OSPF is a link-state routing protocol that forms and maintains neighbor relationships by exchanging routing updates with other OSPF routers. Before a neighbor relationship is formed, no routing information is exchanged; the only packets the routers exchange are Hello packets. Hello packets enable dynamic neighbor discovery and keep existing neighbor relationships alive. The passive-interface command is used to suppress OSPF Hello packets on a specified interface. It is also used in other routing protocols such as RIP and EIGRP.
Enabling a passive interface on our network devices means that:
- OSPF continues to announce or advertise the interface’s connected network.
- OSPF routers stop sending OSPF Hellos on the interface.
- On the interface, OSPF no longer processes any received Hellos.
Why Do We Use OSPF Passive Interface?
The passive interface should be configured on interfaces that do not have an OSPF router connected to them so that they won’t receive any OSPF information. By silencing routing announcements on network interfaces, we tell the router to “listen but don’t talk.” A protocol’s routing load on the CPU can be reduced by minimizing the number of interfaces with which it must interact. The ‘passive-interface’ command disables OSPF and EIGRP route processing for that interface. If you’re sure the routing protocol won’t need to communicate with anything on the specified interface, use this command.
Another reason to apply a passive interface is to increase security. An attacker could run an application that sends OSPF Hello packets, and our router would then try to establish a neighbor relationship with it. The attacker could then advertise fake routes to misdirect traffic.
OSPF Passive Interface Configuration
There are two ways to configure OSPF passive interface in our network devices.
1. If we only need to configure a passive interface on one or a few interfaces, we can configure them individually using the ‘passive-interface’ command:

```
Router#conf t
Router(config)#router ospf 1
Router(config-router)#passive-interface gi0/0/0
Router(config-router)#passive-interface gi0/0/1
```
2. If we need all interfaces to be passive while leaving one or a few interfaces non-passive, we can make passive the default configuration using the ‘passive-interface default’ command and then exempt the active interfaces with ‘no passive-interface’:

```
Router#conf t
Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface gi0/0/0
```
To verify our passive interface configuration, we can use the ‘show ip ospf interface’ command:

```
Router#sh ip ospf interface
GigabitEthernet0/0/0 is up, line protocol is up
  Internet address is 10.10.10.10/24, Area 0
  Process ID 1, Router ID 188.8.131.52, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    No Hellos (Passive interface)
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
```
Take note that this interface is no longer sending OSPF Hellos or processing any received Hellos in our OSPF domain.
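Checking this by eye on a router with many interfaces is error-prone, so here is an added example (not from the original article) that parses ‘show ip ospf interface’ output, reports interfaces that are still sending Hellos but are not on an allow-list of expected OSPF-facing interfaces, and produces the matching ‘passive-interface’ lines. The sample output is constructed: the passive GigabitEthernet0/0/0 block from the page plus a second, made-up non-passive interface.

```python
import re
from typing import Dict, List

# Constructed sample output: the passive interface from the page plus a
# second, constructed interface (Gi0/0/1) that is still sending Hellos.
SHOW_IP_OSPF_INTERFACE = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet address is 10.10.10.10/24, Area 0
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    No Hellos (Passive interface)
  Neighbor Count is 0, Adjacent neighbor count is 0
GigabitEthernet0/0/1 is up, line protocol is up
  Internet address is 192.0.2.1/24, Area 0
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:03
  Neighbor Count is 1, Adjacent neighbor count is 1
"""

# An interface block starts with an unindented "<name> is up, line protocol is up" line.
HEADER = re.compile(r"^(\S+) is \S+, line protocol is \S+")

def parse_ospf_interfaces(output: str) -> List[Dict]:
    """Return one record per interface block of 'show ip ospf interface'."""
    records: List[Dict] = []
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"name": m.group(1), "area": None,
                            "passive": False, "neighbors": 0})
            continue
        if not records:  # skip any text before the first interface block
            continue
        rec = records[-1]
        if "(Passive interface)" in line:  # 'No Hellos (Passive interface)'
            rec["passive"] = True
        if (area := re.search(r"\bArea (\S+)", line)):
            rec["area"] = area.group(1)
        if (nbr := re.search(r"Neighbor Count is (\d+)", line)):
            rec["neighbors"] = int(nbr.group(1))
    return records

def audit_passive(output: str, allowed_active: set) -> List[str]:
    """Names of interfaces still sending Hellos that are not on the allow-list."""
    return [r["name"] for r in parse_ospf_interfaces(output)
            if not r["passive"] and r["name"] not in allowed_active]

def remediation_config(findings: List[str], process_id: int = 1) -> List[str]:
    """Router-mode config lines that make each finding passive, as on the page."""
    return [f"router ospf {process_id}"] + [f"passive-interface {i}" for i in findings]
```

Run the audit against the saved output of each router; any interface it lists is sending Hellos toward a segment where no OSPF neighbor is expected and should be made passive.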