Passive interface is a routing feature used only in interior gateway protocols such as OSPF, EIGRP, IS-IS, and RIP. Basically, this feature prevents interfaces from sending routing information (updates, hellos, etc.). An OSPF passive interface stops the router from generating and processing OSPF packets on that interface.
The router does not send OSPF hellos, so it does not build neighbor relationships, and it ignores OSPF packets received on the passive interface. However, the router still includes the interface data (IP address, subnet mask, cost, …) in its self-originated router LSA. In this way, the subnet attached to the passive interface remains reachable, while the router neither produces nor handles routing packets on that interface. Multiple vendors, including Juniper, Huawei, and Fortinet, implement this feature on their devices.
To sum up, an OSPF passive interface is a feature that advertises the IP address or addresses configured on an OSPF-enabled interface without sending OSPF hellos or processing received OSPF packets on that interface.
Why Do We Use a Passive Interface in OSPF?
When you enable OSPF on an active IP-enabled interface, the routing protocol starts sending Hello packets over that interface. In the absence of an authentication mechanism, the router can form OSPF adjacencies with any device running OSPF, whether or not that device is authorized to join the current autonomous system.
This gives attackers a way to spy on the routing domain and inject false routing information. To address this issue, use the passive-interface command to stop OSPF from running on one or more router interfaces.
Making an interface passive has another benefit: it reduces the CPU cycles consumed by sending unnecessary OSPF Hello packets.
Basically, it is recommended to set an interface as passive when no OSPF adjacency needs to be built over that interface, for example a loopback interface or an interface connected to a set of end hosts. When you make a router interface passive, OSPF:
- does not send Hellos over the interface, and thus does not form neighbor relationships;
- ignores received OSPF packets of all types;
- still advertises the interface’s routing data (IP address, subnet mask, subnet address, cost, etc.). Note that enabling IP prefix suppression globally on the OSPF process does not affect passive interfaces.
To sum up, OSPF passive interfaces have two advantages: they increase routing protocol security and decrease the CPU load caused by producing and processing OSPF Hello packets.
Configuring and Verifying OSPF Passive Interfaces on Cisco IOS and Cisco IOS-XR
Cisco IOS OSPF Passive-interface Command
On Cisco IOS, the passive-interface command allows network engineers to stop generating OSPF Hellos on a particular interface or all interfaces. The command follows this syntax:
passive-interface [default] int-type int-number, where int-type and int-number are the type and number of the interface on which you want to disable OSPF.
Figure 1 – The network topology of an OSPF autonomous system
Suppose we want to set up all loopback interfaces on routers R1 and R2 (Figure 1) as passive interfaces. To achieve this goal, we can configure routers R1 and R2 like the following:
Router R1
R1(config)# router ospf 1
R1(config-router)# passive-interface loopback0
Router R2
R2(config)# router ospf 1
R2(config-router)# passive-interface loopback0
R2(config-router)# passive-interface loopback1
Cisco OSPF Passive-interface Default Command
The default keyword is optional. Use the passive-interface default command when you need to make all current and future OSPF-enabled interfaces passive.
For instance, suppose we have a router with 100 interfaces, of which only a few need to keep running OSPF. In this case, applying the passive-interface default command saves lots of time, since it disables OSPF Hellos on all interfaces at once. All that remains is to issue the no passive-interface command on the interfaces connected to OSPF neighbors.
The example below illustrates how to use the passive-interface command with and without the default keyword in order to run OSPF on R3’s interfaces connected to R1 and R2 only.
R3(config)# router ospf 1
R3(config-router)# passive-interface default
R3(config-router)# no passive-interface GigabitEthernet 0/1
R3(config-router)# no passive-interface GigabitEthernet 0/2
Configuring OSPF Passive Interfaces on Cisco IOS-XR
Cisco IOS XR provides the passive command to manage the passive interface function. The passive command can enable or disable the feature on all interfaces, per area, or per interface. To stop sending Hellos and ignore received OSPF packets, use the passive enable command; otherwise, use the passive disable statement.
In Exhibit 1, we make all interfaces passive. In Exhibit 2, we disable the passive interface feature on all interfaces except those in area 0. Finally, in Exhibit 3, we make the Loopback0 interface passive. The commit command is required to apply the configuration.
RP/0/0/CPU0:R4(config)# router ospf 1
RP/0/0/CPU0:R4(config-ospf)# passive enable
RP/0/0/CPU0:R4(config-ospf)# commit
Exhibit 1 – Applying the passive interface feature globally on OSPF process 1
RP/0/0/CPU0:R5(config-ospf)# passive disable
RP/0/0/CPU0:R5(config-ospf)# area 0
RP/0/0/CPU0:R5(config-ospf-ar)# passive enable
RP/0/0/CPU0:R5(config-ospf-ar)# commit
Exhibit 2 – Applying the passive interface feature globally on area 0
RP/0/0/CPU0:R6(config)# router ospf 1
RP/0/0/CPU0:R6(config-ospf)# area 0
RP/0/0/CPU0:R6(config-ospf-ar)# interface Loopback0
RP/0/0/CPU0:R6(config-ospf-ar-if)# passive enable
RP/0/0/CPU0:R6(config-ospf-ar-if)# commit
Exhibit 3 – Applying the passive interface feature on interface Loopback0
Configuring Passive Interfaces on Juniper and Fortigate
On Junos OS, to configure an OSPF-enabled interface as a passive interface, use the set protocols ospf area area-id interface intrfc passive statement, where area-id is the ID of the interface’s OSPF area and intrfc is the name of the interface.
john@R1# set protocols ospf area 0 interface lo1.0 passive
On FortiGate, to stop sending hello packets over a particular interface, use the set passive-interface command.
# config router ospf
# set passive-interface port1
Verifying OSPF Passive Interface on Cisco IOS and Cisco IOS-XR
To verify whether an OSPF-enabled interface is passive on Cisco IOS, use the show ip ospf interface or show ip protocols command in privileged EXEC mode. The show ip protocols output lists passive loopback interfaces, whereas show ip ospf interface does not indicate whether a loopback interface is passive.
The show ip ospf interface command displays OSPF data such as cost, network type, neighbors, adjacencies, timers, and more. Exhibit 4 shows that R1’s G0/0 interface is passive.
R1# show ip ospf interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet Address 10.0.10.1/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State WAITING, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
No Hellos (Passive interface)
omitted output
Exhibit 4 – OSPF settings of interface GigabitEthernet 0/0
The show ip protocols command displays information about all dynamic routing protocols configured on the router, including OSPF. Additionally, it shows the passive interfaces for each routing protocol (Exhibit 5).
R1# show ip protocols
omitted output
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Routing on Interfaces Configured Explicitly (Area 0):
GigabitEthernet0/0
Passive Interface(s):
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3
Loopback0
Exhibit 5 – Displaying OSPF passive interfaces
On Cisco IOS-XR, use the show ospf interface command to verify passive interfaces (Exhibit 6). Like the show ip ospf interface command on Cisco IOS, show ospf interface does not indicate whether a loopback interface is passive.
RP/0/0/CPU0:ios# show ospf inter gigabitEthernet 0/0/0/0
Thu Jun 23 13:57:28.184 UTC
GigabitEthernet0/0/0/0 is up, line protocol is up
Internet Address 10.0.14.4/24, Area 0
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State WAITING, Priority 1, MTU 1500, MaxPktSz 1500
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
No Hellos (Passive interface)
omitted output
Exhibit 6 – OSPF settings of interface GigabitEthernet 0/0/0/0
OSPF Passive Interface Packet Tracer Lab
In this lab, you learn commands and develop skills concerning passive interfaces in OSPF. Click here to download the Packet Tracer lab file.
Network diagram
Tasks
Task 1: Configure hostname, VLANs, and IP addresses based on the table below. Additionally, configure an 802.1Q trunk link between R1 and SW1.
Device | Interface | IP Address/Subnet Mask | Default Gateway | VLAN | OSPF Area |
R1 | G0/1.1 | 10.0.1.1/24 | N/A | 1 | Area 0 |
R1 | G0/1.2 | 10.0.2.1/24 | N/A | 2 | Area 0 |
R1 | G0/1.3 | 10.0.3.1/24 | N/A | 3 | Area 0 |
R1 | G0/2 | 10.0.12.1/24 | N/A | N/A | Area 0 |
R1 | G0/0 | 10.0.13.1/24 | N/A | N/A | Area 0 |
R1 | Loopback 0 | 10.0.10.1/24 | N/A | N/A | Area 0 |
R1 | Loopback 1 | 10.0.11.1/24 | N/A | N/A | Area 0 |
R2 | G0/1 | 10.0.12.2/24 | N/A | N/A | Area 0 |
R2 | G0/0 | 10.0.23.2/24 | N/A | N/A | Area 0 |
R2 | Loopback 0 | 10.0.20.2/24 | N/A | N/A | Area 0 |
R3 | G0/1 | 10.0.13.3/24 | N/A | N/A | Area 0 |
R3 | G0/2 | 10.0.23.3/24 | N/A | N/A | Area 0 |
R3 | Loopback 0 | 10.0.30.3/24 | N/A | N/A | Area 0 |
R3 | Loopback 1 | 10.0.31.3/24 | N/A | N/A | Area 0 |
R3 | Loopback 2 | 10.0.32.3/24 | N/A | N/A | Area 0 |
PC1 | F0 | 10.0.1.10/24 | 10.0.1.1 | 1 | N/A |
PC2 | F0 | 10.0.2.10/24 | 10.0.2.1 | 2 | N/A |
PC3 | F0 | 10.0.3.10/24 | 10.0.3.1 | 3 | N/A |
Switch SW1
Switch(config)# hostname SW1
SW1(config)# vlan 2
SW1(config-vlan)# vlan 3
SW1(config-vlan)# interface fastethernet 0/3
SW1(config-if)# switchport access vlan 2
! The original listing repeats the fastethernet 0/3 / VLAN 2 block here. The port facing PC3
! (its number is not shown on this page, hence the placeholder) must be placed in VLAN 3:
SW1(config-if)# interface <port-to-PC3>
SW1(config-if)# switchport access vlan 3
SW1(config-if)# interface gigabitethernet 0/1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
Router R1
Router(config)# hostname R1
R1(config)# interface gigabitethernet 0/0
R1(config-if)# ip address 10.0.13.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface gigabitethernet 0/1
R1(config-if)# no shutdown
R1(config-if)# interface gigabitethernet 0/1.1
R1(config-subif)# encapsulation dot1q 1
R1(config-subif)# ip address 10.0.1.1 255.255.255.0
R1(config-subif)# interface gigabitethernet 0/1.2
R1(config-subif)# encapsulation dot1q 2
R1(config-subif)# ip address 10.0.2.1 255.255.255.0
R1(config-subif)# interface gigabitethernet 0/1.3
R1(config-subif)# encapsulation dot1q 3
R1(config-subif)# ip address 10.0.3.1 255.255.255.0
R1(config-subif)# interface gigabitethernet 0/2
R1(config-if)# ip address 10.0.12.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface loopback 0
R1(config-if)# ip address 10.0.10.1 255.255.255.0
R1(config-if)# interface loopback 1
R1(config-if)# ip address 10.0.11.1 255.255.255.0
R1(config-if)# router ospf 1
R1(config-router)# network 0.0.0.0 255.255.255.255 area 0
Router R2
Router(config)# hostname R2
R2(config)# interface gigabitethernet 0/0
R2(config-if)# ip address 10.0.23.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface gigabitethernet 0/1
R2(config-if)# ip address 10.0.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface loopback 0
R2(config-if)# ip address 10.0.20.2 255.255.255.0
R2(config-if)# router ospf 1
R2(config-router)# network 0.0.0.0 255.255.255.255 area 0
Router R3
Router(config)# hostname R3
R3(config)# interface gigabitethernet 0/1
R3(config-if)# ip address 10.0.13.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface gigabitethernet 0/2
R3(config-if)# ip address 10.0.23.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface loopback 0
R3(config-if)# ip address 10.0.30.3 255.255.255.0
R3(config-if)# interface loopback 1
R3(config-if)# ip address 10.0.31.3 255.255.255.0
R3(config-if)# interface loopback 2
R3(config-if)# ip address 10.0.32.3 255.255.255.0
R3(config-if)# router ospf 1
R3(config-router)# network 0.0.0.0 255.255.255.255 area 0
PC1
Click on the icon of PC1, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.1.10, 255.255.255.0, and 10.0.1.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.
PC2
Click on the icon of PC2, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.2.10, 255.255.255.0, and 10.0.2.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.
PC3
Click on the icon of PC3, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.3.10, 255.255.255.0, and 10.0.3.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.
Task 2: Disable sending unnecessary OSPF Hellos on the network using the passive-interface command.
Router R1
R1(config)# router ospf 1
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface gigabitethernet0/2
R1(config-router)# no passive-interface gigabitethernet0/0
Router R2
R2(config)# router ospf 1
R2(config-router)# passive-interface loopback0
Router R3
R3(config)# router ospf 1
R3(config-router)# passive-interface default
R3(config-router)# no passive-interface gigabitethernet0/1
R3(config-router)# no passive-interface gigabitethernet0/2
The show ip protocols command outputs below confirm that our configuration meets the task’s requirement.
Router R1
R1# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.11.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/1
GigabitEthernet0/1.1
GigabitEthernet0/1.2
GigabitEthernet0/1.3
Loopback0
Loopback1
omitted output
Router R2
R2# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.20.2
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Passive Interface(s):
Loopback0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)
Router R3
R3# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.32.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/0
Loopback0
Loopback1
Loopback2
omitted output
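As an added example (not part of the original tutorial), the following Python script parses the Passive Interface(s) section of show ip protocols output, in the format shown in Exhibit 5 and in the Task 2 outputs above, and audits it against the policy stated earlier: interfaces that face no OSPF neighbor must be passive, and neighbor-facing interfaces must not be. The sample output is constructed to mirror R1 after Task 2; the interface set and the neighbor-facing set are assumptions passed in by the caller.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on R1's "show ip protocols" output after Task 2
# (written for this example, not captured from a device).
SAMPLE_R1_AFTER_TASK2 = """\
Routing Protocol is "ospf 1"
  Router ID 10.0.11.1
  Routing for Networks:
    0.0.0.0 255.255.255.255 area 0
  Passive Interface(s):
    GigabitEthernet0/1
    GigabitEthernet0/1.1
    GigabitEthernet0/1.2
    GigabitEthernet0/1.3
    Loopback0
    Loopback1
  Routing Information Sources:
  Distance: (default is 110)
"""

# An interface name is a letter run followed by slot/port/subinterface digits
# (GigabitEthernet0/1.2, Loopback0, Vlan1); section headings contain spaces or ':'.
_IFNAME = re.compile(r"^[A-Za-z][A-Za-z-]*\d[\d/.]*$")


def parse_passive_interfaces(output: str, process: str = "ospf 1") -> Set[str]:
    """Return the interfaces listed under 'Passive Interface(s):' for one routing process."""
    passive: Set[str] = set()
    in_process = in_section = False
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("Routing Protocol is"):
            # show ip protocols lists every protocol; keep only the requested OSPF process
            in_process = f'"{process}"' in line
            in_section = False
        elif in_process and line == "Passive Interface(s):":
            in_section = True
        elif in_section:
            if _IFNAME.match(line):
                passive.add(line)
            else:
                in_section = False  # the next heading ends the list

    return passive


def audit_passive_policy(output: str, ospf_interfaces: Set[str],
                         neighbor_facing: Set[str]) -> Dict[str, List[str]]:
    """Every non-neighbor-facing OSPF interface must be passive; no neighbor-facing one may be."""
    passive = parse_passive_interfaces(output)
    return {
        # still sending Hellos and accepting OSPF packets where no neighbor belongs
        "missing_passive": sorted((ospf_interfaces - neighbor_facing) - passive),
        # passive where an adjacency is required, so that neighbor will never come up
        "wrongly_passive": sorted(neighbor_facing & passive),
    }
```

Feed it the output of the R1 router after Task 3 and it reports Loopback0 under missing_passive, which is exactly what that task changes.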
Task 3: Remove the Loopback0 from the list of passive interfaces on router R1.
R1(config)# router ospf 1
R1(config-router)# no passive-interface loopback0
As you can see below, the Passive Interface(s) section of the show ip protocols command output no longer includes the Loopback0 interface, meaning OSPF is no longer prevented from sending Hellos over that interface.
R1# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.11.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/1
GigabitEthernet0/1.1
GigabitEthernet0/1.2
GigabitEthernet0/1.3
Loopback1
omitted output
Finally, comment below if you have a question about this tutorial. Additionally, if you like this post, share it on social media as that would keep me motivated to post new stuff.
Conclusion
I hope this blog post helps you learn something.
Now I’d like to turn it over to you:
What did you like about this tutorial?
Or maybe you have an excellent idea that you think I need to add.
Either way, let me know by leaving a comment below right now.