For that matter, why advertise routes on any "leaf" network that only has 
end nodes? In the IP world, most end nodes (workstations) don't care about 
routing updates. (It could be argued that it would be better if they did so 
you wouldn't need kludges like HSRP, but in fact, most workstation 
operating systems don't understand routing updates.)

Priscilla

At 03:06 PM 1/2/02, Chuck Larrieu wrote:
>I should also mention that in the ISP environment, this is particularly
>useful and particularly necessary. According to my reading, ISPs will
>habitually place all interfaces to the customer side as passive (for the
>ISP IGP) and will then specifically activate interfaces where route and
>routing protocol advertising should occur.
>
>All of the examples surrounding the passive-interface default command
>(available in IOS 12.0 and higher) that I have seen on CCO specifically
>reference ISP requirements.
>
>Essentially, why advertise internal routes and updates out every dial up and
>DSL connection? Why do your average Joe customers require this? So save
>their bandwidth for the things they really want - transferring megabytes of
>pictures via e-mail ;->
>
>Chuck
>
>
>"Chuck Larrieu" wrote in message news:[EMAIL PROTECTED]...
> > All part of traffic control. Why waste bandwidth for updates that are not
> > required.
> >
> > example:
> >
> > OSPF domain----router------IGRP domain
> >
> > the OSPF domain does not require direct knowledge of the IGRP domain, so why
> > send IGRP updates out the interface into the OSPF domain? or vice versa.
> >
> > also, as a matter of basic security design, suppose you have:
> >
> > bunch of users--------ethernet_interface-----router------routing_domain
> >
> > one might consider preventing routing advertisements into the user ethernet
> > domain as a precaution against users who may be running routing protocols on
> > their workstations and creating havoc as a result.
> >
> > I worked on a VPN/RLAN project for a major technology company a few months
> > back. The company had several thousand users on this network, most of whom
> > were engineers. The company had ongoing problems with these engineers
> > testing equipment and services and creating situations where the engineering
> > work caused major problems on their production network. So they opted for
> > static routing to the end user, and suppression of all routing
> > advertisements out any of the VPN tunnels and RLAN connections.
> >
> > Make sense?
> >
> > Chuck
> >
> >
> > "CCIEn2002" wrote in message news:[EMAIL PROTECTED]...
> > > Thank you for the info. Now I am a little confused still on
> > > the passive interface. If it prevents routing updates
> > > from being sent out, why would one want a
> > > passive interface. From my understanding, a
> > > passive interface would not advertise its routing
> > > updates to its neighbor. If that is the case, I am perplexed
> > > on why I can ping a passive interface that is being advertised
> > > thru a routing protocol. In my case, my neighbor router
> > > is seeing an IGRP update for the Ethernet network.
> > >
> > > Why would you make the Ethernet passive if you can still
> > > ping it and see its routing update from a neighboring router
> > > via the show ip route ?
> > > This is where I get confused by the definition of passive.
> > >
> > > Any help..I am a rookie as you can see
> > >
> > > David
> > >
> > >
> > > ----- Original Message -----
> > > From: "cheekin"
> > > To: ;
> > > Sent: Wednesday, January 02, 2002 4:43 AM
> > > Subject: Re: Passive Interface Help [7:30648]
> > >
> > >
> > > > Hi,
> > > >
> > > > When you make the ethernet interface passive, it means no igrp updates
> > > > will be sent out on the ethernet interface.  It doesn't stop the serial
> > > > interface from advertising network 12.0.0.0.  Which explains why you
> > > > can still ping to the ethernet interface.  If for some reason you do not
> > > > want network 12.0.0.0 to be advertised, remove the network 12.0.0.0
> > > > statement or use distribute-list to filter out the route.
> > > >
> > > > Regards,
> > > > cheekin
> > > >
> > > > ----- Original Message -----
> > > > From:
> > > > To:
> > > > Sent: Wednesday, January 02, 2002 15:03
> > > > Subject: Passive Interface Help [7:30648]
> > > >
> > > >
> > > > > Happy New Year!!
> > > > >
> > > > > I need a little help on what a passive
> > > > > interface is. From what I can gather, a passive
> > > > > interface does not advertise its route to its
> > > > > neighbor ? Now if that is the case, why can
> > > > > I still ping an interface that is set to passive.
> > > > > Please note: This is excluding directly connected
> > > > > routes.
> > > > >
> > > > > For example, I set my Cisco 2509 ethernet interface
> > > > > to passive. Why can I still ping the ethernet address
> > > > > from my neighboring router Cisco 4000 ? I am
> > > > > > running IGRP. Why does the ethernet network show up in its routing
> > > > > > table for my Cisco 4000. From poking around with the passive
> > > > > > interface command it seems that I can not ping my ethernet address
> > > > > > only if I set the Serial interfaces to passive also.
> > > > > > This seems odd. I thought if I made an ethernet interface passive, I
> > > > > > should not be able to ping it from a neighboring router or any other
> > > > > > router since it is not being advertised.
> > > > >
> > > > > Below is a sample of me being able to ping serial 1 off
> > > > > my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
> > > > > directly connected. Serial 1 is being advertised.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Current configuration:
> > > > > !
> > > > > version 12.0
> > > > > service timestamps debug uptime
> > > > > service timestamps log uptime
> > > > > no service password-encryption
> > > > > !
> > > > > hostname Cisco2509
> > > > > !
> > > > > enable password router
> > > > > !
> > > > > ip subnet-zero
> > > > > ipx routing 0010.7be8.22f4
> > > > > !
> > > > > !
> > > > >  !
> > > > >  !
> > > > >  !
> > > > >  interface Ethernet0
> > > > >  ip address 12.11.12.1 255.255.255.240
> > > > >  no ip directed-broadcast
> > > > >  delay 1000
> > > > > !
> > > > > interface Serial0
> > > > >  ip address 172.16.18.1 255.255.255.240
> > > > >  no ip directed-broadcast
> > > > >  no ip mroute-cache
> > > > >  ipx network 3
> > > > >  no fair-queue
> > > > >  clockrate 1000000
> > > > > !
> > > > > interface Serial1
> > > > >  ip address 172.17.18.2 255.255.255.240
> > > > >  no ip directed-broadcast
> > > > >  clockrate 4000000
> > > > > !
> > > > > router igrp 1
> > > > >  passive-interface Ethernet0
> > > > >  passive-interface Serial0
> > > > >  passive-interface Serial1
> > > > >  offset-list 2 out 11000 Serial0
> > > > >  network 12.0.0.0
> > > > >  network 172.16.0.0
> > > > >  network 172.17.0.0
> > > > > !
> > > > > ip classless
> > > > > !
> > > > > access-list 2 deny   12.11.12.1
> > > > > !
> > > > > !
> > > > > !
> > > > > !
> > > > > !
> > > > > line con 0
> > > > >  transport input none
> > > > > line 1 8
> > > > > line aux 0
> > > > > line vty 0 4
> > > > >  password cisco
> > > > >  login
> > > > > !
> > > > > end
> > > > >
> > > > > Cisco2509#
> > > > >
> > > > >
> > > > >
> > > > > Cisco_4000>ping 172.17.18.1
> > > > >
> > > > > Type escape sequence to abort.
> > > > > > Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 2 seconds:
> > > > > > !!!!!
> > > > > > Success rate is 100 percent (5/5), round-trip min/avg/max = 120/120/124 ms
> > > > > Cisco_4000>ping 12.11.12.1
> > > > >
> > > > > Type escape sequence to abort.
> > > > > Sending 5, 100-byte ICMP Echos to 12.11.12.1, timeout is 2 seconds:
> > > > > .....
> > > > > Success rate is 0 percent (0/5)
> > > > > Cisco_4000>
________________________

Priscilla Oppenheimer
http://www.priscilla.com
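
An added example, not part of any message in this thread: one way to check a configuration for the point discussed above, that only interfaces facing other routers should send routing updates. It reads an IOS-style configuration and reports, per routing process, which covered interfaces are passive and which still send updates, handling both `passive-interface <name>` and the `passive-interface default` / `no passive-interface <name>` form. The sample configuration is constructed, the function names `classful` and `audit` are hypothetical, and `network` statements are assumed to be classful (as with IGRP).

```python
import ipaddress
# Constructed sample, not from the thread: only Serial0 faces another router.
SAMPLE = """\
interface Ethernet0
 ip address 12.11.12.1 255.255.255.240
interface Serial0
 ip address 172.16.18.1 255.255.255.240
interface Serial1
 ip address 172.17.18.2 255.255.255.240
router igrp 1
 passive-interface default
 no passive-interface Serial0
 network 12.0.0.0
 network 172.16.0.0
 network 172.17.0.0
"""

def classful(addr):  # classful major network, as IGRP reads a 'network' line
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def audit(config):
    """Per routing process, split covered interfaces into sending and passive."""
    addrs, procs, section = {}, {}, []
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):            # top-level line opens a section
            section = words
            if words[:1] == ["router"]:
                procs[" ".join(words)] = {"nets": set(), "passive": set(), "active": set()}
        elif section[:1] == ["interface"] and words[:2] == ["ip", "address"]:
            addrs[section[1]] = classful(words[2])
        elif section[:1] == ["router"] and words:
            p = procs[" ".join(section)]
            if words[0] == "network":
                p["nets"].add(classful(words[1]))
            elif words[0] == "passive-interface":   # interface name or 'default'
                p["passive"].add(words[1])
            elif words[:2] == ["no", "passive-interface"]:
                p["active"].add(words[2])
    report = {}
    for name, p in procs.items():
        covered = [i for i, net in addrs.items() if net in p["nets"]]
        passive = [i for i in covered if i not in p["active"]
                   and (i in p["passive"] or "default" in p["passive"])]
        report[name] = {"passive": passive,
                        "sending": [i for i in covered if i not in passive]}
    return report
```

`audit(SAMPLE)` lists Ethernet0 and Serial1 as passive and Serial0 as the only interface sending updates; all three networks are still advertised out Serial0, which is why a passive interface stays reachable.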




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30707&t=30648