When you use the RIP network command, two things will happen:
- All interfaces that have a network that falls within the range of your network command will be advertised in RIP.
- RIP updates will be sent on these interfaces.
Sometimes, however, you might want to advertise a network in RIP but you don’t want to send updates everywhere. Take a look at the topology below for an example:
Above we have two routers, R1 and R2. On the left side, there’s the 192.168.10.0 /24 network with a switch and some computers. R1 wants to advertise this network to R2 but since there are no other RIP routers in the 192.168.10.0 /24 network, it’s pointless to send RIP updates on the FastEthernet 0/1 interface.
To prevent this from happening, we will use the passive-interface command. This will ensure that the network is advertised in RIP but it will not send RIP updates on the interface.
Let me show you how to configure this.
Here’s the RIP configuration of R1 and R2:
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.12.0
R1(config-router)#network 192.168.10.0

R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.12.0
As a result, R2 will learn network 192.168.10.0 /24:
R2#show ip route rip
R    192.168.10.0/24 [120/1] via 192.168.12.1, 00:00:07, FastEthernet0/0
The problem, however, is that R1 is also sending RIP updates to our computers. You can verify this by enabling a debug:
R1#debug ip rip
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
      192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 (192.168.10.254)
RIP: build update entries
      192.168.12.0/24 via 0.0.0.0, metric 1, tag 0
Above you can see that the RIP updates are going in both directions.
Let’s use the passive-interface command to stop R1 from sending RIP updates towards the switch:
R1(config)#router rip
R1(config-router)#passive-interface FastEthernet 0/1
That’s all you have to do. You can find all passive interfaces with the following command:
R1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "application"
  Sending updates every 0 seconds
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Maximum path: 32
  Routing for Networks:
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 4)

Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 20 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    192.168.10.0
    192.168.12.0
  Passive Interface(s):
    FastEthernet0/1
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)
If you left the debug enabled, you will see that updates are now only sent on FastEthernet0/0:
R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
      192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
The network is still advertised, which we can confirm by checking R2:
R2#show ip route rip
R    192.168.10.0/24 [120/1] via 192.168.12.1, 00:00:14, FastEthernet0/0
Problem solved. The network is still advertised but we don’t send any RIP updates anymore towards our computers. You should use this command on all interfaces where you don’t have any RIP routers but you do want to advertise this network to other RIP routers.
If you have many interfaces that should be passive, you can also use the passive-interface default command. This disables the sending of RIP updates on all interfaces; if you do want to send RIP updates on some interfaces, use the no passive-interface command for those interfaces.
Want to take a look for yourself? Here you will find the final configuration of each device.
hostname R1
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
!
router rip
 passive-interface FastEthernet0/1
 network 192.168.10.0
 network 192.168.12.0
 no auto-summary
!
control-plane
!
end

hostname R2
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router rip
 network 192.168.12.0
 no auto-summary
!
end
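One way to check a saved configuration for interfaces that fall under a RIP network statement but are not passive, including the passive-interface default form. This is an added example, not part of the original lesson: the function names `classful` and `rip_interfaces` are hypothetical, the sample input is constructed from R1's configuration, and the parser assumes IOS-style one-space indentation of sub-commands.

```python
import ipaddress

# Constructed sample based on R1's final configuration in this lesson.
R1_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
!
router rip
 passive-interface FastEthernet0/1
 network 192.168.10.0
 network 192.168.12.0
 no auto-summary
"""

def classful(net):
    """RIP 'network' statements are classful: expand to /8, /16 or /24."""
    first = int(net.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net}/{plen}", strict=False)

def rip_interfaces(config):
    """Map each RIP-enabled interface to 'passive' (no updates sent) or 'active'."""
    addrs, nets, passive, active, default = {}, [], set(), set(), False
    section = ""
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):
            section = line.strip()  # new top-level block, or a "!" separator
        elif section.startswith("interface ") and words[:2] == ["ip", "address"] and len(words) == 4:
            addrs["".join(section.split()[1:])] = ipaddress.ip_address(words[2])
        elif section == "router rip" and words:
            if words[0] == "network":
                nets.append(classful(words[1]))
            elif words == ["passive-interface", "default"]:
                default = True
            elif words[0] == "passive-interface":
                passive.add("".join(words[1:]))
            elif words[:2] == ["no", "passive-interface"]:
                active.add("".join(words[2:]))
    # With "passive-interface default", only "no passive-interface" interfaces send updates.
    return {name: "passive" if (default and name not in active) or name in passive else "active"
            for name, ip in addrs.items() if any(ip in net for net in nets)}

if __name__ == "__main__":
    for name, state in rip_interfaces(R1_CONFIG).items():
        print(f"{name}: RIP enabled, {state}")
```

Any interface reported as active that faces only end hosts is a candidate for passive-interface.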
You have now learned how you can use the RIP passive interface command to prevent RIP updates from being sent on particular interfaces.
Do passive interfaces receive RIP updates? For example, if we make interface Fa0/0 of R1 passive, will it receive RIP updates from R2? If yes, what do you mean by saying that if we install a virtual router on the LAN side, R1 will not receive RIP updates from the virtual router on the passive interface of R1 connected to the LAN?
If you make it a passive interface then yes, the interface can still receive RIP updates. I removed the sentence about the virtual router because this doesn’t really apply to RIP.
What I mean with a virtual router in this lesson is that someone could use something like GNS3 on their computer to run a virtual Cisco IOS router, configure RIP and send updates towards R1. This is a security risk.
Passive interface for RIP however doesn’t protect against this since RIP will still happily accept updates, even if the interface is passive (it only doesn’t...
Hello Rene. Does passive-interface default mean that the interfaces don’t send RIP advertisements on router-connected interfaces too, or only on all interfaces with no router connected?
If you use the passive-interface default command, it will make ALL interfaces on a router passive, whether connected to another router or not. Once this is enabled, you can then specify which specific interfaces will not be passive using the
I hope this has been helpful!