Home Network Layer OSPF Version 2 OSPF Passive Interface: How to Set it Up on Cisco and Juniper

OSPF Passive Interface: How to Set it Up on Cisco and Juniper

Passive interface is a routing feature used in interior gateway protocols only like OSPF, EIGRP, IS-IS, and RIP. Basically, this feature prevents interfaces from sending routing information (update, hellos, etc). An OSPF passive interface stops the router from generating and processing OSPF packets.

The router does not send OSPF hellos, and thus it won’t build up neighbor relationships and ignores received OSPF packets over the passive interface. However, the router still includes the interface data (IP address, subnet mask, cost,…) in its self-originated router LSA. In this way, the subnet attached to the passive interface is reachable, while the router does produce or handle routing packets on that interface. Moreover, multiple vendors like Juniper, Huawei, and Fortinet, are implementing this feature on their devices.

To sum up, OSPF passive interface is a feature that advertises the IP address or IP addresses configured on an OSPF-enabled interface without actively sending OSPF hello and processing received OSPF packets on that.

Why Do We Use a Passive Interface in OSPF?

When you enable OSPF on a particular active IP-enabled interface, the routing protocol starts sending Hello packets over that interface. In the absence of an authentication mechanism, the router can form OSPF adjacencies with any device running OSPF no matter whether it is authorized or not to join the current autonomous system.

This gives a way for hackers to spy on the routing domain and inject false routing information. To circumvent this issue, use the passive-interface command to disable running OSPF software on one or many router interfaces.

Making an interface passive has another benefit, which is reducing CPU cycles consumed by sending unnecessary OSPF Hello packets.

Basically, it is recommended to set an interface as passive when there is no OSPF adjacency that needs to be built up over that interface. For example, a loopback interface or an interface connected to a subset of end hosts. In the case you make a router interface passive, OSPF:

  • does not send Hellos over the interface, and thus not forming neighbor relationships.
  • ignores received OSPF packets of all types.
  • still advertises the interface’s routing data (IP address, subnet mask, subnet IP address, cost, etc). Besides, enabling IP prefix suppression globally on the OSPF process does not affect passive interfaces.

To sum up, OSPF passive interfaces have two advantages: increasing routing protocol security and decreasing CPU load caused by producing and forwarding OSPF Hello packets.

Configuring and Verifying OSPF Passive Interfaces on Cisco IOS and Cisco IOS-XR

Cisco IOS OSPF Passive-interface Command

On Cisco IOS, the passive-interface command allows network engineers to stop generating OSPF Hellos on a particular interface or all interfaces. The command follows this syntax:
passive-interface [default] int-type int-number, where int-type and int-number are the type and number of the interface on which you want to disable OSPF.

 

Figure 1 – The network topology of an OSPF autonomous system

Suppose we want to set up all loopback interfaces on routers R1 and R2 (Figure 1) as passive interfaces. To achieve this goal, we can configure routers R1 and R2 like the following:

Router R1

 R1(config)# router ospf 1
 R1(config-router)# passive-interface loopback0

Router R2

 R2(config)# router ospf 1
 R2(config-router)# passive-interface loopback0
 R2(config-router)# passive-interface loopback1

Cisco OSPF Passive-interface Default Command

The default keyword is optional. You may use the passive-interface default command if you need to make passive all current and future active OSPF-enabled interfaces.

For instance, we have a router with 100 interfaces on which we want to consider just a few interfaces as passive. In this case, applying the passive-interface default command will save us lots of time since it will disable OSPF on all interfaces. And, all that will need to do is issue the no passive-interface command on the interfaces connected to OSPF neighboring nodes.

The example below illustrates how to use the passive-interface command with and without the default keyword in order to run OSPF on R3’s interfaces connected to R1 and R2 only.

R3(config)# router ospf 1
R3(config-router)# passive-interface default
R3(config-router)# no passive-interface GigabitEthernet 0/1
R3(config-router)# no passive-interface GigabitEthernet 0/2

Configuring OSPF Passive Interfaces on Cisco IOS-XR

Cisco IOS XR includes the passive command in order to manage the passive interface function. The passive command can enable or disable OSPF on all interfaces, per area or per interface. To prevent sending Hellos and ignoring received OSPF packets, use the passive enable command. Otherwise, use the passive disable statement.

In Exhibit 1, we make all interfaces passive. In Exhibit 2, we disable the passive interface feature on all interfaces, except on those in area 0. Finally, in Exhibit 3, we make the Loopback0 interface passive. The commit command is necessary to confirm our configurations.

RP/0/0/CPU0:R4(config)# router ospf 1
RP/0/0/CPU0:R4(config-ospf)# passive enable
RP/0/0/CPU0:R4(config-ospf)# commit

Exhibit 1 – Applying the passive interface feature globally on OSPF process 1

RP/0/0/CPU0:R5(config-ospf)# passive disable
RP/0/0/CPU0:R5(config-ospf)# area 0
RP/0/0/CPU0:R5(config-ospf-ar)# passive enable
RP/0/0/CPU0:R5(config-ospf-ar)# commit

Exhibit 2 – Applying the passive interface feature globally on area 0

RP/0/0/CPU0:R6(config)# router ospf 1
RP/0/0/CPU0:R6(config-ospf)# area 0
RP/0/0/CPU0:R6(config-ospf-ar)# interface Loopback0
RP/0/0/CPU0:R6(config-ospf-ar-if)# passive enable
RP/0/0/CPU0:R6(config-ospf-ar-if)# commit

Exhibit 3 – Applying the passive interface feature on interface Loopback0

Configuring Passive Interfaces on Juniper and Fortigate

On Junos OS, to configure an OSPF-enabled interface as a passive interface, use the
set protocols ospf area area-id interface intrfc passive statement, where area-id is the ID of the interface’s OSPF area and intrfc the name of the interface.

john@R1#  set protocols ospf area 0 interface lo1.0 passive

On FortiGate, to stop sending hello packets over a particular interface, use the set passive-interface command.

#  config router ospf
        set passive-interface port1

Verifying OSPF Passive Interface on Cisco IOS and Cisco IOS-XR

To verify whether an OSPF-enabled is passive on Cisco IOS, use the show ip ospf interface or show ip protocols command in enable mode. The last show command can display passive loopback interfaces, while the first one does not tell if a loopback interface is passive or not.

Basically, the show ip ospf interface displays OSPF data such as cost, network type, neighbors, adjacencies, timers, and more. Exhibit 4 indicates that R1’s G0/0 interface is passive.

R1# show ip ospf interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet Address 10.0.10.1/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown      Topology Name
0           1         no          no            Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State WAITING, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
No Hellos (Passive interface) 


omitted output

Exhibit 4 – OSPF settings of interface GigabitEthernet 0/0

The show ip protocols command displays information about all dynamic routing protocols configured on the router, including OSPF. Additionally, it shows the passive interfaces for each routing protocol (Exhibit 5).

R1# show ip protocols
omitted output
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Routing on Interfaces Configured Explicitly (Area 0):
GigabitEthernet0/0
Passive Interface(s):
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3
Loopback0

Exhibit 5 – Displaying OSPF passive interfaces

On Cisco IOS-XR, you can use the show ospf interface command to verify passive interfaces (Exhibits 6). Similar to the show ip ospf interface command on Cisco IOS, the show ospf interface does not tell if a loopback interface is passive or not.

RP/0/0/CPU0:ios# show ospf inter gigabitEthernet 0/0/0/0
Thu Jun 23 13:57:28.184 UTC
GigabitEthernet0/0/0/0 is up, line protocol is up
Internet Address 10.0.14.4/24, Area 0
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State WAITING, Priority 1, MTU 1500, MaxPktSz 1500
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
No Hellos (Passive interface)


omitted output

Exhibit 6 – OSPF settings of interface GigabitEthernet 0/0/0/0

OSPF Passive Interface Packet Tracer Lab

In this lab, you learn commands and develop skills concerning passive interfaces in OSPF. Click here to download the Packet Tracer lab file.

Network diagram

Tasks

Task 1: Configure hostname, VLANs, and IP addresses based on the table below. Additionally, configure an 802.1Q trunk link between R1 and SW1.

Device Interface IP Address/ Subnet Mask Default Gateway VLAN OSPF Area
R1 G0/1.1 10.0.1.1/24 N/A 1 Area 0
G0/1.2 10.0.2.1/24 N/A 2 Area 0
G0/1.3 10.0.3.1/24 N/A 3 Area 0
G0/2 10.0.12.1/24 N/A N/A Area 0
G0/0 10.0.13.1/24 N/A N/A Area 0
Loopback 0 10.0.10.1/24 N/A N/A Area 0
Loopback 1 10.0.11.1/24 N/A N/A Area 0
R2 G0/1 10.0.12.2/24 N/A N/A Area 0
G0/0 10.0.23.2/24 N/A N/A Area 0
Loopback 0 10.0.20.2/24 N/A N/A Area 0
R3 G0/1 10.0.13.3/24 N/A N/A Area 0
G0/2 10.0.23.3/24 N/A N/A Area 0
Loopback 0 10.0.30.3/24 N/A N/A Area 0
Loopback 1 10.0.31.3/24 N/A N/A Area 0
Loopback 2 10.0.32.3/24 N/A N/A Area 0
PC1 F0 10.0.1.10/24 10.0.1.1 1  N/A
PC2 F0 10.0.2.10/24 10.0.2.1 2  N/A
PC3 F0 10.0.3.10/24 10.0.3.1 3  N/A

 

Switch SW1

Switch(config)# hostname SW1
SW1(config)# vlan 2
SW1(config-vlan)# vlan 3
SW1(config-vlan)#
SW1(config-vlan)# interface fastethernet 0/3
SW1(config-if)# switchport access vlan 2
SW1(config-if)#
SW1(config-if)# interface fastethernet 0/3
SW1(config-if)# switchport access vlan 2
SW1(config-if)#
SW1(config-if)# interface gigabitethernet 0/1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk

