Get Full Access to our 739 Cisco Lessons Now Start $1 Trial
You are here: Home » Cisco » CCNP ENCOR 350-401

OSPF Passive Interface

When you use the network command in OSPF, two things will happen:

  • All interfaces that have a network that falls within the range of the network command will be advertised in OSPF.
  • OSPF hello packets are sent on these interfaces.

Sometimes it’s undesirable to send OSPF hello packets on certain interfaces. Take a look at the image below:

OSPF Passive Interface Lab Topology

R1 and R2 are configured for OSPF. R1 is connected to network 192.168.10 /24 which has some computers connected to a switch. R1 wants to advertise this network to R2.

Once we use the network command to advertise 192.168.10.0 /24 in OSPF, R1 will also send OSPF hello packets towards the switch. This is a bad idea, first of all because there are no routers on this network but it’s also a security risk. If someone on the computer starts an application that replies with OSPF hello packets then R1 will try to become neighbors. An attacker could advertise fake routes using this technique.

To prevent this from happening, we can use the passive-interface command. This command tells OSPF not to send hello packets on certain interfaces. Let’s see how it works…

Configuration

Here’s the OSPF configuration of R1 and R2:

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0

With the above configuration, R2 will learn network 192.168.10.0 /24:

R2#show ip route ospf 
O    192.168.10.0/24 [110/20] via 192.168.12.1, 00:03:21, FastEthernet0/0

This is great but a side-effect of this configuration is that R1 will send hello packets on its FastEthernet 0/1 interface. We can see this with a debug:

R1#debug ip ospf hello 
OSPF hello events debugging is on

OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.10.254

OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1

Above you can see that hello packets are sent in both directions.

EIGRP Sending Hello Packets

Let’s fix this. We will configure OSPF to stop the hello packets towards the switch:

R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1

You only have to use the passive-interface command under the OSPF process. You can verify our work with the following command:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 739 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
Give Membership a try - it's just $1 ►

542 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Hi Rene!
    You mention that passive-interface command is preventing an interface from sending hello packets.
    I’d like to know technically does it prevent interface from RECEIVING hello packets as well?
    Also, I read in an official Cisco literature that it is recommended ISP facing interfaces to be passive for security.
    However I don’t understand, if this is the case how is my router going to receive routing to external destinations using OSPF if it doesn’t become neighbor
    with the next hop.
    Thank you in advance!

  2. Hi Ivaylo,

    It won’t prevent us from receiving the hello packets but I believe it does stop processing them. Here’s a little experiment I did with two routers, directly connected to each other:

    R1#debug ip ospf hello 
OSPF hello debugging is on

    Now we can see we are sending and receiving hello packets:

    R1#
OSPF-1 HELLO Gi0/1: Send hello to 224.0.0.5 area 0 from 192.168.12.1
OSPF-1 HELLO Gi0/1: Rcv hello from 2.2.2.2 area 0 192.168.12.2

    Let’s make the interface passive:

    R1(config)#router ospf 1
R1(config-router)#passive-interface GigabitEthernet 0/1

    At this mo

    ... Continue reading in our forum

  3. Hi Ahmad,

    OSPF and EIGRP have one thing in common, they both establish a neighbor adjacency before they advertise any routing information. RIP doesn’t establish a neighbor adjacency, it just advertises routing updates.

    When you use the passive interface command for RIP then it stops advertising RIP routing updates on that interface. When you use it for OSPF or EIGRP, they won’t send any hello packets anymore so that it becomes impossible to establish a neighbor adjacency on the passive interface.

    Rene

  4. Hello Monir

    When you indicate that an interface is passive, it means that any and all OSPF related messages are never sent out that interface. The connected network does participate in the OSPF process, that is, the connected subnet is advertised to other OSPF routers, but no hellos, LSAs or any other OSPF related packets are sent out that interface.

    The passive interface is configured on interfaces where you KNOW there is no OSPF router connected to it to receive any kind of OSPF information.

    I hope this has been helpful!

    Laz

  5. Hello Sumu

    When a router is enabled with OSPF, it sends hello packets outside ALL of its network interfaces by default regardless of which subnets are participating in OSPF, regardless of which subnets are included in the network command.

    The statement

    “All interfaces that have a network that falls within the range of the network command will be advertised in OSPF”

    means that the advertisements that are sent will include information about these networks. This means that by default, hello packets will be sent on all interfaces including Fa0/0 and Fa0/1 and wi

    ... Continue reading in our forum

15 more replies! Ask a question or join the discussion by visiting our Community Forum