OSPF Passive Interface

When you use the network command in OSPF, two things will happen:

  • All interfaces that have a network that falls within the range of the network command will be advertised in OSPF.
  • OSPF hello packets are sent on these interfaces.

Sometimes it’s undesirable to send OSPF hello packets on certain interfaces. Take a look at the image below:

OSPF Passive Interface Lab Topology

R1 and R2 are configured for OSPF. R1 is connected to network 192.168.10 /24 which has some computers connected to a switch. R1 wants to advertise this network to R2.

Once we use the network command to advertise 192.168.10.0 /24 in OSPF, R1 will also send OSPF hello packets towards the switch. This is a bad idea, first of all because there are no routers on this network but it’s also a security risk. If someone on the computer starts an application that replies with OSPF hello packets then R1 will try to become neighbors. An attacker could advertise fake routes using this technique.

To prevent this from happening, we can use the passive-interface command. This command tells OSPF not to send hello packets on certain interfaces. Let’s see how it works…

Configuration

Here’s the OSPF configuration of R1 and R2:

R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0

With the above configuration, R2 will learn network 192.168.10.0 /24:

R2#show ip route ospf 
O    192.168.10.0/24 [110/20] via 192.168.12.1, 00:03:21, FastEthernet0/0

This is great but a side-effect of this configuration is that R1 will send hello packets on its FastEthernet 0/1 interface. We can see this with a debug:

R1#debug ip ospf hello 
OSPF hello events debugging is on

OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.10.254

OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1

Above you can see that hello packets are sent in both directions.

EIGRP Sending Hello Packets

Let’s fix this. We will configure OSPF to stop the hello packets towards the switch:

R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1

You only have to use the passive-interface command under the OSPF process. You can verify our work with the following command:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

506 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. Hi Regina,

    The configuration on the Cisco switch is pretty straightforward. The interface connected to the router has to be a trunk:

    interface fa0/24
    description LINK_TO_ROUTER
    switchport mode trunk
    

    And the interfaces that connect to the host are regular access ports:

    interface fa0/1

    description HOST_IN_VLAN_10
    switchport mode access
    switchport access vlan 10
    

    You don’t need to use VLAN SVIs…a layer 2 switch uses the SVI only for management purposes. A layer 3 switch uses a SVI per VLAN which hosts can use as default gateway (in that case you don’t need a

    ... Continue reading in our forum

  2. Hi Rene/Moderators,

    What happens if I do not configure the sub interfaces?
    Would only intervlan routing be affected?
    What if they are on the same vlan?

  3. Hello Ian

    If you don’t configure subinterfaces on the router, then no tagged traffic will enter the interface. The switch is set up to send frames to the router using dot1q encapsulation. This is where the VLAN number of each specific frame is added to the header as a tag. When the router receives these frames, it will drop them because they include a tag. By adding subinterfaces and the appropriate dot1q encapsulation, you are allowing the router to be able to receive tagged frames and to allow them to egress on the appropriate subinterface.

    If communicati

    ... Continue reading in our forum

  4. Hi if any rate limit configuration needs to be done on the interface we should do in interface level or sub interface level

  5. Question. I see you created sub-interfaces on the routers 0/0 interface. I understand that. But what if you did not use sub-interfaces. What if instead you assigned Router Fa0/0 to ip address 192.168.10.1 and you assigned Router interface fa0/1 to ip address 192.168.20.1. So two connected routes (2 separate IP addresses) on the router connected to the same single switch (switch is divided into VLAN 10 and VLAN 20). Would that work?

30 more replies! Ask a question or join the discussion by visiting our Community Forum