Passive-Interface ~Stops Routing Protocols from Sending Packets

What is passive-interface ?

Passive-interface is an interface that does not send routing protocol packets.

Routing protocols such as OSPF and RIP/EIGRP are enabled on a router interface-by-interface basis. Then, packets of the corresponding routing protocol are sent from the interface where the routing protocol is enabled. By configuring an interface with routing protocol enabled as a passive-interface, it stops the sending of routing protocol packets.

Interface to be configured as passive-interface

An interface to be configured as a passive interface is an interface to which only PCs, servers, etc. are connected, and no other routers using the same routing protocol are present.

Routing protocol packets only need to be sent and received between routers that use the same routing protocol. It is meaningless to send routing protocol packets to an interface that is connected only to PCs or servers. It will only consume extra network bandwidth. Also, if routing protocol packets are captured by malicious users, it could be a foothold for unauthorized access, which is undesirable for security reasons. Therefore, stop sending routing protocol packets as a passive interface.

Note that OSPF and EIGRP do not send Hello packets either. If you make it a passive interface, you will not be able to establish a neighbor on that interface either.

Common misconfigurations

When configuring routing protocols, there is a common configuration mistake. It is to forget to enable the routing protocol on the interface where only PCs, servers, etc. are connected.

If the routing protocol is not enabled on an interface, no routing protocol packets will be sent from that interface. So you might think, “Why don’t we just disable the routing protocol without bothering to make it a passive interface?” This is the reason for this misconfiguration.

If the routing protocol is not enabled on an interface, the routing protocol will not advertise route information about the network on that interface. For example, in the following figure, R1 will no longer advertise the route 192.168.1.0/24, to which the PC is connected. R2 will not advertise the route 192.168.2.0/24 to which the server is connected. Therefore, the necessary route information will not be registered in the routing tables of R1 and R2, and communication between the PC and the server will not be possible.

Make sure to properly enable the routing protocol even on the interfaces where only PCs and servers are connected. Then, configure the passive-interface on top of that.

passive-interface configuration and verification commands

passive-interface configuration command

To configure passive-interface, use the following command in the configuration mode of the RIP/OSPF/EIGRP routing protocol.

To make multiple interfaces passive interfaces, configure multiple lines of the passive-interface command. If there are many interfaces to be passive-interface, use the passive-interface default command to make all the interfaces passive-interface first. Then, cancel the passive-interface of the interface that needs to send the routing protocol packets.

passive-interface verification command

To verify that the passive-interface is configured correctly, the show ip protocols command is easy to understand; the middle of the show ip protocols command display will reflect the passive-interface configuration.

OSPF-test#show ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 1.1.1.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.0.0 0.0.255.255 area 0
 Reference bandwidth unit is 100 mbps
  Passive Interface(s):
    FastEthernet0/0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 110)

Summary