Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A router interface that stops sending routing protocol updates while still advertising its subnet—used to limit OSPF/EIGRP adjacencies and exposure.
Passive Interface Definition: A router interface that stops sending routing protocol updates while still advertising its subnet—used to limit OSPF/EIGRP adjacencies and exposure.
A passive interface is a router interface configured to stop sending routing protocol updates (and forming neighbor adjacencies) out of that interface, while the network connected to it is still advertised into the routing protocol. It is a common control in protocols like OSPF, EIGRP, and RIP to limit where routing information is exchanged.
When an interface is marked passive (for example with the passive-interface command in Cisco IOS), the router suppresses outgoing hello and update packets on it. In OSPF and EIGRP this prevents the formation of neighbor relationships on that link, so no adjacency is established; in RIP it stops broadcasting periodic updates. The connected subnet remains reachable and is still announced to legitimate neighbors elsewhere, but the passive interface itself becomes silent with respect to the routing protocol. Administrators often use passive-interface default and then selectively re-enable specific interfaces.
Passive interfaces matter for security because exposing routing protocol traffic on interfaces facing end users, servers, or untrusted segments is a risk: an attacker on such a segment could capture topology details or inject forged routing updates to redirect or blackhole traffic. Making user-facing interfaces passive reduces this attack surface and also cuts needless protocol overhead. It complements, but does not replace, routing protocol authentication.
For example, a network engineer running OSPF on a distribution router sets passive-interface default, then issues no passive-interface for only the uplinks toward other routers. The interfaces connected to user VLANs no longer send OSPF hellos, so no attacker plugged into a user port can establish an OSPF adjacency or inject malicious routes, yet those user subnets are still advertised to the rest of the network.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →