
How to configure OSPF Passive Interfaces

By default, OSPF messages are sent out of all OSPF-enabled interfaces. However, some interfaces do not need these messages. When you enable OSPF on an interface using the network command, two things occur:

  • All interfaces matched by a network command will be advertised in OSPF.
  • OSPF hello packets are sent on these interfaces periodically.

[Figure: OSPF Passive Interfaces]

Router1, Router2, Router3 and Router4 have been configured with OSPF. Router1 is connected to network 192.168.10.0/24, which has no OSPF neighbour. Router1 also needs to advertise this network to the other routers.

Once Router1 is configured with a network command to advertise 192.168.10.0/24 in OSPF, it will also send OSPF hello packets towards 192.168.10.0/24, where no OSPF-enabled router is present. This is not a good idea because of:

  • Inefficient Use of Bandwidth – The unwanted OSPF multicast messages consume network bandwidth.
  • Inefficient Use of Resources – The devices on the network also process each message and eventually discard it.
  • Increased Security Risk – Advertising updates on a broadcast network is also a security risk. If someone on a computer in that network starts an application that replies with OSPF hello packets, Router1 will try to become its neighbour. An attacker could use this technique to advertise fake routes that misdirect traffic.

Configuring OSPF Passive Interfaces

We can prevent this by configuring a passive interface, using the passive-interface command in router configuration mode.

This command tells OSPF not to send hello packets on the specified interfaces, while still allowing that network to be advertised to other routers. Figure 2 below illustrates the configuration of the passive interfaces.

[Figure: Configure OSPF Router ID 1]

OSPF passive interfaces accept routing updates but do not send them, as shown in Figure 3. Specifically, the passive-interface command stops routing messages from being sent out of the specified interface.

However, the network that the interface belongs to is still advertised in routing messages that are sent out of other interfaces. An OSPF passive interface cannot form a neighbour adjacency, because link-state packets cannot be sent or acknowledged over it.

The show ip protocols command verifies the passive-interface configuration, as shown in Figure 3. The FastEthernet 1/0 interface is now listed under the Passive Interface(s) section, but network 192.168.10.0 is still listed under Routing for Networks, which means that this network is still included as a route entry in OSPF updates.

[Figure: show ip protocols]

We can also make all interfaces passive using the “passive-interface default” command. We can cancel the passive setting on an interface using the no passive-interface command. The passive-interface command is the same for both IPv4 and IPv6.
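To check a saved configuration for the exposure described above, the following added example (not part of the original article) lists the interfaces that an OSPF network statement enables and that are not passive, applying the passive-interface default and no passive-interface rules. The running-config excerpt is constructed: FastEthernet1/0 and 192.168.10.0/24 come from the article, while FastEthernet0/0, its addressing, the process ID and the area are assumptions, and interface names are assumed to appear in full as they do in a running-config.

```python
import ipaddress
import re

# Constructed running-config excerpt for Router1 (no passive-interface yet); Fa0/0, process ID, area assumed.
SAMPLE = """\
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
!
interface FastEthernet1/0
 ip address 192.168.10.1 255.255.255.0
!
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
"""

def ospf_hello_interfaces(config):
    """Interfaces matched by an OSPF network statement and not passive, i.e. sending hellos."""
    addrs, nets, passive, active = {}, [], set(), set()
    default_passive, iface, in_ospf = False, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            m = re.match(r"interface (\S+)", line)
            iface, in_ospf = (m.group(1) if m else None), line.startswith("router ospf")
        elif iface and (m := re.match(r"ip address (\S+) \S+$", line)):
            addrs[iface] = int(ipaddress.IPv4Address(m.group(1)))
        elif in_ospf and (m := re.match(r"network (\S+) (\S+) area", line)):
            nets.append(tuple(int(ipaddress.IPv4Address(g)) for g in m.groups()))
        elif in_ospf and line == "passive-interface default":
            default_passive = True
        elif in_ospf and (m := re.match(r"(no )?passive-interface (\S+)", line)):
            (active if m.group(1) else passive).add(m.group(2))
    result = []
    for name, addr in addrs.items():
        # Wildcard mask: 0 bits must match the network statement, 1 bits are ignored.
        enabled = any(((addr ^ net) & ~wild & 0xFFFFFFFF) == 0 for net, wild in nets)
        is_passive = name in passive or (default_passive and name not in active)
        if enabled and not is_passive:
            result.append(name)
    return sorted(result)

def unexpected_hello_interfaces(config, neighbour_facing):
    """Hello-sending interfaces that the operator did not list as facing an OSPF neighbour."""
    return [i for i in ospf_hello_interfaces(config) if i not in neighbour_facing]

if __name__ == "__main__":
    print(unexpected_hello_interfaces(SAMPLE, {"FastEthernet0/0"}))
```

Any interface it returns that does not face a known OSPF router is a candidate for the passive-interface command.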


Asad Ijaz
