When you use the RIP network command, two things will happen:
- All interfaces that have a network that falls within the range of your network command will be advertised in RIP.
- RIP updates will be sent on these interfaces.
Sometimes, however, you might want to advertise a network in RIP but you don’t want to send updates everywhere. Take a look at the topology below for an example:
Above we have two routers, R1 and R2. On the left side, there’s the 192.168.10.0 /24 network with a switch and some computers. R1 wants to advertise this network to R2 but since there are no other RIP routers in the 192.168.10.0 /24 network, it’s pointless to send RIP updates on the FastEthernet 0/1 interface.
To prevent this from happening, we will use the passive-interface command. This will ensure that the network is advertised in RIP but it will not send RIP updates on the interface.
Let me show you how to configure this.
Configuration
Here’s the RIP configuration of R1 and R2:
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 192.168.12.0
R1(config-router)#network 192.168.10.0
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 192.168.12.0
As a result, R2 will learn network 192.168.10.0 /24:
R2#show ip route rip
R 192.168.10.0/24 [120/1] via 192.168.12.1, 00:00:07, FastEthernet0/0
The problem, however, is that R1 is also sending RIP updates to our computers. You can verify this by enabling a debug:
R1#debug ip rip
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 (192.168.10.254)
RIP: build update entries
192.168.12.0/24 via 0.0.0.0, metric 1, tag 0
Above you can see that the RIP updates are going in both directions.
Let’s use the passive-interface command to stop the RIP updates from being sent towards the switch:
R1(config)#router rip
R1(config-router)#passive-interface FastEthernet 0/1
That’s all you have to do. You can find all passive interfaces with the following command:
R1#show ip protocols
*** IP Routing is NSF aware ***
Routing Protocol is "application"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Maximum path: 32
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 4)
Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 20 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
192.168.10.0
192.168.12.0
Passive Interface(s):
FastEthernet0/1
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
If you left the debug enabled, you will see that updates are now only sent on FastEthernet0/0:
R1#
RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.12.1)
RIP: build update entries
192.168.10.0/24 via 0.0.0.0, metric 1, tag 0
The network is still advertised, which we can confirm by checking R2:
R2#show ip route rip
R 192.168.10.0/24 [120/1] via 192.168.12.1, 00:00:14, FastEthernet0/0
Problem solved. The network is still advertised but we don’t send any RIP updates anymore towards our computers. You should use this command on all interfaces where you don’t have any RIP routers but you do want to advertise this network to other RIP routers.
If you have many interfaces that should be passive, you can also use the passive-interface default command. This disables the sending of RIP updates on all interfaces; where you do want to send RIP updates, use the no passive-interface command for those interfaces.
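One way to check the effect of these commands offline, as an added example that is not part of the original lesson: the Python script below reads a saved configuration and lists the interfaces that still send RIP updates. The function names and sample configurations are constructed for illustration; it assumes sections are separated by "!" as in show running-config output and treats RIP network statements as classful.

```python
import ipaddress

def classful(net):  # classful network covered by a RIP 'network' statement
    first = int(net.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)

def rip_sending_interfaces(config):
    """Return the interfaces that are RIP-enabled and not passive."""
    addrs, nets, passive, active = {}, [], set(), set()
    default_passive, section, name = False, None, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            section = None                      # '!' closes the current section
        elif words[0] == "interface":
            section, name = "intf", "".join(words[1:])
        elif words == ["router", "rip"]:
            section = "rip"
        elif section == "intf" and words[:2] == ["ip", "address"]:
            addrs[name] = ipaddress.ip_address(words[2])
        elif section == "rip" and words[0] == "network":
            nets.append(classful(words[1]))
        elif section == "rip" and "passive-interface" in words[:2]:
            negated = words[0] == "no"
            target = "".join(words[2 if negated else 1:])
            if target == "default":
                default_passive = not negated
            else:
                (active if negated else passive).add(target)
    return [i for i, ip in addrs.items()
            if any(ip in n for n in nets)
            and not (i in passive or (default_passive and i not in active))]

# Constructed sample: R1's addressing from this lesson, before any passive-interface command.
R1_BASE = """interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
!
router rip
 network 192.168.10.0
 network 192.168.12.0
"""
R1_PASSIVE = R1_BASE + " passive-interface FastEthernet0/1\n"
R1_DEFAULT = R1_BASE + " passive-interface default\n no passive-interface FastEthernet0/0\n"
if __name__ == "__main__":
    print([rip_sending_interfaces(c) for c in (R1_BASE, R1_PASSIVE, R1_DEFAULT)])
```

Any interface in the result that does not face another RIP router is a candidate for passive-interface.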
Configurations
Want to take a look for yourself? Here you will find the final configuration of each device.
R1
hostname R1
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.10.254 255.255.255.0
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 192.168.10.0
 network 192.168.12.0
 no auto-summary
!
control-plane
!
end
R2
hostname R2
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router rip
 version 2
 network 192.168.12.0
 no auto-summary
!
end
Conclusion
You have now learned how you can use the RIP passive interface command to prevent RIP updates from being sent on particular interfaces.
Hello
Do passive interfaces receive RIP updates? For example, if we make interface Fa0/0 of R1 passive, will it receive RIP updates from R2? If yes, what do you mean by saying that if we install a virtual router on the LAN side, R1 will not receive RIP updates from the virtual router on the passive interface of R1 connected to the LAN?
Thank you
Hello Markos,
If you make it a passive interface then yes, the interface can still receive RIP updates. I removed the sentence about the virtual router because this doesn’t really apply to RIP.
What I mean with a virtual router in this lesson is that someone could use something like GNS3 on their computer to run a virtual Cisco IOS router, configure RIP and send updates towards R1. This is a security risk.
Passive interface for RIP however doesn’t protect against this since RIP will still happily accept updates, even if the interface is passive (it only doesn’t
Hello Rene. passive-interface default: does that mean the interface doesn't send RIP advertisements on router-connected interfaces too, or on all interfaces with no router connected?
Hello Emil
If you use the passive-interface default command, it will make ALL interfaces on a router passive, whether connected to another router or not. Once this is enabled, you can then specify which specific interfaces will not be passive using the no passive-interface command.
I hope this has been helpful!
Laz