
How do passive interfaces work and when would you use them?

Dragon0x40 asked:
Why would you use a passive interface?

Do passive interfaces work the same in all protocols, i.e. RIP, OSPF, EIGRP, BGP, IS-IS?

In EIGRP I read that passive interfaces don't send any hellos, acks, etc.; basically the interface doesn't participate in EIGRP at all. But the network attached to the passive interface is still advertised by other active EIGRP interfaces. Is that the same in all other routing protocols?

It is very similar to not having a network statement for the network attached to the passive interface except that the network does get advertised by other active interfaces on that router.

I know one use is when you are connected to another network that you don't want to advertise routes to.

Commented:
A passive interface in essence is a security feature.  You send a new passive PTP or distribution routing to desired nodes, and any other nodes within the same network do not get the update tables.  Only the desired nodes get the updates...

except for EIGRP, which also suppresses incoming update tables, so if a change is made to a connecting point it would have to be manually updated on all desired nodes.

Author commented:
thanks elpw,

All passive interfaces are the same except in EIGRP it is different?

Okay, security feature as a use. Any other uses?

Could you explain the passive PTP, distribution and update tables a little more?
Don Johnston (Instructor, Top Expert 2015) commented:
Making an interface "passive" simply means that no routing protocol traffic will be sent out that interface.

It's not always a security feature. In some routing protocols, there are times when there's no way to enable the protocol on one interface but not others. The passive-interface command lets you effectively disable the protocol on the interfaces you don't want it running on.


Commented:

When you use the Network statement it enables the protocol to do two things.

1. The protocol will add the Interface Network/Mask to its RIB for advertisement

2.
a. If it's a link-state protocol, the IGP will send/receive hello packets out the interface, trying to form an adjacency with its neighbors in order to begin exchanging routing information.
b. Ultimately, both vector and link-state protocols will then send and receive routing information out these interfaces.

Now if we make the interface of a link-state protocol passive, it stops the protocol sending or receiving any routing updates, because no adjacency can be formed; hence we cannot learn or advertise. The local interface network/subnet is still advertised.

For a distance vector protocol, if we make an interface passive it stops the protocol from advertising routing updates, but the protocol still learns routing updates sent to the interface (remember, no adjacency is required for vector protocols to exchange routing information). The local interface network/subnet is still advertised.

So the behavior is sometimes different across protocols.

A classic Vector protocol is RIP and Link-state is OSPF.
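The behavior nazsky describes, shown as an added Cisco IOS configuration example (not from the thread); the interface names and addresses are made up:

```cisco
! Added example, not from the thread: constructed interface names/addresses.
! R1 has a LAN on Gi0/0 (192.168.10.0/24) where no routing peer should exist,
! and a WAN link on Gi0/1 (10.0.0.0/30) toward a neighbour router.
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
!
! Link-state (OSPF): the network statements enable OSPF on both interfaces.
! Making Gi0/0 passive suppresses hellos there, so no adjacency can form on
! the LAN, but 192.168.10.0/24 is still advertised to the neighbour on Gi0/1.
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.3 area 0
 passive-interface GigabitEthernet0/0
!
! Distance vector (RIP): same idea, but passive only stops RIP from sending
! updates out Gi0/0; updates that arrive on Gi0/0 are still processed.
router rip
 version 2
 network 192.168.10.0
 network 10.0.0.0
 passive-interface GigabitEthernet0/0
!
! "Default deny" form: make every interface passive, then reopen only the
! ones that should peer. Interfaces added later start out passive.
router eigrp 100
 network 192.168.10.0 0.0.0.255
 network 10.0.0.0 0.0.0.3
 passive-interface default
 no passive-interface GigabitEthernet0/1
!
! Verification: "show ip protocols" lists the passive interfaces per process,
! and "show ip ospf neighbor" / "show ip eigrp neighbors" should show a
! neighbour on Gi0/1 only.
```

Because RIP keeps listening on a passive interface, passive alone does not stop routes being learned from the LAN; an inbound distribute-list or RIP authentication on that interface is what closes that.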

Author commented:
thanks donjohnston and nazsky,

So EIGRP would behave similar to a link-state protocol in the way its passive interface works?

It is a key point that you bring up that the passive interface's network still gets advertised through other interfaces that have matching network statements and are not passive.

Commented:
Yes, EIGRP would behave similar to a link-state protocol in that a passive interface will not be able to receive updates, since no adjacencies will be formed on the interface.

Commented:
donjohnston:  You're right, it can be used where mismatched protocols are involved.  I've only used it to prevent routing of unwanted traffic on a particular segment, though.

Good info nazsky.  

Dragon0x40:  PTP should have been FTP in my first reply.  Passive FTP is where the client makes the connection to the server.  In an active connection the client sends an ack, then listens for a reply from the server.  After the initial ack a second command is sent that opens a port on the server, but instead of being under server control the client also controls that link.  It's a way of circumventing firewall port filtering.

Author commented:
>>>Now if we make the interface of an Link-state protocol passive it stops the protocol sending or recieving any routing updates - because no adjacency can be formed, hence we cannot learn or advertise. The local interface network/subnet is advertised.

EIGRP, IS-IS, OSPF and BGP passive-interfaces work as stated above?

>>>For a distance vector protocol, if we make an interface passsive it stops the protocol from advertising routing updates but the protocol still learns routing updates sent to the interface - remember no adjacency is required for vector protocols to exchange routing information. The local interface network/subnet is advertised.

RIPv1 and v2 and IGRP passive interfaces work as stated above?
Don Johnston (Instructor, Top Expert 2015) commented:
>EIGRP, IS-IS, OSPF and BGP passive-interfaces work as stated above?

Correct.

>RIPv1 and v2 and IGRP passive interfaces work as stated above?

Correct.