Router R1

Router(config)# hostname R1
R1(config)# interface gigabitethernet 0/0
R1(config-if)# ip address 10.0.13.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#
R1(config-if)# interface gigabitethernet 0/1
R1(config-if)# no shutdown
R1(config-if)#
R1(config-if)# interface gigabitethernet 0/1.1
R1(config-subif)# encapsulation dot1q 1
R1(config-subif)# ip address 10.0.1.1 255.255.255.0
R1(config-subif)#
R1(config-subif)# interface gigabitethernet 0/1.2
R1(config-subif)# encapsulation dot1q 2
R1(config-subif)# ip address 10.0.2.1 255.255.255.0
R1(config-subif)#
R1(config-subif)# interface gigabitethernet 0/1.3
R1(config-subif)# encapsulation dot1q 3
R1(config-subif)# ip address 10.0.3.1 255.255.255.0
R1(config-subif)#
R1(config-subif)# interface gigabitethernet 0/2
R1(config-if)# ip address 10.0.12.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)#
R1(config-if)# interface loopback 0
R1(config-if)# ip address 10.0.10.1 255.255.255.0
R1(config-if)#
R1(config-if)# interface loopback 1
R1(config-if)# ip address 10.0.11.1 255.255.255.0
R1(config-if)#
R1(config-if)# router ospf 1
R1(config-router)# network 0.0.0.0 255.255.255.255 area 0

Router R2

Router(config)# hostname R2
R2(config)# interface gigabitethernet 0/0
R2(config-if)# ip address 10.0.23.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)#
R2(config-if)# interface gigabitethernet 0/1
R2(config-if)# ip address 10.0.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)#
R2(config-if)# interface loopback 0
R2(config-if)# ip address 10.0.20.2 255.255.255.0
R2(config-if)#
R2(config-if)# router ospf 1
R2(config-router)# network 0.0.0.0 255.255.255.255 area 0

Router R3

Router(config)# hostname R3
R3(config)# interface gigabitethernet 0/1
R3(config-if)# ip address 10.0.13.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)#
R3(config-if)# interface gigabitethernet 0/2
R3(config-if)# ip address 10.0.23.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)#
R3(config-if)# interface loopback 0
R3(config-if)# ip address 10.0.30.3 255.255.255.0
R3(config-if)#
R3(config-if)# interface loopback 1
R3(config-if)# ip address 10.0.31.3 255.255.255.0
R3(config-if)#
R3(config-if)# interface loopback 2
R3(config-if)# ip address 10.0.32.3 255.255.255.0
R3(config-if)#
R3(config-if)# router ospf 1
R3(config-router)# network 0.0.0.0 255.255.255.255 area 0

PC1
Click on the icon of PC1, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.1.10, 255.255.255.0, and 10.0.1.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.

PC2
Click on the icon of PC1, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.2.10, 255.255.255.0, and 10.0.2.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.

PC3
Click on the icon of PC1, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.3.10, 255.255.255.0, and 10.0.3.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.

Task 2: Disable sending unnecessary OSPF Hellos on the network using the passive-interface command.

Router R1

R1(config)# router ospf 1
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface gigabitethernet0/2
R1(config-router)# no passive-interface gigabitethernet0/0

Router R2

R2(config)# router ospf 1
R2(config-router)# passive-interface loopback0

Router R3

R3(config)# router ospf 1
R3(config-router)# passive-interface default
R3(config-router)# no passive-interface gigabitethernet0/1
R3(config-router)# no passive-interface gigabitethernet0/2

The show IP protocols command outputs confirm that our solution meets the task’s requirement.

Router R1

R1# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.11.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/1
GigabitEthernet0/1.1
GigabitEthernet0/1.2
GigabitEthernet0/1.3
Loopback0
Loopback1

omitted output

Router R2

R2# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.20.2
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Passive Interface(s):
Loopback0
Routing Information Sources:
Gateway         Distance      Last Update
Distance: (default is 110)

Router R3

R3# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.32.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/0
Loopback0
Loopback1
Loopback2

omitted output

Task 3: Remove the Loopback0 from the list of passive interfaces on router R1.

R1(config)# router ospf 1
R1(config-router)# no passive-interface loopback0

As you can see below, the passive interfaces section of the show ip protocol command output does include the loopback 0 interface, meaning OSPF is not preventing Hellos to be sent over that interface.

R1# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.11.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/1
GigabitEthernet0/1.1
GigabitEthernet0/1.2
GigabitEthernet0/1.3
Loopback1


omitted output

Finally, comment below if you have a question about this tutorial. Additionally, if you like this post, share it on social media as that would keep me motivated to post new stuff.

Related Lessons to OSPF Passive Interface

Conclusion

I hope this blog post helps you learn something.
Now I’d like to turn it over to you:
What did you like about this tutorial?
Or maybe you have an excellent idea that you think I need to add.
Either way, let me know by leaving a comment below right now.

Mohamed Ouamer is a computer science teacher and a self-published author. He taught networking technologies and programming for more than fifteen years. While he loves to share knowledge and write, Mohamed's best passions include spending time with his family, visiting his parents, and learning new things.

Exit mobile version