passive-interface command RIP and loopback interfaces

Hey peoples,

just a quick question, we have a cisco router which is running RIPv2. This router has two loopback interfaces which we don't need to be participating in RIP routing but in the routing table they are being shown.

can i just use the passive-interface loopback 0 to supress RIP from these interfaces?

p.s i think they are being advertised through RIP because of the redistribute connected command.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

r_durant

I could possibly say yes here. I say possibly, because I've tried it with physical interfaces, but not loopback interfaces, and it did stop the interfaces from participating in RIP...

rakem

so here is the config:

Building configuration...

Current configuration : 3669 bytes
!
version 12.4

interface Loopback0
description Used for telnet access
ip address 203.xxx.xxx.xx6 255.255.255.255
!
interface Loopback1
description outbound Internet access IP
ip address 203.xxx.xxx.xx7 255.255.255.255
!

router rip
version 2
timers basic 10 30 30 30
redistribute connected
passive-interface Loopback0
passive-interface Loopback1
network 10.0.0.0
distribute-list 2 out FastEthernet0/0
distribute-list 1 in
no auto-summary
!

end

NSW-CP#sh ip route
: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.250.247.137 to network 0.0.0.0

R 210.xxx.xxx.0 [120/1] via 10.250.247.137, 00:00:03, Serial0/0/0.1
203.xxx.xxx.0/32 is subnetted, 2 subnets
C 203.xxx.xxx.xx7 is directly connected, Loopback1
C 203.xxx.xxx.xx6 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 36 subnets, 4 masks
R 10.20.20.0/30 [120/1] via 10.250.247.137, 00:00:03, Serial0/0/0.1
R 10.198.197.2/32 [120/1] via 10.250.247.137, 00:00:03, Serial0/0/0.1
R 10.224.8.242/32 [120/1] via 10.250.247.137, 00:00:05, Serial0/0/0.1

R 10.198.69.5/32 [120/1] via 10.250.247.137, 00:00:05, Serial0/0/0.1

So the 203.xxx.xxx.xx7 and 203.xxx.xxx.xx6 are the two loopback addresses that i dont want ro be advertised through RIP. so according to my routing table now with the passive-interface commands enabled on the two loopbacks they are not participating in RIP since they have a C not R in the routing table....

is this correct?

edit: actually i found this on the cisco site "Use of the command ‘passive interface fa 0/0’ under ‘route rip’ ensures that broadcasts are not sent out but the network is still included in the RIP database. Note that it still listens on a passive interface, which may be a security issue if somebody is trying to poison your routing table"

I dont really want these loopback interfaces in the rip database at all... maybe a distribute list command would be better in this case..
can anyone help?

r_durant

Yes, that looks correct...

You can also look on the neighbor router(s) to verify that it has not learnt the addresses....

rakem

hmm i have checked a neighbor router and it has learned of the loopback interfaces... i have cleared the routing tables so that it gets re-populated but it still shows the loopback interfaces in the routing table..

dtlokee

Because RIP uses the network address in the "network" command you cannot prevent it from including the subnet (your loopbacks) in the updates using the passive-interface command. What you need is a distribute-list

Somthing like:

access-list 10 deny 203.xxx.xxx.xx6
access-list 10 deny 203.xxx.xxx.xx7
access-list 10 permit any

router rip
distribute-list 10 out

r_durant

dtlokee...does this only occur with RIP (and possibly IGRP), since they are classful?

So what is the use of the passive-interface command under RIP? If it doesn't prevent the updates?

rakem

So by using a distribute-list would that remove the loopback addresses from neighboring routing tables?

maniac_73

I think the passive-interface is just set so that your WAN link doesn't advertise your routing table to the outside world.

dtlokee

r_durant wrote:

dtlokee...does this only occur with RIP (and possibly IGRP), since they are classful?

So what is the use of the passive-interface command under RIP? If it doesn't prevent the updates?

Passive interface will stop RIP from sending updates on an interface, but it will still advertise the interface via RIP and receive updates on the interface (aka silent host). The problem is that you have no way of excluding an interface from participating in RIP (or IGRP) if it's part of the same classful network as other interfaces you want to include in RIP. For example:

192.168.1.0/26

(E0) R1 (E1)

192.168.1.64/26

Now the problem: I want to advertise the 192.168.1.0/26 subnet but not the 192.168.1.64/26 subnet. The network command for rip will only accept a classful network 192.168.1.0 which would include both interfaces.

Netstudent

Not trying to take away from the RIP concept here, but just know that the passive-interface command will have different rules depending on the routing protocol. For example RIP will listen on a passive-interface, it just will not send out. HOwever with EIGRP, a passive-interface will niether listen nor send by default. it still includes the address of the interface in routing updates sent out of other non-passive interfaces

I can't remember where I read that but I'm pretty sure I read it somewhere.

rakem

well i have this sorted out now anyway... just blocked the updates using an access-list and the distribute-list command.

passive-interface did not do anything in this case.

dtlokee

Netstudent wrote:

Not trying to take away from the RIP concept here, but just know that the passive-interface command will have different rules depending on the routing protocol. For example RIP will listen on a passive-interface, it just will not send out. HOwever with EIGRP, a passive-interface will niether listen nor send by default. it still includes the address of the interface in routing updates sent out of other non-passive interfaces

I can't remember where I read that but I'm pretty sure I read it somewhere.

EIGRP and OSPF require a neighbor adjacency before they will send/receive updates, so if you use the passive interface command the router will not send hello's and therefore will not form an adjacency and no routing information will be passed

For RIP passive interface implements a "passive host" which is defined in the RFC for RIP. A host that will receive routes but not send them. The intention of this design was to allow hosts to receive the routing tables from the routers. This would be desirable in cases where there are hosts attached to a segment that has 2 or more routers connected to it. To acheive optimal routing between the host and 2 or more routers you would need to share the routing table, or the packets may be subject to redirection from one router to another.

r_durant

Thanks dtlokee...that was a learning curve. I knew or had an idea what passive-interface does, but I wasn't aware of the differences between the classful and classless routing protocols, and I know I've used it before and it worked, maybe it was with EIGRP