Passive interface is a routing feature used only in interior gateway protocols such as OSPF, EIGRP, IS-IS, and RIP. It prevents an interface from sending routing information (updates, Hellos, etc.). An OSPF passive interface stops the router from generating and processing OSPF packets on that interface.
The router does not send OSPF Hellos over the passive interface, so it builds no neighbor relationships there, and it ignores OSPF packets received on it. However, the router still includes the interface data (IP address, subnet mask, cost, …) in its self-originated router LSA. In this way, the subnet attached to the passive interface remains reachable, while the router does not produce or handle routing packets on that interface. Other vendors, such as Juniper, Huawei, and Fortinet, implement this feature on their devices as well.
To sum up, OSPF passive interface is a feature that advertises the IP address or addresses configured on an OSPF-enabled interface without sending OSPF Hellos or processing received OSPF packets on that interface.
Why Do We Use a Passive Interface in OSPF?
When you enable OSPF on an active IP-enabled interface, the routing protocol starts sending Hello packets over that interface. In the absence of an authentication mechanism, the router can form OSPF adjacencies with any device running OSPF, whether or not that device is authorized to join the current autonomous system.
This gives hackers a way to spy on the routing domain and inject false routing information. To mitigate this issue, use the passive-interface command to stop OSPF from running on one or more router interfaces.
Making an interface passive has another benefit, which is reducing CPU cycles consumed by sending unnecessary OSPF Hello packets.
It is recommended to set an interface as passive when no OSPF adjacency needs to be built over that interface, for example, a loopback interface or an interface connected to a subnet of end hosts. When you make a router interface passive, OSPF:
- does not send Hellos over the interface, and thus does not form neighbor relationships.
- ignores received OSPF packets of all types.
- still advertises the interface’s routing data (IP address, subnet mask, subnet IP address, cost, etc). Besides, enabling IP prefix suppression globally on the OSPF process does not affect passive interfaces.
To sum up, OSPF passive interfaces have two advantages: increasing routing protocol security and decreasing CPU load caused by producing and forwarding OSPF Hello packets.
Configuring and Verifying OSPF Passive Interfaces on Cisco IOS and Cisco IOS-XR
Cisco IOS OSPF Passive-interface Command
On Cisco IOS, the passive-interface command allows network engineers to stop generating OSPF Hellos on a particular interface or all interfaces. The command follows this syntax:
passive-interface [default] int-type int-number, where int-type and int-number are the type and number of the interface on which you want to disable OSPF.


Figure 1 – The network topology of an OSPF autonomous system
Suppose we want to set up all loopback interfaces on routers R1 and R2 (Figure 1) as passive interfaces. To achieve this goal, we can configure routers R1 and R2 like the following:
Router R1
R1(config)# router ospf 1
R1(config-router)# passive-interface loopback0
Router R2
R2(config)# router ospf 1
R2(config-router)# passive-interface loopback0
R2(config-router)# passive-interface loopback1
Cisco OSPF Passive-interface Default Command
The default keyword is optional. Use the passive-interface default command if you need to make all current and future OSPF-enabled interfaces passive.
For instance, suppose we have a router with 100 interfaces, of which only a few connect to OSPF neighbors. In this case, applying the passive-interface default command saves a lot of time, since it makes every interface passive at once. All we then need to do is issue the no passive-interface command on the interfaces connected to OSPF neighboring nodes.
The example below illustrates how to use the passive-interface command with and without the default keyword in order to run OSPF on R3’s interfaces connected to R1 and R2 only.
R3(config)# router ospf 1
R3(config-router)# passive-interface default
R3(config-router)# no passive-interface GigabitEthernet 0/1
R3(config-router)# no passive-interface GigabitEthernet 0/2
Configuring OSPF Passive Interfaces on Cisco IOS-XR
Cisco IOS XR provides the passive command to manage the passive interface function. The passive command can be applied to all interfaces of the OSPF process, per area, or per interface. To stop sending Hellos and ignore received OSPF packets, use the passive enable command. Otherwise, use the passive disable statement.
In Exhibit 1, we make all interfaces passive. In Exhibit 2, we disable the passive interface feature on all interfaces, except on those in area 0. Finally, in Exhibit 3, we make the Loopback0 interface passive. The commit command is necessary to confirm our configurations.
RP/0/0/CPU0:R4(config)# router ospf 1
RP/0/0/CPU0:R4(config-ospf)# passive enable
RP/0/0/CPU0:R4(config-ospf)# commit
Exhibit 1 – Applying the passive interface feature globally on OSPF process 1
RP/0/0/CPU0:R5(config-ospf)# passive disable
RP/0/0/CPU0:R5(config-ospf)# area 0
RP/0/0/CPU0:R5(config-ospf-ar)# passive enable
RP/0/0/CPU0:R5(config-ospf-ar)# commit
Exhibit 2 – Applying the passive interface feature globally on area 0
RP/0/0/CPU0:R6(config)# router ospf 1
RP/0/0/CPU0:R6(config-ospf)# area 0
RP/0/0/CPU0:R6(config-ospf-ar)# interface Loopback0
RP/0/0/CPU0:R6(config-ospf-ar-if)# passive enable
RP/0/0/CPU0:R6(config-ospf-ar-if)# commit
Exhibit 3 – Applying the passive interface feature on interface Loopback0
Configuring Passive Interfaces on Juniper and Fortigate
On Junos OS, to configure an OSPF-enabled interface as a passive interface, use the set protocols ospf area area-id interface intrfc passive statement, where area-id is the ID of the interface’s OSPF area and intrfc is the name of the interface.
john@R1# set protocols ospf area 0 interface lo1.0 passive
On FortiGate, to stop sending hello packets over a particular interface, use the set passive-interface command.
# config router ospf
set passive-interface port1
Verifying OSPF Passive Interface on Cisco IOS and Cisco IOS-XR
To verify whether an OSPF-enabled interface is passive on Cisco IOS, use the show ip ospf interface or show ip protocols command in enable mode. The latter can display passive loopback interfaces, while the former does not tell whether a loopback interface is passive.
The show ip ospf interface command displays OSPF data such as cost, network type, neighbors, adjacencies, timers, and more. Exhibit 4 indicates that R1’s G0/0 interface is passive.
R1# show ip ospf interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet Address 10.0.10.1/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State WAITING, Priority 1
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
No Hellos (Passive interface)
omitted output
Exhibit 4 – OSPF settings of interface GigabitEthernet 0/0
The show ip protocols command displays information about all dynamic routing protocols configured on the router, including OSPF. Additionally, it shows the passive interfaces for each routing protocol (Exhibit 5).
R1# show ip protocols
omitted output
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Routing on Interfaces Configured Explicitly (Area 0):
GigabitEthernet0/0
Passive Interface(s):
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3
Loopback0
Exhibit 5 – Displaying OSPF passive interfaces
On Cisco IOS-XR, you can use the show ospf interface command to verify passive interfaces (Exhibit 6). Like the show ip ospf interface command on Cisco IOS, the show ospf interface command does not tell whether a loopback interface is passive.
RP/0/0/CPU0:ios# show ospf inter gigabitEthernet 0/0/0/0
Thu Jun 23 13:57:28.184 UTC
GigabitEthernet0/0/0/0 is up, line protocol is up
Internet Address 10.0.14.4/24, Area 0
Process ID 1, Router ID 10.0.0.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State WAITING, Priority 1, MTU 1500, MaxPktSz 1500
No designated router on this network
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
No Hellos (Passive interface)
omitted output
Exhibit 6 – OSPF settings of interface GigabitEthernet 0/0/0/0
OSPF Passive Interface Packet Tracer Lab
In this lab, you learn commands and develop skills concerning passive interfaces in OSPF.
Network diagram


Tasks
Task 1: Configure hostname, VLANs, and IP addresses based on the table below. Additionally, configure an 802.1Q trunk link between R1 and SW1.
| Device | Interface | IP Address/Subnet Mask | Default Gateway | VLAN | OSPF Area |
|---|---|---|---|---|---|
| R1 | G0/1.1 | 10.0.1.1/24 | N/A | 1 | Area 0 |
| R1 | G0/1.2 | 10.0.2.1/24 | N/A | 2 | Area 0 |
| R1 | G0/1.3 | 10.0.3.1/24 | N/A | 3 | Area 0 |
| R1 | G0/2 | 10.0.12.1/24 | N/A | N/A | Area 0 |
| R1 | G0/0 | 10.0.13.1/24 | N/A | N/A | Area 0 |
| R1 | Loopback 0 | 10.0.10.1/24 | N/A | N/A | Area 0 |
| R1 | Loopback 1 | 10.0.11.1/24 | N/A | N/A | Area 0 |
| R2 | G0/1 | 10.0.12.2/24 | N/A | N/A | Area 0 |
| R2 | G0/0 | 10.0.23.2/24 | N/A | N/A | Area 0 |
| R2 | Loopback 0 | 10.0.20.2/24 | N/A | N/A | Area 0 |
| R3 | G0/1 | 10.0.13.3/24 | N/A | N/A | Area 0 |
| R3 | G0/2 | 10.0.23.3/24 | N/A | N/A | Area 0 |
| R3 | Loopback 0 | 10.0.30.3/24 | N/A | N/A | Area 0 |
| R3 | Loopback 1 | 10.0.31.3/24 | N/A | N/A | Area 0 |
| R3 | Loopback 2 | 10.0.32.3/24 | N/A | N/A | Area 0 |
| PC1 | F0 | 10.0.1.10/24 | 10.0.1.1 | 1 | N/A |
| PC2 | F0 | 10.0.2.10/24 | 10.0.2.1 | 2 | N/A |
| PC3 | F0 | 10.0.3.10/24 | 10.0.3.1 | 3 | N/A |
Switch SW1
Switch(config)# hostname SW1
SW1(config)# vlan 2
SW1(config-vlan)# vlan 3
SW1(config-vlan)# interface fastethernet 0/3
SW1(config-if)# switchport access vlan 2
SW1(config-if)# interface fastethernet 0/3
SW1(config-if)# switchport access vlan 2
SW1(config-if)# interface gigabitethernet 0/1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
Router R1
Router(config)# hostname R1
R1(config)# interface gigabitethernet 0/0
R1(config-if)# ip address 10.0.13.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface gigabitethernet 0/1
R1(config-if)# no shutdown
R1(config-if)# interface gigabitethernet 0/1.1
R1(config-subif)# encapsulation dot1q 1
R1(config-subif)# ip address 10.0.1.1 255.255.255.0
R1(config-subif)# interface gigabitethernet 0/1.2
R1(config-subif)# encapsulation dot1q 2
R1(config-subif)# ip address 10.0.2.1 255.255.255.0
R1(config-subif)# interface gigabitethernet 0/1.3
R1(config-subif)# encapsulation dot1q 3
R1(config-subif)# ip address 10.0.3.1 255.255.255.0
R1(config-subif)# interface gigabitethernet 0/2
R1(config-if)# ip address 10.0.12.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface loopback 0
R1(config-if)# ip address 10.0.10.1 255.255.255.0
R1(config-if)# interface loopback 1
R1(config-if)# ip address 10.0.11.1 255.255.255.0
R1(config-if)# router ospf 1
R1(config-router)# network 0.0.0.0 255.255.255.255 area 0
Router R2
Router(config)# hostname R2
R2(config)# interface gigabitethernet 0/0
R2(config-if)# ip address 10.0.23.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface gigabitethernet 0/1
R2(config-if)# ip address 10.0.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface loopback 0
R2(config-if)# ip address 10.0.20.2 255.255.255.0
R2(config-if)# router ospf 1
R2(config-router)# network 0.0.0.0 255.255.255.255 area 0
Router R3
Router(config)# hostname R3
R3(config)# interface gigabitethernet 0/1
R3(config-if)# ip address 10.0.13.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface gigabitethernet 0/2
R3(config-if)# ip address 10.0.23.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# interface loopback 0
R3(config-if)# ip address 10.0.30.3 255.255.255.0
R3(config-if)# interface loopback 1
R3(config-if)# ip address 10.0.31.3 255.255.255.0
R3(config-if)# interface loopback 2
R3(config-if)# ip address 10.0.32.3 255.255.255.0
R3(config-if)# router ospf 1
R3(config-router)# network 0.0.0.0 255.255.255.255 area 0
PC1
Click on the icon of PC1, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.1.10, 255.255.255.0, and 10.0.1.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.
PC2
Click on the icon of PC2, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.2.10, 255.255.255.0, and 10.0.2.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.
PC3
Click on the icon of PC3, click Desktop, open the IP Configuration window, select the Static option, and then type 10.0.3.10, 255.255.255.0, and 10.0.3.1 in the IP address, Subnet Mask, and Default Gateway text boxes, respectively.
Task 2: Disable sending unnecessary OSPF Hellos on the network using the passive-interface command.
Router R1
R1(config)# router ospf 1
R1(config-router)# passive-interface default
R1(config-router)# no passive-interface gigabitethernet0/2
R1(config-router)# no passive-interface gigabitethernet0/0
Router R2
R2(config)# router ospf 1
R2(config-router)# passive-interface loopback0
Router R3
R3(config)# router ospf 1
R3(config-router)# passive-interface default
R3(config-router)# no passive-interface gigabitethernet0/1
R3(config-router)# no passive-interface gigabitethernet0/2
The show ip protocols command outputs confirm that our solution meets the task’s requirement.
Router R1
R1# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.11.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/1
GigabitEthernet0/1.1
GigabitEthernet0/1.2
GigabitEthernet0/1.3
Loopback0
Loopback1
omitted output
Router R2
R2# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.20.2
Number of areas in this router is 0. 0 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
Passive Interface(s):
Loopback0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)
Router R3
R3# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.32.3
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/0
Loopback0
Loopback1
Loopback2
omitted output
Task 3: Remove the Loopback0 from the list of passive interfaces on router R1.
R1(config)# router ospf 1
R1(config-router)# no passive-interface loopback0
As you can see below, the passive interfaces section of the show ip protocols command output no longer includes the loopback 0 interface, meaning OSPF is no longer preventing Hellos from being sent over that interface.
R1# show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.11.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
0.0.0.0 255.255.255.255 area 0
Passive Interface(s):
Vlan1
GigabitEthernet0/1
GigabitEthernet0/1.1
GigabitEthernet0/1.2
GigabitEthernet0/1.3
Loopback1
omitted output
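The manual check in Tasks 2 and 3 can be automated as a configuration audit. The Python code below is an added example, not part of the original lab: it parses show ip protocols output and reports OSPF-enabled interfaces that are neither passive nor on an approved adjacency list. The function names, the abridged sample output, and the approved-port policy (R1's G0/0 and G0/2, as left active in Task 2) are assumptions made for illustration.

```python
import re

PROTO_RE = re.compile(r'^Routing Protocol is "([^"]+)"')
IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z-]*\d[\d/.:]*$")  # e.g. GigabitEthernet0/1.2

def canon(name):
    """Normalise 'gigabitethernet 0/2' and 'GigabitEthernet0/2' to one key."""
    return name.replace(" ", "").lower()

def passive_interfaces(show_output):
    """Map each routing process to the interfaces listed as passive."""
    result, proto, in_passive = {}, None, False
    for raw in show_output.splitlines():
        line = raw.strip()
        m = PROTO_RE.match(line)
        if m:
            proto, in_passive = m.group(1), False
            result.setdefault(proto, set())
        elif line == "Passive Interface(s):":
            in_passive = proto is not None
        elif in_passive and IFACE_RE.match(line):
            result[proto].add(canon(line))
        else:
            in_passive = False  # any other line ends the passive list
    return result

def unexpected_hello_senders(show_output, proto, ospf_enabled, adjacency_ports):
    """OSPF-enabled interfaces that are neither passive nor approved for adjacencies."""
    passive = passive_interfaces(show_output).get(proto, set())
    enabled = {canon(i) for i in ospf_enabled}
    approved = {canon(i) for i in adjacency_ports}
    return sorted(enabled - passive - approved)

# Sample input: R1's 'show ip protocols' output from the lab, abridged.
_HEAD = ('Routing Protocol is "ospf 1"\n'
         "  Router ID 10.0.11.1\n"
         "  Routing for Networks:\n"
         "    0.0.0.0 255.255.255.255 area 0\n"
         "  Passive Interface(s):\n")
_COMMON = ["Vlan1", "GigabitEthernet0/1", "GigabitEthernet0/1.1",
           "GigabitEthernet0/1.2", "GigabitEthernet0/1.3"]

def _sample(passive):
    return _HEAD + "".join(f"    {name}\n" for name in passive) + "omitted output\n"

R1_AFTER_TASK2 = _sample(_COMMON + ["Loopback0", "Loopback1"])
R1_AFTER_TASK3 = _sample(_COMMON + ["Loopback1"])

# Assumed policy, taken from the lab's addressing table and Task 2.
R1_OSPF_ENABLED = ["GigabitEthernet0/0", "GigabitEthernet0/2", "GigabitEthernet0/1.1",
                   "GigabitEthernet0/1.2", "GigabitEthernet0/1.3", "Loopback0", "Loopback1"]
R1_ADJACENCY_PORTS = ["gigabitethernet 0/0", "gigabitethernet 0/2"]

if __name__ == "__main__":
    for label, text in (("after Task 2", R1_AFTER_TASK2), ("after Task 3", R1_AFTER_TASK3)):
        print(label, unexpected_hello_senders(text, "ospf 1", R1_OSPF_ENABLED, R1_ADJACENCY_PORTS))
```

Run against the Task 2 output the audit reports nothing, and against the Task 3 output it flags Loopback0 as an interface that sends Hellos without being on the approved list.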



