The passive-interface command is available in all routing protocols and lets us stop sending updates out of a specific interface. The behaviour varies from one protocol to another. In EIGRP, a passive interface stops sending outgoing hello packets, so the router cannot form any neighbour adjacencies via that interface. This stops both outgoing and incoming routing updates.
The passive-interface command can be used to stop neighbour adjacencies from forming. It is entered in router configuration mode. We enable a passive interface to suppress unnecessary update traffic, for example when an interface is a LAN interface with no other routers connected. It also strengthens security controls, such as stopping unknown rogue routing devices from receiving EIGRP updates. Figure 1 illustrates R1, R2, and R3, where no neighbour routers are attached to the GigabitEthernet 0/2 interfaces of R1, R2, and R3. The command syntax is the following:
Router(config-router)# passive-interface <interface-type interface-number>
The passive-interface command prevents the exchange of routes on these interfaces, but EIGRP still includes these interfaces and their addresses in routing updates. The passive interface configuration for the above topology is as follows:
R1(config)#router eigrp 1
R1(config-router)# passive-interface gigabitEthernet 0/2
R2(config)#router eigrp 1
R2(config-router)# passive-interface gigabitEthernet 0/2
R3(config)#router eigrp 1
R3(config-router)# passive-interface gigabitEthernet 0/2
We can configure all interfaces as passive using the passive-interface default command. To remove the passive setting from an interface, we use the no passive-interface interface-type interface-number command in router configuration mode.
The passive interface increases security by preventing the hello packet from
An example of using the passive interface to increase security controls is when a network connects to a third-party organization where the network administrator has no control, such as when connecting to an ISP network. In this case, the local network is required to advertise the interface link through the local network. If the ISP sends or receives a routing update to the local network devices, this is a security risk. Anyone can compromise the local network through the ISP. So in this case we can set the interface connected to the ISP as a passive interface.
Verifying the Passive Interface
We can verify which interfaces on a router are configured as passive using the “show ip protocols” command in privileged EXEC mode. Figure 2 illustrates the output of this command on router R1. Notice that the GigabitEthernet 0/2 interface of R1 is a passive interface, but the address for this interface, 192.168.0.0, is still included in the routing update.
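The verification step above can be scripted so that a missing passive setting is caught during a configuration audit. The following Python is an added example, not part of the original article: the sample output is constructed (only R1, GigabitEthernet 0/2, eigrp 1 and 192.168.0.0 come from the page), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on IOS "show ip protocols" output for R1.
# 172.16.0.0 and the gateway row are invented; 192.168.0.0 is from the page.
SAMPLE_R1 = '''\
Routing Protocol is "eigrp 1"
  Automatic Summarization: disabled
  Routing for Networks:
    172.16.0.0
    192.168.0.0
  Passive Interface(s):
    GigabitEthernet0/2
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.16.3.2            90      00:08:59
  Distance: internal 90 external 170
'''

def norm(name):
    """Make 'gigabitEthernet 0/2' and 'GigabitEthernet0/2' compare equal."""
    return re.sub(r"\s+", "", name).lower()

def sections(output):
    """Map each routing process to {section header: [indented entries]}."""
    procs, cur, header, depth = {}, None, None, 0
    for line in output.splitlines():
        text, indent = line.strip(), len(line) - len(line.lstrip())
        m = re.match(r'Routing Protocol is "([^"]+)"', text)
        if m:
            cur, header = procs.setdefault(m.group(1), {}), None
        elif cur is not None and text.endswith(":"):
            header, depth = text.rstrip(":"), indent
            cur[header] = []
        elif header and text and indent > depth:
            cur[header].append(text)
        elif text:
            header = None  # a line at or above the header's indent ends it
    return procs

def missing_passive(output, process, expected):
    """Interfaces that should be passive but are not reported as passive."""
    secs = sections(output).get(process, {})
    passive = {norm(i) for i in secs.get("Passive Interface(s)", [])}
    return sorted(i for i in expected if norm(i) not in passive)

def still_advertised(output, process, network):
    """True if the network is still listed under 'Routing for Networks'."""
    secs = sections(output).get(process, {})
    return network in secs.get("Routing for Networks", [])
```

An empty list from missing_passive means every expected interface is reported as passive; still_advertised confirms that the passive interface's network remains in the advertised set, matching the behaviour noted for Figure 2.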