As soon as a new interface is enabled within the EIGRP network, EIGRP attempts to form a neighbor adjacency with any neighboring routers to send and receive EIGRP updates.
At times it may be necessary, or advantageous, to include a directly connected network in the EIGRP routing update, but not allow any neighbor adjacencies to form on that interface. The passive-interface command can be used to prevent the neighbor adjacencies. There are two primary reasons for enabling the passive-interface command:
- To suppress unnecessary update traffic, such as when an interface is a LAN interface, with no other routers connected
- To increase security controls, such as preventing unknown rogue routing devices from receiving EIGRP updates
Figure 1 shows that R1, R2, and R3 do not have neighbors on their GigabitEthernet 0/0 interfaces.
The passive-interface router configuration mode command disables the transmission and receipt of EIGRP Hello packets on these interfaces.
Router(config)# router eigrp as-number
Router(config-router)# passive-interface interface-type interface-number
Figure 2 shows the passive-interface command configured to suppress Hello packets on the LANs for R1 and R3. R2 is configured using the Syntax Checker.
Without a neighbor adjacency, EIGRP cannot exchange routes with a neighbor. Therefore, the passive-interface command prevents the exchange of routes on the interface. Although EIGRP does not send or receive routing updates on an interface configured with the passive-interface command, it still includes the address of the interface in routing updates sent out of other non-passive interfaces.
Note: To configure all interfaces as passive, use the passive-interface default command. To remove the passive setting from an interface, use the no passive-interface interface-type interface-number command.
An example of using the passive interface to increase security controls is when a network must connect to a third-party organization over which the local administrator has no control, such as when connecting to an ISP network. In this case, the local network administrator would need to advertise the interface link through their own network, but would not want the third-party organization to send routing updates to, or receive them from, the local routing device, as this is a security risk.
Verifying the Passive Interface
To verify whether any interface on a router is configured as passive, use the show ip protocols privileged EXEC mode command, as shown in Figure 3. Notice that although R3’s GigabitEthernet 0/0 interface is a passive interface, EIGRP still includes the interface’s network address of 192.168.1.0 in its routing updates.
Use the Syntax Checker in Figure 4 to configure R2 to suppress EIGRP Hello packets on its GigabitEthernet 0/0 interface.
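The verification step and the third-party link scenario above can also be checked offline against a saved configuration. The following Python script is an added example, not part of the original course material: it works out which interfaces are passive, including the passive-interface default and no passive-interface override logic, and lists any interface that can still form an adjacency but is not on an approved list. The sample configuration, AS number 1, the Serial interface names and the function names are assumptions, and the script treats every interface as EIGRP-enabled rather than matching network statements.

```python
import re

# Constructed sample running-config (not from the page). AS number 1 and the
# Serial interface names and addresses are assumptions for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Serial0/0/1
 ip address 10.0.0.5 255.255.255.252
!
router eigrp 1
 passive-interface default
 no passive-interface Serial0/0/0
 network 10.0.0.0
 network 192.168.1.0
!
"""

def _norm(name):
    # "GigabitEthernet 0/0" and "GigabitEthernet0/0" name the same interface.
    return re.sub(r"\s+", "", name)

def eigrp_passive_state(config):
    """Map each interface stanza to True (passive) or False (can form adjacencies)."""
    names = [_norm(n) for n in re.findall(r"^interface (.+)$", config, re.M)]
    section = re.search(r"^router eigrp \S+\n((?: .*\n)*)", config, re.M)
    if not section:
        return {}  # no EIGRP process configured, nothing to audit
    lines = [l.strip() for l in section.group(1).splitlines()]
    # With "passive-interface default", every interface starts out passive.
    state = dict.fromkeys(names, "passive-interface default" in lines)
    for line in lines:
        m = re.fullmatch(r"(no )?passive-interface (.+)", line)
        if m and _norm(m.group(2)) in state:
            state[_norm(m.group(2))] = m.group(1) is None
    return state

def unexpected_adjacency_interfaces(config, allowed):
    """Non-passive interfaces that are not on the approved adjacency list."""
    allowed = {_norm(a) for a in allowed}
    state = eigrp_passive_state(config)
    return sorted(i for i, passive in state.items() if not passive and i not in allowed)

if __name__ == "__main__":
    print(unexpected_adjacency_interfaces(SAMPLE_CONFIG, {"Serial0/0/0"}))
```

An empty result means every interface that can still exchange Hello packets is one the administrator approved; any name returned is a link where an unknown router could become a neighbor.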