How to Configure EIGRP Passive-Interface
A passive interface is supported in all routing protocols; it lets us stop sending updates out of a specific interface. The behavior varies from one protocol to another. In EIGRP, a passive interface stops sending outgoing hello packets; therefore, the router cannot form any neighbor adjacencies via the passive interface. With no adjacency, both outgoing and incoming routing updates stop on that interface.
The passive-interface command, entered in router configuration mode, stops neighbor adjacencies from forming on an interface. We enable a passive interface to suppress unnecessary update traffic, for example, when an interface is a LAN interface with no other routers connected. It also strengthens security controls, such as stopping an unknown rogue routing device from receiving EIGRP updates. Figure 1 illustrates R1, R2, and R3, where no neighbor routers are attached to the GigabitEthernet 0/2 interface of R1, R2, or R3. The command syntax is the following:
Router(config-router)# passive-interface <interface-type interface-number>
![EIGRPPassiveInterface1 NetworkUstad](https://i0.wp.com/networkustad.com/wp-content/uploads/2024/05/EIGRP-Passive-Interface-1.png?resize=768%2C667&ssl=1)
Passive Interface
The passive-interface command prevents the exchange of routes on these interfaces, but EIGRP still includes these interfaces and their addresses in routing updates. The passive interface configuration for the above topology is as follows:
Router R1
R1(config)# router eigrp 1
R1(config-router)# passive-interface gigabitEthernet 0/2
Router R2
R2(config)# router eigrp 1
R2(config-router)# passive-interface gigabitEthernet 0/2
Router R3
R3(config)# router eigrp 1
R3(config-router)# passive-interface gigabitEthernet 0/2
Using the passive-interface default command, we can configure all interfaces as passive. To make an individual interface non-passive again, we can use the no passive-interface interface-type interface-number command in router configuration mode.
The passive interface increases security by preventing the hello packet from
An example of using the passive-interface to increase security controls is when a network connects to a third-party organization over which the network administrator has no control, such as when connecting to an ISP network. In this case, the local network is required to advertise the interface link through the local network. This is a security risk if the ISP sends routing updates to, or receives them from, the local network devices. Anyone can compromise the local network through an ISP. So, in this case, we can set the interface connected to the ISP as a passive interface.
Verifying the Passive Interface
We can verify which interfaces on a router are configured as passive using the "show ip protocols" command in privileged EXEC mode. Figure 2 illustrates the output of this command on router R1. Notice that the GigabitEthernet 0/2 interface of R1 is a passive interface, but the address for this interface, 192.168.0.0, is still included in the routing update.
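Alongside checking "show ip protocols" on each router, the passive state can be audited offline from a saved configuration. The following is an added example, not part of the original article: it resolves passive-interface, passive-interface default and no passive-interface for every interface and reports any interface that can still form adjacencies but is not on an allow-list. The sample configuration, the interface names other than GigabitEthernet0/2, and the allow-list are constructed assumptions; the check ignores network statements, so it may over-report interfaces EIGRP does not actually run on.

```python
import re

# Constructed sample: an R1-style running-config excerpt (addresses and the
# Gi0/0 and Gi0/1 uplinks are assumptions, not taken from the article).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.12.1 255.255.255.252
interface GigabitEthernet0/1
 ip address 10.0.13.1 255.255.255.252
interface GigabitEthernet0/2
 ip address 192.168.0.1 255.255.255.0
router eigrp 1
 network 10.0.0.0
 network 192.168.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
"""

def norm(name):
    """Fold 'gigabitEthernet 0/2' and 'GigabitEthernet0/2' to one key."""
    return re.sub(r"\s+", "", name).lower()

def eigrp_passive_state(config):
    """Return {interface: is_passive} for the EIGRP process in config."""
    interfaces, explicit, exempt = [], set(), set()
    default_passive = in_eigrp = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # a new top-level stanza begins
            in_eigrp = line.startswith("router eigrp ")
            if line.startswith("interface "):
                interfaces.append(norm(line[len("interface "):]))
        elif in_eigrp and (m := re.match(r"(no )?passive-interface (.+)", line)):
            if m.group(2) == "default":       # flips the process-wide default
                default_passive = m.group(1) is None
            elif m.group(1):                  # 'no passive-interface X'
                exempt.add(norm(m.group(2)))
            else:                             # 'passive-interface X'
                explicit.add(norm(m.group(2)))
    return {i: i in explicit or (default_passive and i not in exempt)
            for i in interfaces}

def unexpected_active(config, expected_neighbors):
    """Interfaces that can form adjacencies but are not on the allow-list."""
    allowed = {norm(n) for n in expected_neighbors}
    return sorted(i for i, passive in eigrp_passive_state(config).items()
                  if not passive and i not in allowed)
```

An empty result from unexpected_active means every interface that is not expected to have an EIGRP neighbor is passive.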