command, then specifying the IP addresses of the interfaces you want to use OR using the no passive-interface command.
The examples below might make more sense:
gi0/0.1 has an IP of 192.168.1.1
gi0/0.2 has an IP of 192.168.2.1
s1/0 has an IP of 192.168.3.1
s1/0 has an IP of 192.168.4.1
router eigrp 100
 passive-interface default
 no passive-interface GigabitEthernet0/0.1
 no passive-interface GigabitEthernet0/0.2
 no passive-interface Serial1/0
 no passive-interface Serial1/1
 network 192.168.0.0
 no auto-summary

router eigrp 100
 network 192.168.1.1
 network 192.168.2.1
 network 192.168.3.1
 network 192.168.4.1
 no auto-summary
Don't both of these configurations accomplish the same thing? If so, is there any advantage to using one over the other?
Thanks,
Nate
Actually, on a technicality, they do not do the same thing. And it is one of the subtleties of the behavior of EIGRP that may be important to understand when preparing for the CCIE or when administering an EIGRP network.
The important aspect to recognize here is the classful network boundaries. The first example had network 192.168.0.0. This happens to be a class C network. And EIGRP would be looking for interfaces that are in that particular network. And it would not process the interfaces on 192.168.1.0 or 192.168.2.0 etc. Even though EIGRP works very well in a classless addressing environment, its roots are in a classful background. And one manifestation of that is the default behavior to treat the network statement as looking for classful boundaries. So in fact if you configure EIGRP with network 192.168.1.1 and then do a show run what you will see is 192.168.1.0 because EIGRP is processing classful network boundaries.
If the example had used a class B like 172.16.1.1 and 172.16.2.1 etc then the two approaches would have produced the same results.
There are two more aspects of this I would like to comment on. One is the background of the passive default. This ties back to the essentially classful nature of the processing that EIGRP does on the network statement. If you were bringing up a router that would eventually have many interfaces that would be subnets of the same classful network and you put in network 172.16.0.0 then EIGRP would attempt to process every interface with an address in the subnets of that network. But you might not want them to be advertised when they were configured, you might want to wait till there was actually something deployed there, or perhaps you might not want EIGRP to process a particular interface at all (perhaps that interface connected to something external to your network). Cisco introduced the passive default to accommodate this situation. With passive default EIGRP does not process the interface till you specifically activate it.
Another interesting aspect is that Cisco then introduced the ability within EIGRP to use a netmask on the network statement which allows you to specifically identify the particular interface you want to process. This addresses the classful default behavior and makes EIGRP truly more of a classless routing protocol.
So let's take the example that started this discussion and change it a little bit. Suppose there was a router with interfaces 172.16.1.1, 172.16.2.1, 172.16.3.1, and 172.16.4.1. And suppose that you wanted (for whatever reason) to include 1, 2, and 4 but not 3. How could you do it?
The more traditional solution would be to use passive default and leave the 3 as passive. Or the more recent solution would be to use network statements with netmask to include only the specific interfaces that you wanted.
HTH
Rick -
Hi
10xs ankur for ur previous link; so i need to control route propagation to access layer switches using dist-list, and allow only default route to be advertised to the access layer (i'll configure access as eigrp stub). have a check to this config
access-switch
router eigrp 1
 eigrp stub connected
Dist-node
Dist-node EIGRP configuration:
interface Port-channel1
 description to Core
 ip address 10.1.0.1 255.255.255.252
 ip hello-interval eigrp 1 1
 ip hold-time eigrp 1 3
 ip summary-address eigrp 10 10.2.0.0 255.255.0.0
interface GigabitEthernet1/1
 description To Access (L3)
 ip address 10.1.0.9 255.255.255.252
 ip hello-interval eigrp 1 1
 ip hold-time eigrp 1 3
router eigrp 1
 passive-interface default
 no passive-interface Port-channel1
 no passive-interface GigabitEthernet1/1
 network 10.0.0.0
 distribute-list Default out GigabitEthernet1/1
 no auto-summary
ip Access-list standard Default
 permit 0.0.0.0.
do i need inverse mask when i advertise the 10.0.0.0? like this config i prevent access switch to act as transit node? why should only permit default route?
10xs for ur reply
ali
Hi,
do i need inverse mask when i advertise the 10.0.0.0?
The answer depends on details of how you configure EIGRP. You have configured it like this:
router eigrp 1
 network 10.0.0.0
then EIGRP will look for every interface on the router which is in 10.0.0.0 and include that interface into EIGRP processing.
If you want to configure it like this
router eigrp 1
 network 10.0.0.0 0.0.0.3
then EIGRP will look for the interface that matches the address and mask and will find at most one interface that matches and that interface will be included into EIGRP processing.
HTH, Please rate if it does.
-amit singh -
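Added example, not part of the thread: a Python model of how the EIGRP "network" statement selects interfaces, as described in Rick's and amit singh's answers above (classful match without a mask, wildcard match with one), combined with passive-interface default. The first data set uses the addresses from Nate's question (with Serial1/1 assumed for the fourth address); the interface names in the second data set and all function names are assumptions, and classes D and E are not modelled.

```python
import ipaddress

# Addresses from Nate's question; Serial1/1 for the fourth address is an assumption.
NATE_IFACES = {
    "GigabitEthernet0/0.1": "192.168.1.1",
    "GigabitEthernet0/0.2": "192.168.2.1",
    "Serial1/0": "192.168.3.1",
    "Serial1/1": "192.168.4.1",
}
# Addresses from Rick's scenario; the interface names are constructed.
RICK_IFACES = {
    "Gi0/1": "172.16.1.1",
    "Gi0/2": "172.16.2.1",
    "Gi0/3": "172.16.3.1",
    "Gi0/4": "172.16.4.1",
}


def classful_wildcard(addr):
    """Wildcard bits implied by the address class when no mask is given."""
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return (1 << (32 - prefix)) - 1


def network_matches(statement, iface_ip):
    """True if an EIGRP 'network' statement selects this interface address."""
    parts = statement.split()
    net = ipaddress.IPv4Address(parts[1])
    if len(parts) > 2:
        wildcard = int(ipaddress.IPv4Address(parts[2]))
    else:
        wildcard = classful_wildcard(net)  # e.g. 192.168.1.1 is treated as 192.168.1.0/24
    care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
    return (int(net) & care) == (int(ipaddress.IPv4Address(iface_ip)) & care)


def classify(networks, interfaces, passive_default=False, no_passive=()):
    """Role of each interface: forms adjacencies, advertised only, or ignored."""
    roles = {}
    for name, ip in interfaces.items():
        if not any(network_matches(n, ip) for n in networks):
            roles[name] = "not in EIGRP"
        elif passive_default and name not in no_passive:
            roles[name] = "advertised, no adjacency"
        else:
            roles[name] = "adjacency"
    return roles


if __name__ == "__main__":
    # Nate's first config: the class C statement selects none of the four interfaces.
    print(classify(["network 192.168.0.0"], NATE_IFACES, True, set(NATE_IFACES)))
    # Rick's two ways of leaving out 172.16.3.1 do not give the same result.
    print(classify(["network 172.16.0.0"], RICK_IFACES, True, {"Gi0/1", "Gi0/2", "Gi0/4"}))
    hosts = [f"network {ip} 0.0.0.0" for n, ip in RICK_IFACES.items() if n != "Gi0/3"]
    print(classify(hosts, RICK_IFACES))
```

With passive default, the third interface is still advertised into EIGRP; with host-specific network statements it is left out of the process altogether, which matters when that interface faces something outside your network.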
Unable to add vrf to Vlan interface
Running 3750 in stack Version 15.0(2)SE2
I am getting an error when trying to add vrf to vlan int
switch(config)#interface Vlan101
switch(config-if)#ip vrf forwarding dummy
% CEF table 0x6 does not exist (Vlan101).
switch(config-if)#^Z
Please help
Yes Cef is by default on the switch i believe
switch#sh ip cef
Prefix Next Hop Interface
0.0.0.0/0 10.34.68.1 FastEthernet0
0.0.0.0/8 drop
0.0.0.0/32 receive
10.34.68.0/24 attached FastEthernet0
10.34.68.0/32 receive FastEthernet0
10.34.68.1/32 attached FastEthernet0
10.34.68.2/32 attached FastEthernet0
10.34.68.11/32 attached FastEthernet0
10.34.68.13/32 attached FastEthernet0
10.34.68.14/32 attached FastEthernet0
10.34.68.15/32 receive FastEthernet0
10.34.68.255/32 receive FastEthernet0
10.145.172.0/32 receive Virtual3
127.0.0.0/8 drop
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive -
MGRE in VRF and Source Interface Issue
friends,
I have a scenario where I need to use multiple multi-point GRE tunnels and put them in a VRF for each customer. The problem I am facing is that for each tunnel I use the router's loopback in the global table as source address. It works fine for one tunnel. But as soon as I create another tunnel using the same loopback as source, both tunnels go down. If I use different loopback addresses for each tunnel, all tunnels stay up. Can anyone tell me why I cannot use one loopback as source-address for all tunnels?? Creating an individual loopback for each tunnel doesn't seem scalable.
interface Tunnel0
 ip vrf forwarding RED
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map 10.0.0.4 172.16.1.4
 ip nhrp map 10.0.0.5 172.16.1.5
 ip nhrp network-id 1
 tunnel source Loopback0
 tunnel mode gre multipoint
end
interface Tunnel1
 ip vrf forwarding BLUE
 ip address 11.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map 11.0.0.6 172.16.1.6
 ip nhrp network-id 2
 tunnel source Loopback1
 tunnel mode gre multipoint
end
interface FastEthernet0/0
 description *** Connected to Customers for mGRE ***
 ip address 172.16.1.1 255.255.255.0
end
interface Loopback0
 ip address 1.1.1.254 255.255.255.255
end
Hello
Can you provide show interface tunnel
Harish -
Hi
Because of a migration I need two connections from one 6500 to a 3550. See the following scenario (just two switches!)
6500 ---------------- 3550
OSPF 100 -- vlan1 -- OSPF 100
OSPF 100 -- vlan2 -- OSPF 1000 vrf C1
Everything works fine at the start, which is good. The bad thing: after I reboot the 3550 I have no neighborship from 3550 OSPF 1000 vrf C1 to 6500 global OSPF.
That's because 3550 OSPF 1000 sends no hellos out of vlan 2. So probably something's broken with the process.
Clear ospf process doesn't help.
The workaround is to delete OSPF 200 vrf C1 configuration and configure it again. But this is not what i want in a live environment.
Has anybody an idea?
cheers patrick
Hi Saul,
The issue is that the ASR9K knows how to get to 172.16.161.6 (or 172.16.19.30) but the EX8208 does not know how to get back to 172.16.19.6, which is the source address used for the ping request. This is because the C6500 redistribute ospf into bgp but it does not redistribute bgp into ospf.
Regards