Re: Passive Interface Help [7:30648]

2002-01-03 Thread CCIEn2002

Thank you for all your input. This has helped me
a great deal.

David

- Original Message -
From: "Louie Belt" 
To: "CCIEn2002" 
Sent: Wednesday, January 02, 2002 2:53 PM
Subject: RE: Passive Interface Help [7:30648]


> A passive interface prevents a routing protocol from advertising its routes
> via that interface.  If you had a loopback interface, is there any need to
> advertise routes out of it?  No one would hear them - so why waste processor
> cycles sending a routing update to an interface that has nothing else
> connected.
>
> However, that same passive interface has its IP address (or network)
> advertised to all other interfaces - therefore it is pingable.
>
> Other uses for passive interfaces would be when redistributing routing
> protocols (especially between FLSM and VLSM routing protocols), or even to
> limit an advertisement to a unicast (single destination instead of a
> broadcast) - for instance an interface advertising RIP (v1) uses a broadcast
> to make that advertisement out of each interface that is using RIP.  By
> setting an interface to passive and using a neighbor statement in the
> routing protocol you can force RIP to only advertise its routes to a single
> unicast address instead of broadcasting it to every device on the IP
> network.
>
>
> Hope this helps.
>
> Louie A Belt
> CCIE #7054
> Pomeroy Select Integration Systems
> [EMAIL PROTECTED]
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> CCIEn2002
> Sent: Wednesday, January 02, 2002 1:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Passive Interface Help [7:30648]
>
>
> Thank you for the info. Now I am a little confused still on
> the passive interface. If it prevents routing updates
> from being sent out, why would one want a
> passive interface. From my understanding, a
> passive interface would not advertise its routing
> updates to its neighbor. If that is the case, I am perplexed
> on why I can ping a passive interface that is being advertised
> thru a routing protocol. In my case, my neighbor router
> is seeing an IGRP update for the Ethernet network.
>
> Why would you make the Ethernet passive if you can still
> ping it and see its routing update from a neighboring router
> via the show ip route ?
> This is where I get confused by the definition of passive.
>
> Any help..I am a rookie as you can see
>
> David
>
>
> - Original Message -
> From: "cheekin"
> To: ;
> Sent: Wednesday, January 02, 2002 4:43 AM
> Subject: Re: Passive Interface Help [7:30648]
>
>
> > Hi,
> >
> > When you make the ethernet interface passive, it means no igrp updates will
> > be sent out on the ethernet interface.  It doesn't stop the serial interface
> > from advertising network 12.0.0.0 .  Which explains why you can still ping
> > to the ethernet interface.  If for some reason you do not want network
> > 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
> > distribute-list to filter out the route.
> >
> > Regards,
> > cheekin
> >
> > - Original Message -
> > From:
> > To:
> > Sent: Wednesday, January 02, 2002 15:03
> > Subject: Passive Interface Help [7:30648]
> >
> >
> > > Happy New Year!!
> > >
> > > I need a little help on what a passive
> > > interface is. From what I can gather, a passive
> > > interface does not advertise its route to its
> > > neighbor ? Now if that is the case, why can
> > > I still ping an interface that is set to passive.
> > > Please note: This is excluding directly connected
> > > routes.
> > >
> > > For example, I set my Cisco 2509 ethernet interface
> > > to passive. Why can I still ping the ethernet address
> > > from my neighboring router Cisco 4000 ? I am
> > > running IGRP. Why does the ethernet network show up in its routing table for
> > > my Cisco 4000. From poking around with the passive interface command it
> > > seems that I can not ping my ethernet address only if I set the Serial
> > > interfaces to passive also.
> > > This seems odd. I thought if I made an ethernet interface passive, I should
> > > not be able to ping it from a neighboring router or any other router since
> > > it is not being
> > > advertised.
> > >
> > > Below is a sample of me being able to ping serial 1 off
> > > my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
> > > directly connected. Serial 1 is being advertised.
> 

Re: Passive Interface Help [7:30648]

2002-01-02 Thread Tom Lisa

Dave,

If you want job security, become a tenured professor.  Low pay but lots
of security! :)

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco Regional Networking Academy

MADMAN wrote:

  Kludge!!!  I'd rather refer to these "features" as job security :-)

Dave

  Priscilla Oppenheimer wrote:
  >
  > For that matter, why advertise routes on any "leaf" network that only has
  > end nodes? In the IP world, most end nodes (workstations) don't care about
  > routing updates. (It could be argued that it would be better if they did so
  > you wouldn't need kludges like HSRP, but in fact, most workstation
  > operating systems don't understand routing updates.)
  >
  > Priscilla

  David Madland
  Sr. Network Engineer
  CCIE# 2016
  Qwest Communications Int. Inc.
  [EMAIL PROTECTED]
  612-664-3367

  "Emotion should reflect reason not guide it"
  [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30750&t=30648
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Passive Interface Help [7:30648]

2002-01-02 Thread MADMAN

Kludge!!!  I'd rather refer to these "features" as job security :-)

  Dave

Priscilla Oppenheimer wrote:
> 
> For that matter, why advertise routes on any "leaf" network that only has
> end nodes? In the IP world, most end nodes (workstations) don't care about
> routing updates. (It could be argued that it would be better if they did so
> you wouldn't need kludges like HSRP, but in fact, most workstation
> operating systems don't understand routing updates.)
> 
> Priscilla

David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30716&t=30648



Re: Passive Interface Help [7:30648]

2002-01-02 Thread Priscilla Oppenheimer

For that matter, why advertise routes on any "leaf" network that only has 
end nodes? In the IP world, most end nodes (workstations) don't care about 
routing updates. (It could be argued that it would be better if they did so 
you wouldn't need kludges like HSRP, but in fact, most workstation 
operating systems don't understand routing updates.)

Priscilla

At 03:06 PM 1/2/02, Chuck Larrieu wrote:
>I should also mention that in the ISP environment, this is particularly
>useful and particularly necessary. According to my reading, ISP's will
>habitually place all interfaces to the customer side as passive ( for the
>ISP IGP ) and will then specifically activate interfaces where route and
>routing protocol advertising should occur.
>
>All of the examples surrounding the passive-interface default command (
>available in IOS 12.0 and higher ) that I have seen on CCO specifically
>reference ISP requirements.
>
>Essentially, why advertise internal routes and updates out every dial up and
>DSL connection? Why do your average Joe customers require this? So save
>their bandwidth for the things they really want - transferring megabytes of
>pictures via e-mail ;->
>
>Chuck
>
>
>"Chuck Larrieu" wrote in message news:[EMAIL PROTECTED]...
> > All part of traffic control. Why waste bandwidth for updates that are not
> > required.
> >
> > example:
> >
> > OSPF domain -- router -- IGRP domain
> >
> > the OSPF domain does not require direct knowledge of the IGRP domain, so why
> > send IGRP updates out the interface into the OSPF domain? or vice versa.
> >
> > also, as a matter of basic security design, suppose you have:
> >
> > bunch of users -- ethernet_interface-router -- routing_domain
> >
> > one might consider preventing routing advertisements into the user ethernet
> > domain as a precaution against users who may be running routing protocols on
> > their workstations and creating havoc as a result.
> >
> > I worked on a VPN/RLAN project for a major technology company a few months
> > back. The company had several thousand users on this network, most of whom
> > were engineers. The company had ongoing problems with these engineers
> > testing equipment and services and creating situations where the engineering
> > work caused major problems on their production network. So they opted for
> > static routing to the end user, and suppression of all routing
> > advertisements out any of the VPN tunnels and RLAN connections.
> >
> > Make sense?
> >
> > Chuck
> >
> >
> > "CCIEn2002" wrote in message news:[EMAIL PROTECTED]...
> > > Thank you for the info. Now I am a little confused still on
> > > the passive interface. If it prevents routing updates
> > > from being sent out, why would one want a
> > > passive interface. From my understanding, a
> > > passive interface would not advertise its routing
> > > updates to its neighbor. If that is the case, I am perplexed
> > > on why I can ping a passive interface that is being advertised
> > > thru a routing protocol. In my case, my neighbor router
> > > is seeing an IGRP update for the Ethernet network.
> > >
> > > Why would you make the Ethernet passive if you can still
> > > ping it and see its routing update from a neighboring router
> > > via the show ip route ?
> > > This is where I get confused by the definition of passive.
> > >
> > > Any help..I am a rookie as you can see
> > >
> > > David
> > >
> > >
> > > - Original Message -
> > > From: "cheekin"
> > > To: ;
> > > Sent: Wednesday, January 02, 2002 4:43 AM
> > > Subject: Re: Passive Interface Help [7:30648]
> > >
> > >
> > > > Hi,
> > > >
> > > > When you make the ethernet interface passive, it means no igrp updates will
> > > > be sent out on the ethernet interface.  It doesn't stop the serial interface
> > > > from advertising network 12.0.0.0 .  Which explains why you can still ping
> > > > to the ethernet interface.  If for some reason you do not want network
> > > > 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
> > > > distribute-list to filter out the route.
> > > >
> > > > Regards,
> > > > cheekin
> > > >
> > > &g

Re: Passive Interface Help [7:30648]

2002-01-02 Thread Chuck Larrieu

I should also mention that in the ISP environment, this is particularly
useful and particularly necessary. According to my reading, ISP's will
habitually place all interfaces to the customer side as passive ( for the
ISP IGP ) and will then specifically activate interfaces where route and
routing protocol advertising should occur.

All of the examples surrounding the passive-interface default command (
available in IOS 12.0 and higher ) that I have seen on CCO specifically
reference ISP requirements.

Essentially, why advertise internal routes and updates out every dial up and
DSL connection? Why do your average Joe customers require this? So save
their bandwidth for the things they really want - transferring megabytes of
pictures via e-mail ;->

Chuck


"Chuck Larrieu" wrote in message news:[EMAIL PROTECTED]...
> All part of traffic control. Why waste bandwidth for updates that are not
> required.
>
> example:
>
> OSPF domain -- router -- IGRP domain
>
> the OSPF domain does not require direct knowledge of the IGRP domain, so why
> send IGRP updates out the interface into the OSPF domain? or vice versa.
>
> also, as a matter of basic security design, suppose you have:
>
> bunch of users -- ethernet_interface-router -- routing_domain
>
> one might consider preventing routing advertisements into the user ethernet
> domain as a precaution against users who may be running routing protocols on
> their workstations and creating havoc as a result.
>
> I worked on a VPN/RLAN project for a major technology company a few months
> back. The company had several thousand users on this network, most of whom
> were engineers. The company had ongoing problems with these engineers
> testing equipment and services and creating situations where the engineering
> work caused major problems on their production network. So they opted for
> static routing to the end user, and suppression of all routing
> advertisements out any of the VPN tunnels and RLAN connections.
>
> Make sense?
>
> Chuck
>
>
> "CCIEn2002" wrote in message news:[EMAIL PROTECTED]...
> > Thank you for the info. Now I am a little confused still on
> > the passive interface. If it prevents routing updates
> > from being sent out, why would one want a
> > passive interface. From my understanding, a
> > passive interface would not advertise its routing
> > updates to its neighbor. If that is the case, I am perplexed
> > on why I can ping a passive interface that is being advertised
> > thru a routing protocol. In my case, my neighbor router
> > is seeing an IGRP update for the Ethernet network.
> >
> > Why would you make the Ethernet passive if you can still
> > ping it and see its routing update from a neighboring router
> > via the show ip route ?
> > This is where I get confused by the definition of passive.
> >
> > Any help..I am a rookie as you can see
> >
> > David
> >
> >
> > - Original Message -
> > From: "cheekin"
> > To: ;
> > Sent: Wednesday, January 02, 2002 4:43 AM
> > Subject: Re: Passive Interface Help [7:30648]
> >
> >
> > > Hi,
> > >
> > > When you make the ethernet interface passive, it means no igrp updates will
> > > be sent out on the ethernet interface.  It doesn't stop the serial interface
> > > from advertising network 12.0.0.0 .  Which explains why you can still ping
> > > to the ethernet interface.  If for some reason you do not want network
> > > 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
> > > distribute-list to filter out the route.
> > >
> > > Regards,
> > > cheekin
> > >
> > > - Original Message -
> > > From:
> > > To:
> > > Sent: Wednesday, January 02, 2002 15:03
> > > Subject: Passive Interface Help [7:30648]
> > >
> > >
> > > > Happy New Year!!
> > > >
> > > > I need a little help on what a passive
> > > > interface is. From what I can gather, a passive
> > > > interface does not advertise its route to its
> > > > neighbor ? Now if that is the case, why can
> > > > I still ping an interface that is set to passive.
> > > > Please note: This is excluding directly connected
> > > > routes.
> > > >
> > > > For example, I set my Cisco 2509 ethernet interface
> > > > to passive. Why can I still ping the ethernet address
> > > > from my neighboring ro

Re: Passive Interface Help [7:30648]

2002-01-02 Thread matt shiite

Are these routers directly connected?  If so, that
explains why you would still be able to ping. Did you
try to use loopback interfaces and see if those routes
are being announced?

ms


--- CCIEn2002  wrote:
> Thank you for the info. Now I am a little confused still on
> the passive interface. If it prevents routing updates
> from being sent out, why would one want a
> passive interface. From my understanding, a
> passive interface would not advertise its routing
> updates to its neighbor. If that is the case, I am perplexed
> on why I can ping a passive interface that is being advertised
> thru a routing protocol. In my case, my neighbor router
> is seeing an IGRP update for the Ethernet network.
>
> Why would you make the Ethernet passive if you can still
> ping it and see its routing update from a neighboring router
> via the show ip route ?
> This is where I get confused by the definition of passive.
>
> Any help..I am a rookie as you can see
>
> David
> 
> 
> - Original Message -----
> From: "cheekin" 
> To: ; 
> Sent: Wednesday, January 02, 2002 4:43 AM
> Subject: Re: Passive Interface Help [7:30648]
> 
> 
> > Hi,
> >
> > When you make the ethernet interface passive, it means no igrp updates will
> > be sent out on the ethernet interface.  It doesn't stop the serial interface
> > from advertising network 12.0.0.0 .  Which explains why you can still ping
> > to the ethernet interface.  If for some reason you do not want network
> > 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
> > distribute-list to filter out the route.
> >
> > Regards,
> > cheekin
> >
> > - Original Message -
> > From: 
> > To: 
> > Sent: Wednesday, January 02, 2002 15:03
> > Subject: Passive Interface Help [7:30648]
> >
> >
> > > Happy New Year!!
> > >
> > > I need a little help on what a passive
> > > interface is. From what I can gather, a passive
> > > interface does not advertise its route to its
> > > neighbor ? Now if that is the case, why can
> > > I still ping an interface that is set to passive.
> > > Please note: This is excluding directly connected
> > > routes.
> > >
> > > For example, I set my Cisco 2509 ethernet interface
> > > to passive. Why can I still ping the ethernet address
> > > from my neighboring router Cisco 4000 ? I am
> > > running IGRP. Why does the ethernet network show up in its routing table for
> > > my Cisco 4000. From poking around with the passive interface command it
> > > seems that I can not ping my ethernet address only if I set the Serial
> > > interfaces to passive also.
> > > This seems odd. I thought if I made an ethernet interface passive, I should
> > > not be able to ping it from a neighboring router or any other router since
> > > it is not being
> > > advertised.
> > >
> > > Below is a sample of me being able to ping serial 1 off
> > > my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
> > > directly connected. Serial 1 is being advertised.
> > >
> > >
> > >
> > >
> > > Current configuration:
> > > !
> > > version 12.0
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname Cisco2509
> > > !
> > > enable password router
> > > !
> > > ip subnet-zero
> > > ipx routing 0010.7be8.22f4
> > > !
> > > !
> > >  !
> > >  !
> > >  !
> > >  interface Ethernet0
> > >  ip address 12.11.12.1 255.255.255.240
> > >  no ip directed-broadcast
> > >  delay 1000
> > > !
> > > interface Serial0
> > >  ip address 172.16.18.1 255.255.255.240
> > >  no ip directed-broadcast
> > >  no ip mroute-cache
> > >  ipx network 3
> > >  no fair-queue
> > >  clockrate 100
> > > !
> > > interface Serial1
> > >  ip address 172.17.18.2 255.255.255.240
> > >  no ip directed-broadcast
> > >  clockrate 400
> > > !
> > > router igrp 1
> > >  passive-interface Ethernet0
> > >  passive-interface Serial0
> > >  passive-interface Serial1
> > >  offset-list 2 out 11000 Serial0
> > >  network 12.0.0.0

Re: Re: Passive Interface Help [7:30648]

2002-01-02 Thread John Neiberger

As I mentioned in my first reply, the passive-interface command 
operates a little differently depending on the protocol you're 
using.  For protocols that need to establish neighbors--such as 
EIGRP, OSPF, and IS-IS--this command stops those relationships 
from forming so no routes will ever be exchanged.

In RIP and IGRP, no neighbor relationship is formed.  The 
passive-interface command simply stops the router from sending 
updates out that interface but it will *not* stop updates from 
coming in on that interface.  This can be a handy feature if 
you only want to receive routes but not send them.

If you are receiving IGRP routes that you don't want to 
receive, then you need to make sure that you apply this command 
to both sides of the connection.

HTH,
John





On Wed, 2 Jan 2002, CCIEn2002 ([EMAIL PROTECTED]) wrote:

> Thank you for the info. Now I am a little confused still on
> the passive interface. If it prevents routing updates
> from being sent out, why would one want a
> passive interface. From my understanding, a
> passive interface would not advertise its routing
> updates to its neighbor. If that is the case, I am perplexed
> on why I can ping a passive interface that is being advertised
> thru a routing protocol. In my case, my neighbor router
> is seeing an IGRP update for the Ethernet network.
> 
> Why would you make the Ethernet passive if you can still
> ping it and see its routing update from a neighboring router
> via the show ip route ?
> This is where I get confused by the definition of passive.
> 
> Any help..I am a rookie as you can see
> 
> David
> 
> 
> - Original Message -
> From: "cheekin" 
> To: ; 
> Sent: Wednesday, January 02, 2002 4:43 AM
> Subject: Re: Passive Interface Help [7:30648]
> 
> 
> > Hi,
> >
> > When you make the ethernet interface passive, it means no igrp updates will
> > be sent out on the ethernet interface.  It doesn't stop the serial interface
> > from advertising network 12.0.0.0 .  Which explains why you can still ping
> > to the ethernet interface.  If for some reason you do not want network
> > 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
> > distribute-list to filter out the route.
> >
> > Regards,
> > cheekin
> >
> > - Original Message -
> > From: 
> > To: 
> > Sent: Wednesday, January 02, 2002 15:03
> > Subject: Passive Interface Help [7:30648]
> >
> >
> > > Happy New Year!!
> > >
> > > I need a little help on what a passive
> > > interface is. From what I can gather, a passive
> > > interface does not advertise its route to its
> > > neighbor ? Now if that is the case, why can
> > > I still ping an interface that is set to passive.
> > > Please note: This is excluding directly connected
> > > routes.
> > >
> > > For example, I set my Cisco 2509 ethernet interface
> > > to passive. Why can I still ping the ethernet address
> > > from my neighboring router Cisco 4000 ? I am
> > > running IGRP. Why does the ethernet network show up in its routing table for
> > > my Cisco 4000. From poking around with the passive interface command it
> > > seems that I can not ping my ethernet address only if I set the Serial
> > > interfaces to passive also.
> > > This seems odd. I thought if I made an ethernet interface passive, I should
> > > not be able to ping it from a neighboring router or any other router since
> > > it is not being
> > > advertised.
> > >
> > > Below is a sample of me being able to ping serial 1 off
> > > my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
> > > directly connected. Serial 1 is being advertised.
> > >
> > >
> > >
> > >
> > > Current configuration:
> > > !
> > > version 12.0
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname Cisco2509
> > > !
> > > enable password router
> > > !
> > > ip subnet-zero
> > > ipx routing 0010.7be8.22f4
> > > !
> > > !
> > >  !
> > >  !
> > >  !
> > >  interface Ethernet0
> > >  ip address 12.11.12.1 255.255.255.240
> > >  no ip directed-broadcast
> > >  delay 1000
>

Re: Passive Interface Help [7:30648]

2002-01-02 Thread Chuck Larrieu

All part of traffic control. Why waste bandwidth for updates that are not
required.

example:

OSPF domain -- router -- IGRP domain

the OSPF domain does not require direct knowledge of the IGRP domain, so why
send IGRP updates out the interface into the OSPF domain? or vice versa.

also, as a matter of basic security design, suppose you have:

bunch of users -- ethernet_interface-router -- routing_domain

one might consider preventing routing advertisements into the user ethernet
domain as a precaution against users who may be running routing protocols on
their workstations and creating havoc as a result.

I worked on a VPN/RLAN project for a major technology company a few months
back. The company had several thousand users on this network, most of whom
were engineers. The company had ongoing problems with these engineers
testing equipment and services and creating situations where the engineering
work caused major problems on their production network. So they opted for
static routing to the end user, and suppression of all routing
advertisements out any of the VPN tunnels and RLAN connections.

Make sense?

Chuck


"CCIEn2002" wrote in message news:[EMAIL PROTECTED]...
> Thank you for the info. Now I am a little confused still on
> the passive interface. If it prevents routing updates
> from being sent out, why would one want a
> passive interface. From my understanding, a
> passive interface would not advertise its routing
> updates to its neighbor. If that is the case, I am perplexed
> on why I can ping a passive interface that is being advertised
> thru a routing protocol. In my case, my neighbor router
> is seeing an IGRP update for the Ethernet network.
>
> Why would you make the Ethernet passive if you can still
> ping it and see its routing update from a neighboring router
> via the show ip route ?
> This is where I get confused by the definition of passive.
>
> Any help..I am a rookie as you can see
>
> David
>
>
> - Original Message -
> From: "cheekin"
> To: ;
> Sent: Wednesday, January 02, 2002 4:43 AM
> Subject: Re: Passive Interface Help [7:30648]
>
>
> > Hi,
> >
> > When you make the ethernet interface passive, it means no igrp updates will
> > be sent out on the ethernet interface.  It doesn't stop the serial interface
> > from advertising network 12.0.0.0 .  Which explains why you can still ping
> > to the ethernet interface.  If for some reason you do not want network
> > 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
> > distribute-list to filter out the route.
> >
> > Regards,
> > cheekin
> >
> > - Original Message -
> > From:
> > To:
> > Sent: Wednesday, January 02, 2002 15:03
> > Subject: Passive Interface Help [7:30648]
> >
> >
> > > Happy New Year!!
> > >
> > > I need a little help on what a passive
> > > interface is. From what I can gather, a passive
> > > interface does not advertise its route to its
> > > neighbor ? Now if that is the case, why can
> > > I still ping an interface that is set to passive.
> > > Please note: This is excluding directly connected
> > > routes.
> > >
> > > For example, I set my Cisco 2509 ethernet interface
> > > to passive. Why can I still ping the ethernet address
> > > from my neighboring router Cisco 4000 ? I am
> > > running IGRP. Why does the ethernet network show up in its routing table for
> > > my Cisco 4000. From poking around with the passive interface command it
> > > seems that I can not ping my ethernet address only if I set the Serial
> > > interfaces to passive also.
> > > This seems odd. I thought if I made an ethernet interface passive, I should
> > > not be able to ping it from a neighboring router or any other router since
> > > it is not being
> > > advertised.
> > >
> > > Below is a sample of me being able to ping serial 1 off
> > > my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
> > > directly connected. Serial 1 is being advertised.
> > >
> > >
> > >
> > >
> > > Current configuration:
> > > !
> > > version 12.0
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname Cisco2509
> > > !
> > > enable password router
> > > !
> > > ip subnet-zero
> > > ipx routing 0010.7be8.22f4
> > > !
> > > !
> > >

Re: Passive Interface Help [7:30648]

2002-01-02 Thread CCIEn2002

Thank you for the info. Now I am a little confused still on
the passive interface. If it prevents routing updates
from being sent out, why would one want a
passive interface. From my understanding, a
passive interface would not advertise its routing
updates to its neighbor. If that is the case, I am perplexed
on why I can ping a passive interface that is being advertised
thru a routing protocol. In my case, my neighbor router
is seeing an IGRP update for the Ethernet network.

Why would you make the Ethernet passive if you can still
ping it and see its routing update from a neighboring router
via the show ip route ?
This is where I get confused by the definition of passive.

Any help..I am a rookie as you can see

David


- Original Message -
From: "cheekin" 
To: ; 
Sent: Wednesday, January 02, 2002 4:43 AM
Subject: Re: Passive Interface Help [7:30648]


> Hi,
>
> When you make the ethernet interface passive, it means no igrp updates will
> be sent out on the ethernet interface.  It doesn't stop the serial interface
> from advertising network 12.0.0.0 .  Which explains why you can still ping
> to the ethernet interface.  If for some reason you do not want network
> 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
> distribute-list to filter out the route.
>
> Regards,
> cheekin
>
> - Original Message -
> From: 
> To: 
> Sent: Wednesday, January 02, 2002 15:03
> Subject: Passive Interface Help [7:30648]
>
>
> > Happy New Year!!
> >
> > I need a little help on what a passive
> > interface is. From what I can gather, a passive
> > interface does not advertise its route to its
> > neighbor ? Now if that is the case, why can
> > I still ping an interface that is set to passive.
> > Please note: This is excluding directly connected
> > routes.
> >
> > For example, I set my Cisco 2509 ethernet interface
> > to passive. Why can I still ping the ethernet address
> > from my neighboring router Cisco 4000 ? I am
> > running IGRP. Why does the ethernet network show up in its routing table for
> > my Cisco 4000. From poking around with the passive interface command it
> > seems that I can not ping my ethernet address only if I set the Serial
> > interfaces to passive also.
> > This seems odd. I thought if I made an ethernet interface passive, I should
> > not be able to ping it from a neighboring router or any other router since
> > it is not being
> > advertised.
> >
> > Below is a sample of me being able to ping serial 1 off
> > my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
> > directly connected. Serial 1 is being advertised.
> >
> >
> >
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname Cisco2509
> > !
> > enable password router
> > !
> > ip subnet-zero
> > ipx routing 0010.7be8.22f4
> > !
> > !
> >  !
> >  !
> >  !
> >  interface Ethernet0
> >  ip address 12.11.12.1 255.255.255.240
> >  no ip directed-broadcast
> >  delay 1000
> > !
> > interface Serial0
> >  ip address 172.16.18.1 255.255.255.240
> >  no ip directed-broadcast
> >  no ip mroute-cache
> >  ipx network 3
> >  no fair-queue
> >  clockrate 100
> > !
> > interface Serial1
> >  ip address 172.17.18.2 255.255.255.240
> >  no ip directed-broadcast
> >  clockrate 400
> > !
> > router igrp 1
> >  passive-interface Ethernet0
> >  passive-interface Serial0
> >  passive-interface Serial1
> >  offset-list 2 out 11000 Serial0
> >  network 12.0.0.0
> >  network 172.16.0.0
> >  network 172.17.0.0
> > !
> > ip classless
> > !
> > access-list 2 deny   12.11.12.1
> > !
> > !
> > !
> > !
> > !
> > line con 0
> >  transport input none
> > line 1 8
> > line aux 0
> > line vty 0 4
> >  password cisco
> >  login
> > !
> > end
> >
> > Cisco2509#
> >
> >
> >
> > Cisco_4000>ping 172.17.18.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 2 seconds:
> > !
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 120/120/124 ms
> > Cisco_4000>ping 12.11.12.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 12.11.12.1, timeout is 2 seconds:
> > .
> > Success rate is 0 percent (0/5)
> > Cisco_4000>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30695&t=30648
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Passive Interface Help [7:30648]

2002-01-02 Thread John Neiberger

The passive-interface command stops routing updates from exiting that
interface or--in the case of EIGRP, OSPF, and IS-IS--it stops hello
packets from exiting which keeps neighbor relationships from forming.

This command won't keep a connected network from showing up in your
routing table.  If you are connected to another router via ethernet, the
ethernet network is directly connected and does not need to be
advertised by a routing protocol to show up in your routing table.

To test this, add a loopback address on the remote router that is in
the same major network as the ethernet address.  You shouldn't be able
to ping that because your local router should not be aware of it.  

HTH,
John

>>> "[EMAIL PROTECTED]"  1/2/02 12:03:49 AM >>>
Happy New Year!!

I need a little help on what a passive
interface is. From what I can gather, a passive
interface does not advertise its route to its
neighbor ? Now if that is the case, why can 
I still ping an interface that is set to passive.
Please note: This is excluding directly connected
routes. 

For example, I set my Cisco 2509 ethernet interface
to passive. Why can I still ping the ethernet address 
from my neighboring router Cisco 4000 ? I am
running IGRP. Why does the ethernet network show up in its routing table for
my Cisco 4000. From poking around with the passive interface command it
seems that I can not ping my ethernet address only if I set the Serial
interfaces to passive also.
This seems odd. I thought if I made an ethernet interface passive, I should
not be able to ping it from a neighboring router or any other router since
it is not being advertised.

Below is a sample of me being able to ping serial 1 off
my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
directly connected. Serial 1 is being advertised. 




Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco2509
!
enable password router
!
ip subnet-zero
ipx routing 0010.7be8.22f4
!
!
!
!
!
interface Ethernet0
 ip address 12.11.12.1 255.255.255.240
 no ip directed-broadcast
 delay 1000
!
interface Serial0
 ip address 172.16.18.1 255.255.255.240
 no ip directed-broadcast
 no ip mroute-cache
 ipx network 3
 no fair-queue
 clockrate 100
!
interface Serial1
 ip address 172.17.18.2 255.255.255.240
 no ip directed-broadcast
 clockrate 400
!
router igrp 1
 passive-interface Ethernet0
 passive-interface Serial0
 passive-interface Serial1
 offset-list 2 out 11000 Serial0
 network 12.0.0.0
 network 172.16.0.0
 network 172.17.0.0
!
ip classless
!
access-list 2 deny   12.11.12.1
!
!
!
!
!
line con 0
 transport input none
line 1 8
line aux 0
line vty 0 4
 password cisco
 login
!
end

Cisco2509#



Cisco_4000>ping 172.17.18.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/120/124 ms
Cisco_4000>ping 12.11.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.11.12.1, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
Cisco_4000>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30676&t=30648



Re: Passive Interface Help [7:30648]

2002-01-02 Thread cheekin

Hi,

When you make the ethernet interface passive, it means no igrp updates will
be sent out on the ethernet interface.  It doesn't stop the serial interface
from advertising network 12.0.0.0.  Which explains why you can still ping
to the ethernet interface.  If for some reason you do not want network
12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
distribute-list to filter out the route.

Regards,
cheekin

- Original Message -
From: 
To: 
Sent: Wednesday, January 02, 2002 15:03
Subject: Passive Interface Help [7:30648]


> Happy New Year!!
>
> I need a little help on what a passive
> interface is. From what I can gather, a passive
> interface does not advertise its route to its
> neighbor ? Now if that is the case, why can
> I still ping an interface that is set to passive.
> Please note: This is excluding directly connected
> routes.
>
> For example, I set my Cisco 2509 ethernet interface
> to passive. Why can I still ping the ethernet address
> from my neighboring router Cisco 4000 ? I am
> running IGRP. Why does the ethernet network show up in its routing table for
> my Cisco 4000. From poking around with the passive interface command it
> seems that I can not ping my ethernet address only if I set the Serial
> interfaces to passive also.
> This seems odd. I thought if I made an ethernet interface passive, I should
> not be able to ping it from a neighboring router or any other router since
> it is not being advertised.
>
> Below is a sample of me being able to ping serial 1 off
> my Cisco 2509 from my Cisco 4000. Serial 1 is "not"
> directly connected. Serial 1 is being advertised.
>
>
>
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Cisco2509
> !
> enable password router
> !
> ip subnet-zero
> ipx routing 0010.7be8.22f4
> !
> !
> !
> !
> !
> interface Ethernet0
>  ip address 12.11.12.1 255.255.255.240
>  no ip directed-broadcast
>  delay 1000
> !
> interface Serial0
>  ip address 172.16.18.1 255.255.255.240
>  no ip directed-broadcast
>  no ip mroute-cache
>  ipx network 3
>  no fair-queue
>  clockrate 100
> !
> interface Serial1
>  ip address 172.17.18.2 255.255.255.240
>  no ip directed-broadcast
>  clockrate 400
> !
> router igrp 1
>  passive-interface Ethernet0
>  passive-interface Serial0
>  passive-interface Serial1
>  offset-list 2 out 11000 Serial0
>  network 12.0.0.0
>  network 172.16.0.0
>  network 172.17.0.0
> !
> ip classless
> !
> access-list 2 deny   12.11.12.1
> !
> !
> !
> !
> !
> line con 0
>  transport input none
> line 1 8
> line aux 0
> line vty 0 4
>  password cisco
>  login
> !
> end
>
> Cisco2509#
>
>
>
> Cisco_4000>ping 172.17.18.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 2 seconds:
> !
> Success rate is 100 percent (5/5), round-trip min/avg/max = 120/120/124 ms
> Cisco_4000>ping 12.11.12.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 12.11.12.1, timeout is 2 seconds:
> .
> Success rate is 0 percent (0/5)
> Cisco_4000>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30653&t=30648
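
The behaviour John Neiberger and cheekin describe above, as an added example that is not part of any post in the thread: a simplified model that reads the routing-relevant lines of the posted Cisco2509 configuration and lists which major networks leave each interface in IGRP updates. The function names and the trimmed CONFIG string are constructed for this example, and metrics, the offset-list and per-subnet split horizon are assumed away.

```python
import re

# Constructed input: the routing-relevant lines of the Cisco2509 config quoted above.
CONFIG = """\
interface Ethernet0
 ip address 12.11.12.1 255.255.255.240
interface Serial0
 ip address 172.16.18.1 255.255.255.240
interface Serial1
 ip address 172.17.18.2 255.255.255.240
router igrp 1
 passive-interface Ethernet0
 passive-interface Serial0
 passive-interface Serial1
 network 12.0.0.0
 network 172.16.0.0
 network 172.17.0.0
"""

def major_net(ip):
    """Classful major network of an address (IGRP is a classful protocol)."""
    octets = ip.split(".")
    keep = 1 if int(octets[0]) < 128 else 2 if int(octets[0]) < 192 else 3
    return ".".join(octets[:keep] + ["0"] * (4 - keep))

def advertised(config):
    """Map each interface to the major networks sent out of it in IGRP updates."""
    ifaces, passive, networks, current = {}, set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            ifaces[current] = major_net(m.group(1))
        elif m := re.match(r"passive-interface (\S+)", line):
            passive.add(m.group(1))
        elif m := re.match(r"network (\S+)", line):
            networks.add(m.group(1))
    enabled = {n for n in ifaces.values() if n in networks}
    out = {}
    for name, own in ifaces.items():
        # Simplified model: a non-passive interface in an enabled network sends
        # every other enabled major network; its own network is left out.
        sends = own in enabled and name not in passive
        out[name] = sorted(enabled - {own}) if sends else []
    return out

if __name__ == "__main__":
    print("as posted:", advertised(CONFIG))
    only_e0 = re.sub(r" passive-interface Serial\d\n", "", CONFIG)
    print("only Ethernet0 passive:", advertised(only_e0))
```

As posted, all three interfaces are passive, so nothing is advertised, which matches the failed ping to 12.11.12.1. With only Ethernet0 passive, 12.0.0.0 still leaves Serial0 and Serial1.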