OSPF Passive Interface

ReneMolenaar · December 29, 2016, 6:37pm

This topic is to discuss the following lesson:

aujla3 · September 10, 2015, 3:37am

hay rene, is there any way to make the default as passive and yet keep the interface that already has a neighbour as non passive? in other words is there a way to change the default on the router to passive on all interfaces except the onces that already have neighbours, without dropping the adj.

Thanks,

ReneMolenaar · September 11, 2015, 4:56pm

Hi Kam,

I’m afraid not, if you use the global passive command then it will kill any OSPF neighbor adjacencies that you have…unless you do “no passive interface” for these interfaces.

Rene

kamawal0008 · January 7, 2016, 2:25am

Hi Rene!

If we type passive-interface default then it should block OSPF packets for both interfaces? and we only want it for fa0/1, not for fa0/0. In other words how the router would know which interface should stop OSPF packets?

ReneMolenaar · January 7, 2016, 12:44pm

Hi Adil,

If you use passive-interface default then all interfaces will be passive. If you want to disable it for fa0/0 then you can use the no passive-interface fa0/0 command under the OSPF process.

Rene

ivoaleksiev · February 9, 2016, 10:46pm

Hi Rene!
You mention that passive-interface command is preventing an interface from sending hello packets.
I’d like to know technically does it prevent interface from RECEIVING hello packets as well?
Also, I read in an official Cisco literature that it is recommended ISP facing interfaces to be passive for security.
However I don’t understand, if this is the case how is my router going to receive routing to external destinations using OSPF if it doesn’t become neighbor
with the next hop.
Thank you in advance!

ReneMolenaar · February 10, 2016, 1:30pm

Hi Ivaylo,

It won’t prevent us from receiving the hello packets but I believe it does stop processing them. Here’s a little experiment I did with two routers, directly connected to each other:

R1#debug ip ospf hello 
OSPF hello debugging is on

Now we can see we are sending and receiving hello packets:

R1#
OSPF-1 HELLO Gi0/1: Send hello to 224.0.0.5 area 0 from 192.168.12.1
OSPF-1 HELLO Gi0/1: Rcv hello from 2.2.2.2 area 0 192.168.12.2

Let’s make the interface passive:

R1(config)#router ospf 1
R1(config-router)#passive-interface GigabitEthernet 0/1

At this moment my debug is not producing any output anymore. Basically OSPF has been disabled on the interface. We are still receiving packets though:

R1#debug ip packet 
IP packet debugging is on

R1#
IP: s=192.168.12.2 (GigabitEthernet0/1), d=224.0.0.5, len 80, rcvd 0
IP: s=192.168.12.2 (GigabitEthernet0/1), d=224.0.0.5, len 80, input feature, packet consumed, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Above you can see that we are receiving OSPF packets from 192.168.12.2.

About your other question:

OSPF as an IGP (Interior Gateway Protocol) is typically used on our “own” networks. If you have a connection to your ISP for Internet access then all you need is a default route to them…we don’t run OSPF with the ISP.

Hope this helps!

Rene

agatyinta · May 16, 2016, 11:36am

Hi Rene,

Not clear on this statement. Can you elaborate please:

It works similar for EIGRP but RIP works a bit different. It doesn’t create neighbor adjacency so it just suppresses route advertisements on the passive interface.

Thank you

Ahmad

ReneMolenaar · May 16, 2016, 4:16pm

Hi Ahmad,

OSPF and EIGRP have one thing in common, they both establish a neighbor adjacency before they advertise any routing information. RIP doesn’t establish a neighbor adjacency, it just advertises routing updates.

When you use the passive interface command for RIP then it stops advertising RIP routing updates on that interface. When you use it for OSPF or EIGRP, they won’t send any hello packets anymore so that it becomes impossible to establish a neighbor adjacency on the passive interface.

Rene

monirmorshed · November 1, 2017, 10:52pm

Hi Rene
I understand that passive interface prevents building OSPF neighbor-ship.
But does passive interfaces still advertise the OSPF routes to other end?

lagapidis · November 6, 2017, 6:16am

Hello Monir

When you indicate that an interface is passive, it means that any and all OSPF related messages are never sent out that interface. The connected network does participate in the OSPF process, that is, the connected subnet is advertised to other OSPF routers, but no hellos, LSAs or any other OSPF related packets are sent out that interface.

The passive interface is configured on interfaces where you KNOW there is no OSPF router connected to it to receive any kind of OSPF information.

I hope this has been helpful!

Laz

bil-khan · December 22, 2017, 4:43pm

Hello Rene,

I have a question for passive interface. If one interface having many sub interfaces for example fa0/0.1, fa0/0.2, fa0/0.3 and so on and we use the command passive interface fa0/0 under OSPF, this makes all sub interfaces passive or no ?

ReneMolenaar · January 1, 2018, 4:26pm

Hi Bilal,

Each (sub) interface is a separate interface. If you add the passive interface command to the physical interface then this will not affect your sub-interfaces.

coolsumus · January 24, 2018, 8:24am

Can you explain this statement - “All interfaces that have a network that falls within the range of the network command will be advertised in OSPF”.
On R1, Fa 0/1 and Fa 0/0 are on a different subnet. Then how a network command on Fa 0/0 will send hello packets on Fa 0/1?

lagapidis · January 28, 2018, 7:54am

Hello Sumu

When a router is enabled with OSPF, it sends hello packets outside ALL of its network interfaces by default regardless of which subnets are participating in OSPF, regardless of which subnets are included in the network command.

The statement

“All interfaces that have a network that falls within the range of the network command will be advertised in OSPF”

means that the advertisements that are sent will include information about these networks. This means that by default, hello packets will be sent on all interfaces including Fa0/0 and Fa0/1 and will contain only information about networks configured with the network command. This is why the passive configuration must be employed on the Fa0/1, because hellos will be sent from there even though there is no router connected to this port.

I hope this has been helpful!

Laz

joseph.dong · October 28, 2019, 5:27pm

Hi Rene,

For the network shown in the first image, would only issuing the network192.168.12.0 0.0.0.255 area 0 command and also redistributing connected interfaces be a more or less efficient method than issuing a passive-interface on the interface connecting to the switch?

Thanks for the excellent content!

lagapidis · October 29, 2019, 9:04am

Hello Josep

You could configure the routers like you describe, and the result would be the same for this particular scenario. The difference in efficiency would be non-existent.

The problem you may encounter with redistribution is that you may want to redistribute some connected routes and not others and this cannot be done selectively by redistributing connected routes. The simplest configuration would be to use passive interfaces and to choose which networks to advertise using the network command.

I hope this has been helpful!

Laz

olloczky · February 23, 2020, 3:19pm

Hello All, Rene,

I miss the important information that despite turning an interface into passive interface it will still advertise its connected subnet.

Cheers,
Daniel

lagapidis · February 24, 2020, 10:54am

Hello Daniel

Yes, you are correct. A passive interface will still have it’s connected network advertised via OSPF (if it is included in the subnets of the network command) but will simply stop sending hello and other OSPF packets over that interface.

I hope this has been helpful!

Laz

narad · July 7, 2021, 1:53pm

can we send unicast hello on passive interface if we want in RIP and EIGRP and OSPF and
We can establish the neighbor relationship and can share the route each other as well ??