Using Passive Interfaces

A common way of controlling routing information is to make an interface passive. A passive interface is a silenced interface: an interface on which you deliberately suppress the advertising of routing updates. You might want to do this in certain situations. For example, for security reasons you might have to block routing updates sent to a particular department or company because the updates reveal the topology of your network. In another case, when redistributing from one routing protocol to another, passive interfaces localize updates for efficiency and stability (see "Managing Redistribution," later in this chapter). Also, in dial-on-demand routing setups, passive interfaces prevent routing updates from triggering dial-up lines that are billed per minute—this controls operational costs.

A simple use of a passive interface is for silencing chatty protocols such as RIP on networks that do not require routing updates. Figure 3-1 illustrates such a scenario.

Figure 3-1 Using a Passive Interface to Block Routing Information

(Figure: shows the interface labeled Passive and the subnets 172.16.10.0/24, 172.16.11.0/24, 172.16.12.0/24, 172.16.13.0/24, and 172.16.14.0/24.)

As depicted in Figure 3-1, Router A is using RIP to learn and advertise the subnets in major net 172.16.0.0. However, Router A is the only RIP device on the Ethernet LAN 172.16.1.0 (assume the clients are not RIP-enabled). Therefore, it is unnecessary and wasteful for Router A to send RIP updates out its Ethernet0 interface—no other routers are on the LAN, and none of the clients care to receive any RIP information. By configuring Ethernet0 as passive, you can prevent all RIP advertisements from being sent out the interface to the clients. The IOS command that does this is passive-interface, a router configuration mode command. The following is Router A's RIP configuration with the enhancement:

router rip
 network 172.16.0.0
 passive-interface Ethernet0

Router A is still running RIP—it just isn't sending any RIP packets out Ethernet0. In fact, Router A still listens to RIP on the passive interface and would not block any RIP updates arriving on it. To prevent the router from listening to RIP, you must use route filters (see the following section, "Filtering Routing Updates").

To verify that the passive-interface command is working, you can look at the debugging messages for the routing protocol. Here's the output of debug ip rip for the scenario in Figure 3-1:

RTA#debug ip rip
RIP protocol debugging is on
RIP: sending v1 update to 255.255.255.255 via Serial0 (172.16.100.1)
     subnet 172.16.1.0, metric 1
     subnet 172.16.2.0, metric 2
     subnet 172.16.101.0, metric 1
RIP: sending v1 update to 255.255.255.255 via Serial1 (172.16.101.1)
     subnet 172.16.1.0, metric 1
     subnet 172.16.10.0, metric 3
     subnet 172.16.11.0, metric 3
     subnet 172.16.12.0, metric 4
     subnet 172.16.13.0, metric 4
     subnet 172.16.14.0, metric 4
     subnet 172.16.100.0, metric 1

The preceding output is one of Router A's periodic waves of RIP updates. It confirms that Router A is sending updates from Serial0 and Serial1, but not from Ethernet0, which is noticeably absent from the debug output.
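The eyeball check above can be made repeatable. The following Python script is an added example, not from the book: it reads the passive interfaces declared under router rip from a configuration, collects which interfaces appear as senders in debug ip rip output, and reports any passive interface that is still sending. The configuration and debug text are constructed samples in the same format as the listings above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Router A's RIP configuration (not captured from a live device)
RTA_CONFIG = """\
router rip
 network 172.16.0.0
 passive-interface Ethernet0
"""

# Constructed sample of 'debug ip rip' output, same format as the book's listing
RTA_DEBUG = """\
RIP: sending v1 update to 255.255.255.255 via Serial0 (172.16.100.1)
     subnet 172.16.1.0, metric 1
     subnet 172.16.2.0, metric 2
RIP: sending v1 update to 255.255.255.255 via Serial1 (172.16.101.1)
     subnet 172.16.1.0, metric 1
     subnet 172.16.100.0, metric 1
"""

SEND_RE = re.compile(r"^RIP: sending v\d update to \S+ via (\S+) \(")
SUBNET_RE = re.compile(r"^\s*subnet (\S+), metric (\d+)")


def passive_interfaces(config: str) -> set:
    """Collect interfaces declared passive under 'router rip'."""
    passive, in_rip = set(), False
    for line in config.splitlines():
        if line.startswith("router "):
            in_rip = line.strip() == "router rip"
        elif in_rip and line.strip().startswith("passive-interface "):
            passive.add(line.split()[1])
    return passive


def sent_updates(debug: str) -> Dict[str, List[Tuple[str, int]]]:
    """Map each interface that sent a RIP update to the (subnet, metric) pairs it advertised."""
    updates, current = {}, None
    for line in debug.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = m.group(1)
            updates.setdefault(current, [])
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            updates[current].append((m.group(1), int(m.group(2))))
    return updates


def leaking_interfaces(config: str, debug: str) -> set:
    """Passive interfaces that nevertheless appear as senders in the debug output."""
    return passive_interfaces(config) & set(sent_updates(debug))
```

This only checks the sending side; as noted above, the router still listens on a passive interface, so inbound updates are not covered by this check.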
