Passive-interface

Hi
Thanks Ankur for your previous link. I need to control route propagation to the access layer switches using a distribute-list, and allow only the default route to be advertised to the access layer (I'll configure the access switch as an EIGRP stub). Please check this config:
access-switch
router eigrp 1
eigrp stub connected
Dist-node
Dist-node EIGRP configuration:
interface Port-channel1
description to Core
ip address 10.1.0.1 255.255.255.252
ip hello-interval eigrp 1 1
ip hold-time eigrp 1 3
ip summary-address eigrp 10 10.2.0.0 255.255.0.0
interface GigabitEthernet1/1
description To Access (L3)
ip address 10.1.0.9 255.255.255.252
ip hello-interval eigrp 1 1
ip hold-time eigrp 1 3
router eigrp 1
passive-interface default
no passive-interface Port-channel1
no passive-interface GigabitEthernet1/1
network 10.0.0.0
distribute-list Default out GigabitEthernet1/1
no auto-summary
ip Access-list standard Default
permit 0.0.0.0
Do I need an inverse mask when I advertise the 10.0.0.0? With this config, do I prevent the access switch from acting as a transit node? Why should I only permit the default route?
Thanks for your reply
ali

Hi,
Do I need an inverse mask when I advertise the 10.0.0.0?
The answer depends on details of how you configure EIGRP. You have configured it like this:
router eigrp 1
network 10.0.0.0
then EIGRP will look for every interface on the router which is in 10.0.0.0 and include that interface into EIGRP processing.
If you want to configure it like this
router eigrp 1
network 10.0.0.0 0.0.0.3
then EIGRP will look for the interface that matches the address and mask and will find at most one interface that matches and that interface will be included into EIGRP processing.
HTH, Please rate if it does.
-amit singh

Similar Messages

  • Passive interface command on RIP

    Hi all,
    This command below
    passive-interface command gives additional information to RIP, that it can't send updates via this particular interface ---
    My understanding is this: if we have 2 routers that are directly connected with each other and we enable this command on the interface of one of the routers, then that router will not send any RIP updates to the other router, right?
    Secondly, if these 2 routers are on a point-to-point connection, we can ping the directly connected interface IPs of the routers because they are directly connected, even though there is no routing protocol running between these two, right?
    Third thing: when I run sh ip protocols on one of the routers it shows
    Routing Protocol is "rip"
      Sending updates every 30 seconds, next due in 1 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
      Redistributing: rip
      Default version control: send version 2, receive version 2
        Interface             Send  Recv  Triggered RIP  Key-chain
        FastEthernet0/0       2     2
      Automatic network summarization is in effect
      Maximum path: 4
      Routing for Networks:
        192.168.4.0
      Routing Information Sources:
        Gateway         Distance      Last Update
        192.168.4.2          120      00:23:38 ****************************************************
    Here the last update time keeps on incrementing, but sh ip route does not show now that RIP is running.
    So this line means
    Invalid after 180 seconds, hold down 180, flushed after 240
    that after 240 secs the router will flush the RIP routes from the routing table, right?
    But sh ip protocol will always show RIP as the routing protocol, as we have configured RIP, and the last update time will keep on incrementing, right?
    thanks
    mahesh

    Hi Mahesh,
    From the config guide:
    To control the set of interfaces with which you  want to exchange routing updates, you can disable the sending of routing  updates on specified interfaces by configuring the
    passive-interface
    here is the link:
    http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1crip.html
    Correct, you do not need a routing protocol. The interfaces are directly connected. Now, if for example you add a loopback address to each router, you need a routing protocol or static route to reach the opposite router's loopback address.
    The reason the interfaces/IPs do not show up in the RIP routing table is because they are directly connected and directly connected routes have a lower admin distance (1) which is preferred over rip which is 120.
    yes
    HTH

  • IOS-XR: EIGRP passive-interface default?

    It appears there's no ability to make all interfaces passive by default in XR as there is in IOS.
    Is there a reason for this or is it just that it has not been included yet?
    Workaround is to configure all unnecessary interfaces as passive but I prefer to have all passive and then only enabled where needed.
    TIA,

    Hi Gary,
    I filed request CSCug38048 for this. It may take a day or so for it to show up in the bug toolkit, but then you have something for tracking. I don't have a definitive release for this either, but I am trying to see if we can do this short(er) term.
    As for the other question on the use of passive sparingly. I don't necessarily agree with that statement. Passive is very useful to include prefixes in the advertisement, but to prevent forming adj. Loopbacks are to be made passive, because it is a waste of CPU cycles trying to generate a hello on that stub interface and then drop it in software. Passive is the proper solution. Same thing with access facing interfaces that don't need adj to the CE's, but have to be included in the routing.
    The alternative of using redistribute connected is indeed an option, but the disadvantage for that is that it creates EXTERNAL routes, in both OSPF and EIGRP, with different metric calculations.
    The magnitude of "many" in this regard is dependent on the number of times you don't mind configuring "passive-interface" under the eigrp enabled interface configuration. For me personally that would be about 20
    What I mean to say is, it is not dependent on a scaling limitation or anything other than operator/user.
    cheers!
    xander

  • Passive-interface default on eigrp

    When using the passive-interface default on a router, to advertise networks you have to use the no passive-interface Vlan20, for example, what happens to the following network statements, are they ignored? For example, I have the following config:
    router eigrp 1
    passive-interface default
    no passive-interface vlan 1
    no passive-interface vlan 2
    no passive-interface vlan 3
    no passive-interface vlan 4
    network 10.0.0.0
    network 172.0.0.0
    no auto-summary
    Will I still advertise the networks defined over the vlan interfaces?
    Just curious.

    Hi Mason,
    There is some historical reasoning here. Until IOS release 12.0(4)T, you could not specify a wildcard mask when configuring the 'network' statement for EIGRP. In fact, the 'network' statement would only accept classful (i.e. major) networks at that time. So the ability to add a wildcard mask has been a relatively recent invention.
    However, there is absolutely no problem with using a '0.0.0.0' wildcard in order to limit the network statement to a single IP address. From a convenience perspective, though, people tend to use a wildcard mask that reflects the actual subnet mask used on the interface. Either way is perfectly acceptable.
    Now, if you are using a protocol such as OSPF, the wildcard mask becomes a bit more significant. The following link describes why that is so:
    http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009405a.shtml
    Hope that helps - pls do rate the post if it does.
    Paresh

  • Passive-interface default resets configuration

    Hello all,
    I would like to run a scenario by you guys and get your input regarding the "passive-interface default" OSPF command. Let's assume I am working on an existing configured OSPF router with the following configuration:
    router ospf 1
    router-id 10.10.10.1
    passive-interface default
    no passive-interface GigabitEthernet6/1
    no passive-interface GigabitEthernet6/2
    network 10.10.10.0
    If I go and paste the duplicate configuration in as follows what would the expected result be?
    router ospf 1
    router-id 10.10.10.1
    passive-interface default
    My thoughts were that there would be no impact to OSPF, routing, or the likes. Unfortunately this is not the case. I have found on my device that when you repaste the "passive-interface default" command in to the config that it actually resets all existing "no passive-interface" commands and enables passive-interface on all interfaces globally.
    Router#sh run | sec router ospf
    router ospf 1
    router-id 10.10.10.1
    passive-interface default
    no passive-interface GigabitEthernet6/1
    no passive-interface GigabitEthernet6/2
    network 10.10.10.0
    Router#config t
    Router(config)#router ospf 1
    Router(config-router)# passive-interface default
    Router(config-router)#end
    Router#sh run | sec router ospf
    router ospf 1
    router-id 10.10.10.1
    passive-interface default
    network 10.10.10.0
    This is especially bad if you are performing maintenance on the router out of network where your connectivity requires a default route to be learned via OSPF. Has anyone else encountered this or do they feel this behavior to be a bit odd?

    Documentation says:
    "The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces."
    I'm not sure why it doesn't honor the existing no passive-interface commands but maybe it was something in the code that was necessary to put them all passive first.
    At least it's good that you tested the behavior so you know what to expect. If you already have passive-interface why would you want to enter it again? If you want to make interfaces passive that were non passive before you could do no no-passive interface x/x.
    Daniel Dib
    CCIE #37149
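
A pre-change check for the behaviour reported in this thread, as an added example that is not part of the original posts: it compares a snippet about to be pasted against the running config and lists the `no passive-interface` exceptions that re-entering `passive-interface default` would clear. It assumes the reset behaviour is as the poster observed; the function names are hypothetical and the sample text is constructed from the config in the question.

```python
import re

def router_sections(config):
    """Split IOS-style text into {'router ospf 1': [sub-commands, ...]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"router \S+ \S+", line):
            current = sections.setdefault(line, [])
        elif not line or line.startswith(("interface ", "!")):
            current = None          # left the routing process
        elif current is not None:
            current.append(line)
    return sections

def dropped_exceptions(running, paste):
    """Per routing process, interfaces that would silently become passive.

    Assumption (from the thread): entering 'passive-interface default'
    again removes every existing 'no passive-interface <if>' line, so only
    exceptions re-stated after it in the paste survive.
    """
    have = router_sections(running)
    lost = {}
    for proc, cmds in router_sections(paste).items():
        if "passive-interface default" not in cmds:
            continue
        # Position of the last 'passive-interface default' in the paste.
        at = len(cmds) - 1 - cmds[::-1].index("passive-interface default")
        restated = {c.split()[-1] for c in cmds[at + 1:]
                    if c.startswith("no passive-interface ")}
        existing = [c.split()[-1] for c in have.get(proc, [])
                    if c.startswith("no passive-interface ")]
        missing = [i for i in existing if i not in restated]
        if missing:
            lost[proc] = missing
    return lost

# Constructed sample, modelled on the configuration quoted in the question.
RUNNING = """router ospf 1
 router-id 10.10.10.1
 passive-interface default
 no passive-interface GigabitEthernet6/1
 no passive-interface GigabitEthernet6/2
"""
PASTE_RISKY = """router ospf 1
 router-id 10.10.10.1
 passive-interface default
"""
PASTE_SAFE = PASTE_RISKY + (" no passive-interface GigabitEthernet6/1\n"
                            " no passive-interface GigabitEthernet6/2\n")

if __name__ == "__main__":
    print("risky paste drops:", dropped_exceptions(RUNNING, PASTE_RISKY))
    print("safe paste drops: ", dropped_exceptions(RUNNING, PASTE_SAFE))
```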

  • "mpls traffic eng passive-interface" mapping on XR

    Dears,
    On IOS, for TE Inter-AS, the command "mpls traffic-eng passive-interface" is used on an Inter-AS link which isn't running an IGP, so I am looking for the equivalent command on XR but I can't find it. Please advise what the equivalent command on XR is.
    Thanks

    Hello Amr,
    There is no equivalent command on IOS-XR. Are you trying to set up Inter-AS MPLS TE on XR? In IOS-XR, inter-AS tunnels are supported only by using verbatim path-options. Verbatim path-options are supported on both IOS and IOS-XR.
    HTH,
    Rivalino

  • Pix/Asa OSPF passive interface

    Hi.
    I am going to have an OSPF process for two internal interfaces. But I also have one external interface where I do not want any OSPF traffic going out. I have not so far found any OSPF PASSIVE INTERFACE type of commands on PIX/ASA. Is there anyone out there who knows if there is a command like that, or how one can stop OSPF packets from going out? I presume that an outgoing access-list will not stop this traffic.
    Regards Bjorn

    Hi,
    Don't define the external interface as participating in the OSPF process.
    That is, you have to define the two interfaces participating in the OSPF process:
    view: "Enabling OSPF". Here is the link: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ip.html#wp1041629.
    I hope this helps.
    Best regards.
    Massimiliano.

  • EIGRP network vs. no passive-interface

    What is the difference between configuring EIGRP with the "network" command, then specifying the IP addresses of the interfaces you want to use OR using the no passive-interface command.
    The examples below might make more sense:
    gi0/0.1 has an IP of 192.168.1.1
    gi0/0.2 has an IP of 192.168.2.1
    s1/0 has an IP of 192.168.3.1
    s1/0 has an IP of 192.168.4.1
    router eigrp 100
    passive-interface default
    no passive-interface GigabitEthernet0/0.1
    no passive-interface GigabitEthernet0/0.2
    no passive-interface Serial1/0
    no passive-interface Serial1/1
    network 192.168.0.0
    no auto-summary
    router eigrp 100
    network 192.168.1.1
    network 192.168.2.1
    network 192.168.3.1
    network 192.168.4.1
    no auto-summary
    Don't both of these configurations accomplish the same thing? If so, is there any advantage to using one over the other?
    Thanks,
    Nate

    Actually, on a technicality, they do not do the same thing. And it is one of the subtleties of the behavior of EIGRP that may be important to understand when preparing for the CCIE or when administering an EIGRP network.
    The important aspect to recognize here is the classful network boundaries. The first example had network 192.168.0.0. This happens to be a class C network. And EIGRP would be looking for interfaces that are in that particular network. And it would not process the interfaces on 192.168.1.0 or 192.168.2.0 etc. Even though EIGRP works very well in a classless addressing environment, its roots are in a classful background. And one manifestation of that is the default behavior to treat the network statement as looking for classful boundaries. So in fact if you configure EIGRP with network 192.168.1.1 and then do a show run what you will see is 192.168.1.0 because EIGRP is processing classful network boundaries.
    If the example had used a class B like 172.16.1.1 and 172.16.2.1 etc then the two approaches would have produced the same results.
    There are two more aspects of this I would like to comment on. One is the background of the passive default. This ties back to the essentially classful nature of the processing that EIGRP does on the network statement. If you were bringing up a router that would eventually have many interfaces that would be subnets of the same classful network and you put in network 172.16.0.0 then EIGRP would attempt to process every interface with an address in the subnets of that network. But you might not want them to be advertised when they were configured, you might want to wait till there was actually something deployed there, or perhaps you might not want EIGRP to process a particular interface at all (perhaps that interface connected to something external to your network). Cisco introduced the passive default to accommodate this situation. With passive default EIGRP does not process the interface till you specifically activate it.
    Another interesting aspect is that Cisco then introduced the ability within EIGRP to use a netmask on the network statement which allows you to specifically identify the particular interface you want to process. This addresses the classful default behavior and makes EIGRP truly more of a classless routing protocol.
    So let's take the example that started this discussion and change it a little bit. Suppose there was a router with interfaces 172.16.1.1, 172.16.2.1, 172.16.3.1, and 172.16.4.1. And suppose that you wanted (for whatever reason) to include 1, 2, and 4 but not 3. How could you do it?
    The more traditional solution would be to use passive default and leave the 3 as passive. Or the more recent solution would be to use network statements with netmask to include only the specific interfaces that you wanted.
    HTH
    Rick
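
The interface selection described in this answer, as an added example that is not part of the original thread: a small Python audit that reads an IOS-style config and reports which interfaces can form EIGRP adjacencies, which are passive, and which no `network` statement covers. Only the addresses come from the posts; the interface names, function names and sample configs are constructed assumptions.

```python
import ipaddress
import re

def classful(addr):
    """Classful (A/B/C) network that a mask-less 'network' statement covers."""
    first = int(addr.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def matches(ip, net, wildcard):
    """True if interface address ip falls under 'network net [wildcard]'."""
    if wildcard is None:
        return ipaddress.ip_address(ip) in classful(net)
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # bits that must match
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(net)) & care)

def audit(config):
    """Map each addressed interface to 'adjacency', 'passive' or 'not in EIGRP'."""
    addrs, nets, active, passive = {}, [], set(), set()
    passive_default, iface, in_router = False, None, False
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            iface, in_router = m.group(1), False
        elif re.fullmatch(r"router eigrp \d+", line):
            iface, in_router = None, True
        elif iface and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            addrs[iface] = m.group(1)
        elif in_router and line == "passive-interface default":
            passive_default = True
        elif in_router and (m := re.fullmatch(r"no passive-interface (\S+)", line)):
            active.add(m.group(1))
        elif in_router and (m := re.fullmatch(r"passive-interface (\S+)", line)):
            passive.add(m.group(1))
        elif in_router and (m := re.fullmatch(r"network (\S+)(?: (\S+))?", line)):
            nets.append((m.group(1), m.group(2)))
    report = {}
    for name, ip in addrs.items():
        if not any(matches(ip, n, w) for n, w in nets):
            report[name] = "not in EIGRP"   # no hellos, subnet not advertised
        elif name in passive or (passive_default and name not in active):
            report[name] = "passive"        # subnet advertised, no adjacency
        else:
            report[name] = "adjacency"      # hellos sent, neighbors can form
    return report

def sample(base, eigrp_lines):
    """Constructed config: interfaces base.1.1 .. base.4.1 (/24) plus EIGRP 100."""
    text = "".join(f"interface GigabitEthernet0/{n}\n ip address {base}.{n}.1 255.255.255.0\n"
                   for n in range(1, 5))
    return text + "router eigrp 100\n" + "".join(f" {l}\n" for l in eigrp_lines)

# Include 1, 2 and 4 but not 3, the "traditional" way (passive default).
PASSIVE_DEFAULT = sample("172.16", ["passive-interface default",
                                    "no passive-interface GigabitEthernet0/1",
                                    "no passive-interface GigabitEthernet0/2",
                                    "no passive-interface GigabitEthernet0/4",
                                    "network 172.16.0.0", "no auto-summary"])
# Same goal with per-interface network statements and a wildcard mask.
WILDCARD = sample("172.16", ["network 172.16.1.1 0.0.0.0",
                             "network 172.16.2.1 0.0.0.0",
                             "network 172.16.4.1 0.0.0.0", "no auto-summary"])
# The class C case from the question: 192.168.0.0 covers only 192.168.0.x.
CLASS_C = sample("192.168", ["network 192.168.0.0", "no auto-summary"])

if __name__ == "__main__":
    for label, cfg in [("passive default", PASSIVE_DEFAULT),
                       ("wildcard", WILDCARD), ("class C", CLASS_C)]:
        print(label, audit(cfg))
```

The two 172.16 variants differ for the third interface: under passive default its subnet is still part of EIGRP and advertised, while with per-interface network statements it is outside the process entirely.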

  • Passive interface on a SVI, does that work or not?

    Hello all,
    At my office, I am trying to clean some of the routing table and fix some routing issues. We run eigrp for internal network. In one of the routers, eigrp neighbor relationship is through SVIs only. I'm actively trying to use "passive interface default" for all the L3 devices, and doing "no passive... " for the interfaces that are currently forming neighbor relationship. So, does that work the same for SVIs? Do I just do "no passive interface default int vlan XX" for all the SVI that are forming the neighbor relationship? will that work the same as for a physical interface? or do I need to track the physical ports that are actively using that vlan? I have looked around and haven't found a definitive answer. I would really appreciate some help.
    Thank you in advance.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    I know it works for OSPF, I would assume it would for EIGRP too, but cannot say for sure.

  • Passive interface vlan 50

    Hi
    I need to know in detail what this command means: "passive interface vlan 50". A description or a useful link is very much appreciated.
    Thanks
    ali

    Hi Ali,
    "passive-interface" router configuration command is applied to stop sending routing updates on an interface.
    It behaves different for different routing protocol like for EIGRP the passive-interface command disables the transmission and receipt of EIGRP hello packets on an interface so the neighborship will not form on that interface which is configured as passive interface.
    In OSPF, hello packets are not sent on an interface that is specified as passive. Hence, the router will not be able to discover any neighbors, and none of the OSPF neighbors will be able to see the router on that network.
    But for RIP and IGRP it does not send the routing updates out on that interface which is configured as passive but still that interface will be advertised out from other interfaces.
    Have a look at this link for more details
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a008008784e.html#wp11573
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfindep.htm#wp1019396
    Now depending upon the routing protocol you have configured interface vlan 50 will not advertise the routes out from the interface vlan 50 and if you have configured eigrp or ospf it will not form any neighborship with peer on interface vlan 50.
    HTH, if yes please rate the post.
    Ankur

  • VRF & OSPF passive interfaces

    Hello,
    if configuring OSPF for a VRF you cannot configure passive interfaces! The command does not even exist!
    This seems to be related to CSCeb86068.
    Does anyone have experiences with that issue??
    Any intelligent solution??
    Thanks
    Juerg

    1. For no neighbor in your VPN, you can try BGP as PE-CE routing protocol.
    router bgp 65000
    address-family ipv4 vrf school
    network x.x.x.x mask x.x.x.x
    no auto-summary
    no synchronization
    exit-address-family
    R1#v all 172.16.1.0
    BGP routing table entry for 172:16:172.16.1.0/24, version 373
    Paths: (1 available, best #1, table school)
    Flag: 0x820
    Advertised to update-groups:
    1 2
    Local
    0.0.0.0 from 0.0.0.0 (172.16.0.1)
    Origin IGP, metric 0, localpref 100, weight 32768, valid, sourced, local, best
    Extended Community: RT:172:16
    2. If you still need to use OSPF and passive interface in your OSPF VRF, upgrade to 12.4.2 or above. :)

  • Question on passive serial sub interface EIGRP

    Hi Everyone,
    I know how passive interface default works in EIGRP.
    I need to confirm below say we have
    se0/0/0
    no ip address
    se0/0/0.10
    ip address 192.168.50.1 x.x.x.x
    Router eigrp 100
    passive interface default
    no passive interface se0/0/0
    I do not have device to test this so need to confirm if i also need command
    no passive interface se0/0/0.10 or not?
    Regards
    Mahesh

    Mahesh
    I do not have any device that would allow me to test this either. But I believe that you need to specify the subinterface and not just the physical interface.
    HTH
    Rick

  • EEM Script to set interface passive

    Hello All,
    I am running OSPF in my domain. I want to put an interface in the passive state after a flap or multiple flaps. For example, if I get a log that states:
    2012 Sep  1 00:08:47 %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/44 is down (Link failure)
    to be able to perform:
    enable
    conf t
    interface Ethernet1/44
    ip ospf passive-interface
    end wr
    FYI this concerns a Nexus 3K running NX-OS 5.0(3)U3(2).
    Thanks for your help.

    I haven't used EEM on the 3K yet.  However, I think it has similar support to the 7K, so this should work:
    event manager applet ethport override __ethpm_link_flap
       event policy-default count 2 time 1000
       action 1 cli conf t
       action 2 cli int $interface
       action 3 cli ip ospf passive-interface
       action 4 cli end
    You can't use syslog here since you can't parse the message to get the interface. While you could use Python or Tcl to do this, executing scripts out of EEM applets is not officially supported. So this applet should set an interface that flaps twice within 1000 seconds to be an OSPF passive interface.

  • OSPF with ipsec VTI interface goes down before dead timer.

    I have a strange issue that OSPF will initially start working, hellos are exchanged both ways but then after about 3 – 6 hellos one of the sides stops getting them and the ipsec VTI tunnel drops on router A even before the dead timer reaches 0. Is this default behavior, when OSPF is over a VTI interface, if it doesn’t receive hellos it drops the tunnel?
    I’m at a loss as to what is going on since it looks like only one neighbor stops receiving hellos, router A, for a brief period of time. This VTI tunnel is going over another provider’s FW and they have assured me the tunnel destination/source IPs are wide open; they also sent me the ACL and I can verify this. The weird thing is if I enable EIGRP it works great with no issues. On router B I am using the same source/ip unnumbered interface on multiple VTI tunnels to other destinations but this shouldn’t cause any issues I don’t think. I have never had an issue like this and from what I can tell router A just stops briefly getting hellos after 3 – 6 initial hellos and drops the protocol on the VTI interface. If I set the dead timer on router A long enough it will stop receiving hellos but stay up and then after a while you get “LOADING to FULL” as the hellos start coming in again. Again the tunnel goes over a Cisco 800 which I have no control over and a potential FW before that, but I saw the ACL and IP is being allowed. I was thinking this could be a trolling issue on the FW but it doesn’t explain why EIGRP works. FYI I was having a recursive routing issue before but I have since fixed that and the issue still continues.
    ******** It turns out that I was using the same source IP on multiple tunnels. IPsec would get confused with packets coming in and would deliver packets to the wrong tunnel interface. This was solved by using the key command with a different key number on each set of tunnels with the shared profile command
    "If more than one mGRE tunnel is configured on a router that use the same tunnel source address, the shared keyword must be added to the tunnel protection command on all such tunnel interfaces. Each mGRE tunnel interface still requires a unique tunnel key, NHRP network-ID, and IP subnet address. This is common on a branch router when a dual DMVPN cloud topology is deployed. "
    Router A:
    router ospf 1
    router-id 10.213.22.2
    passive-interface default
    network x.x.97.26 0.0.0.0 area 0
    interface Tunnel1
    ip unnumbered GigabitEthernet0/1
    ip virtual-reassembly in
    ip tcp adjust-mss 1398
    ip ospf network point-to-point
    load-interval 30
    tunnel source GigabitEthernet0/1
    tunnel mode ipsec ipv4
    tunnel destination x.x.173.109
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VTI-to-NB
    router B:
    router ospf 1
    router-id 172.17.2.6
    priority 1
    redistribute static subnets route-map Lan-static-RM
    passive-interface default
    no passive-interface Tunnel1
    no passive-interface Tunnel4
    no passive-interface Tunnel5
    network x.x.173.109 0.0.0.0 area 0
    network 172.17.2.6 0.0.0.0 area 0
    network 192.168.1.47 0.0.0.0 area 0
    interface Tunnel4
    ip unnumbered GigabitEthernet0/2
    ip virtual-reassembly in
    ip tcp adjust-mss 1398
    ip ospf network point-to-point
    load-interval 30
    tunnel source GigabitEthernet0/2
    tunnel mode ipsec ipv4
    tunnel destination x.x.97.26
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VTI_NB_to_dorrance_prv
    end
    thanks P

    I haven't studied your config, but I can tell you I have production environment using OSPF across VTI  (and GRE, and GRE/IPSec and DMVPN) tunnels without issue.  I.e. so OSPF can be okay with VTI tunnels.

  • How to Suppress Hello packets on an interface enabled for OSPF

    As I understand it, enabling an interface to join an area with the
    NETWORK command, also causes Hello packets to be sent out the
    interface. But if its a stub network, and you want it advertised, but
    there is no need for Hello packets to be sent out the interface, how do
    you suppress them?
    The passive-interface command seems to be discouraged in OSPF, since
    there is far more granular control over which interfaces are affected
    by the network command.
    The "redistribute connected subnets" could be used after entering the
    network command with a very restrictive mask that advertises only
    non-stub network interface(s). But that seems to open a whole new can
    of redistribute issues.
    This is simple to do, right?
    Cheers

    I don't know why passive interface would be discouraged in OSPF--I've seen it used a lot in the networks I've worked on. In fact, with the advent of the passive-interface default command, it's much easier to use passive interface in all the routing protocols.
    The general rule of thumb is, if you want the routes to be internals, then use passive interface. If you want them to be externals, then use redistribute connected. You can filter the routes you pull in through redistribute connected using a route map. You can control which interfaces are pulled in through passive using the network statement.
    Russ.W
