passive-interface [intf]
Configures an OSPF interface as passive, preventing OSPF hello packets from being sent and received on that interface while still advertising its connected subnet.
Overview
The 'passive-interface' command in OSPF configuration mode is used to control the behavior of OSPF on a per-interface basis. When an interface is set as passive, OSPF does not send or receive Hello packets on that interface, which prevents the formation of neighbor adjacencies. However, the network prefix of that interface is still advertised in OSPF Link State Advertisements (LSAs) as a stub network. This command is essential for optimizing OSPF operation in networks where certain interfaces do not require neighbor relationships, such as loopback interfaces, interfaces connected to stub networks, or interfaces where only the subnet needs to be advertised. On the Cisco ASA Firewall, OSPF configuration follows similar principles to Cisco IOS, but with platform-specific considerations such as the use of security contexts and interface naming. The command is typically used in troubleshooting workflows to isolate OSPF issues by selectively disabling neighbor discovery on problematic interfaces. It also helps reduce unnecessary protocol overhead on broadcast multi-access networks where only a subset of routers should form adjacencies.
passive-interface [default | interface-type interface-number]
When to Use This Command
- Prevent OSPF adjacency formation on a loopback interface that should only be advertised.
- Secure a DMZ interface where no OSPF neighbors exist, reducing unnecessary protocol traffic.
- Simplify OSPF configuration on a stub network where only one router is present.
- Control OSPF neighbor relationships on a multi-access interface to avoid unwanted adjacencies.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| default | default | Sets all interfaces to passive by default. Use 'no passive-interface' on specific interfaces to enable OSPF adjacencies. |
| interface-type interface-number | interface-type interface-number | Specifies the interface to be made passive. For example, 'gigabitethernet 0/1' or 'management 0/0'. |
Command Examples
Make a single interface passive
ciscoasa(config-router)# passive-interface gigabitethernet 0/1
No output is returned upon successful configuration. The interface GigabitEthernet0/1 will no longer send or receive OSPF hello packets, but its subnet will still be advertised in OSPF updates.
Make all interfaces passive by default, then enable OSPF on one
ciscoasa(config-router)# passive-interface default
ciscoasa(config-router)# no passive-interface gigabitethernet 0/2
The first command sets all interfaces to passive. The second command overrides that for GigabitEthernet0/2, allowing OSPF adjacencies to form on that interface only.
Understanding the Output
The passive-interface command does not produce direct output. To verify its effect, use 'show running-config router ospf' to see the passive-interface statements. Alternatively, use 'show ip ospf interface [intf]' to check the interface state; a passive interface will show 'No Hellos' in the output. Healthy operation means the interface is listed as passive and no OSPF neighbors are expected. A problem would be if an interface that should be passive is forming adjacencies, which could be due to missing the passive-interface command or an incorrect no passive-interface override.
Configuration Scenarios
Making a Loopback Interface Passive
A loopback interface is used for router ID and should be advertised but not form adjacencies.
Topology
N/A
Steps
1. Enter OSPF configuration mode: router ospf 1
2. Apply passive-interface to the loopback: passive-interface loopback 0
! OSPF configuration
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface loopback 0
Verify: Use 'show ip ospf interface loopback 0' and look for 'No Hellos' in the output.
Watch out: If the loopback is not explicitly made passive, OSPF will attempt to form adjacencies on it, which is unnecessary and wastes resources.
Using passive-interface default on a Multi-Access Network
A DMZ network with multiple switches but only one ASA; no OSPF neighbors should form on DMZ interfaces.
Topology
ASA (G0/1) --- DMZ Switch --- Servers
ASA (G0/2) --- Internal Router (OSPF neighbor)
Steps
1. Enter OSPF configuration mode: router ospf 1
2. Set all interfaces passive: passive-interface default
3. Enable OSPF on the internal interface: no passive-interface gigabitethernet 0/2
! OSPF configuration
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface gigabitethernet 0/2
Verify: Check 'show ip ospf neighbor' to confirm adjacency only on G0/2. Use 'show ip ospf interface' to verify passive status on G0/1.
Watch out: Ensure that the internal interface is correctly identified; otherwise, OSPF adjacency may fail.
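The two scenarios above rely on the order of passive-interface statements: 'passive-interface default' makes everything passive and each later 'no passive-interface' re-enables one interface. The following Python audit is an added example (not code from this page or from Cisco) that replays those statements from saved 'show running-config router ospf' text and reports interfaces that a policy says must be passive but are not; the config text, the interface list and the function names are constructed for illustration.

```python
import re

# Constructed sample of 'show running-config router ospf' output after the
# multi-access scenario above (not captured from a real ASA).
SAMPLE_CONFIG = """\
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
 passive-interface default
 no passive-interface gigabitethernet 0/2
"""

# Interfaces covered by the OSPF process on this hypothetical ASA.
INTERFACES = ["gigabitethernet 0/1", "gigabitethernet 0/2", "loopback 0"]

def norm(name: str) -> str:
    """Map 'GigabitEthernet0/1' and 'gigabitethernet 0/1' to one key."""
    return re.sub(r"\s+", "", name).lower()

def effective_passive(config: str, interfaces):
    """Replay passive-interface lines in order and return the set of
    interfaces that end up passive. 'passive-interface default' flips every
    interface to passive; a later 'no passive-interface X' re-enables X."""
    passive = set()
    all_ifaces = {norm(i) for i in interfaces}
    for raw in config.splitlines():
        m = re.match(r"^(no\s+)?passive-interface\s+(.+)$", raw.strip())
        if not m:
            continue  # network, area and other statements are irrelevant here
        negated, target = bool(m.group(1)), m.group(2).strip()
        if target == "default":
            passive = set() if negated else set(all_ifaces)
        elif negated:
            passive.discard(norm(target))
        else:
            passive.add(norm(target))
    return passive

def audit(config: str, interfaces, must_be_passive):
    """Return interfaces that policy requires to be passive but that would
    still send hellos, i.e. where an unwanted adjacency could form."""
    passive = effective_passive(config, interfaces)
    return sorted(norm(i) for i in must_be_passive if norm(i) not in passive)

if __name__ == "__main__":
    print("passive:", sorted(effective_passive(SAMPLE_CONFIG, INTERFACES)))
    print("violations:", audit(SAMPLE_CONFIG, INTERFACES, ["gigabitethernet 0/1"]))
```

Feed it the saved output of 'show running-config router ospf' and the list of DMZ or loopback interfaces that must never form neighbors; an empty violation list matches the healthy state described under Understanding the Output.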
Troubleshooting with This Command
When troubleshooting OSPF neighbor issues on the Cisco ASA, the 'passive-interface' command is a common culprit. If a neighbor fails to form, verify whether the interface is accidentally set as passive. Use 'show running-config router ospf' to list all passive-interface statements. Additionally, 'show ip ospf interface [intf]' displays the interface state; look for 'No Hellos' indicating passive mode. If an interface is passive but should not be, remove the passive-interface command or add a 'no passive-interface' override. Conversely, if an interface is forming unwanted adjacencies, ensure it is set to passive. On the ASA, OSPF debug commands like 'debug ip ospf hello' can help confirm whether Hellos are being sent. Remember that passive-interface does not affect route advertisement; the subnet is still included in LSAs. If a route is missing, check network statements and area configuration. Also, on the ASA, OSPF supports multiple processes; ensure the correct process is configured. In multi-context mode, OSPF is configured per context. Finally, verify that the interface is not in a down state; OSPF will not operate on a down interface regardless of passive setting.
CCNA Exam Tips
Remember that passive-interface suppresses hello packets but still advertises the subnet; this is a common exam topic.
On the ASA, OSPF configuration is similar to IOS but always verify with 'show running-config router ospf'.
The 'passive-interface default' command is efficient for securing many interfaces; know how to selectively enable OSPF on specific ones.
Common Mistakes
Applying passive-interface to an interface where OSPF adjacency is needed, causing neighbor loss.
Forgetting that passive-interface does not stop route advertisement; the subnet is still included in LSAs.
Using 'passive-interface default' without then enabling OSPF on the desired interface, resulting in no adjacencies.
Platform Notes
On the Cisco ASA Firewall, OSPF configuration is largely similar to Cisco IOS, but there are key differences. The ASA uses interface naming like 'gigabitethernet 0/1' instead of 'GigabitEthernet0/1'. The 'passive-interface' command works identically. However, the ASA supports OSPFv2 only (IPv4) in most versions; OSPFv3 for IPv6 is not supported on many ASA models. Additionally, the ASA can run OSPF in multiple security contexts, each with its own routing table and OSPF process. In transparent firewall mode, OSPF is not supported. The equivalent command on other platforms: on IOS routers, the same command is used; on Nexus switches, the command is 'passive-interface [default | interface]' under 'router ospf'. On Juniper Junos, the equivalent is 'passive' under 'protocols ospf area interface'. On the ASA, there is no 'ip ospf passive-interface' interface-level command; all passive configuration is done at the OSPF process level. Version differences: ASA 8.4(2) and later support OSPF with the same syntax. Always verify with 'show version' and documentation.