When you use the network command in OSPF, two things will happen:
- All interfaces that have a network that falls within the range of the network command will be advertised in OSPF.
- OSPF hello packets are sent on these interfaces.
Sometimes it’s undesirable to send OSPF hello packets on certain interfaces. Take a look at the image below:

R1 and R2 are configured for OSPF. R1 is connected to network 192.168.10 /24 which has some computers connected to a switch. R1 wants to advertise this network to R2.
Once we use the network command to advertise 192.168.10.0 /24 in OSPF, R1 will also send OSPF hello packets towards the switch. This is a bad idea, first of all because there are no routers on this network but it’s also a security risk. If someone on the computer starts an application that replies with OSPF hello packets then R1 will try to become neighbors. An attacker could advertise fake routes using this technique.
To prevent this from happening, we can use the passive-interface command. This command tells OSPF not to send hello packets on certain interfaces. Let’s see how it works…
Configuration
Here’s the OSPF configuration of R1 and R2:
R1(config)#router ospf 1
R1(config-router)#network 192.168.12.0 0.0.0.255 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R2(config)#router ospf 1
R2(config-router)#network 192.168.12.0 0.0.0.255 area 0
With the above configuration, R2 will learn network 192.168.10.0 /24:
R2#show ip route ospf
O 192.168.10.0/24 [110/20] via 192.168.12.1, 00:03:21, FastEthernet0/0
This is great but a side-effect of this configuration is that R1 will send hello packets on its FastEthernet 0/1 interface. We can see this with a debug:
R1#debug ip ospf hello
OSPF hello events debugging is on
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/1 from 192.168.10.254
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1
Above you can see that hello packets are sent in both directions.

Let’s fix this. We will configure OSPF to stop the hello packets towards the switch:
R1(config)#router ospf 1
R1(config-router)#passive-interface FastEthernet 0/1
You only have to use the passive-interface command under the OSPF process. You can verify our work with the following command:
R1#show ip protocols
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 192.168.12.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
192.168.10.0 0.0.0.255 area 0
192.168.12.0 0.0.0.255 area 0
Reference bandwidth unit is 100 mbps
Passive Interface(s):
FastEthernet0/1
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)
Show ip protocols will tell us which interfaces are configured as passive interface(s). If you left the debug enabled you will see that the hello packets are blocked:
R1#
OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet0/0 from 192.168.12.1
That’s looking good, they are only sent towards R2 now.

- Configurations
- R1
- R2
Want to take a look for yourself? Here you will find the final configuration of each device.
If you have many interfaces then it might be annoying to configure each of them as a passive interface. For example let’s imagine that R1 is used as a router on a stick for VLANs that are configured on the switch. It will have many sub-interfaces, on each of those it will send OSPF hello packets:

We could use the passive-interface command for each of these sub-interfaces but there’s a better solution for this:
R1(config)#router ospf 1
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface FastEthernet 0/0
The configuration above will make all interfaces passive and you have to tell the router which interfaces should send OSPF hello packets. This is easier and it will prevent OSPF from sending hello packets when someone creates a new sub-interface and forgets to make it passive.
- Configurations
- R1
- R2
Unit 1: Introduction to OSPF
- Introduction to OSPF
- Basic OSPF Configuration
- OSPF Multi Area Configuration
- OSPF Reference Bandwidth
- OSPF Plain Text Authentication
- OSPF MD5 Authentication
- OSPF SHA-HMAC Authentication
- OSPF TTL Security Check
- OSPF Default Route
Unit 2: OSPF Neighbor Adjacency
- OSPF LSA Types
- OSPF LSAs and LSDB Flooding
- OSPF Hello and Dead Interval
- OSPF Router ID
- OSPF Packets and Neighbor Discovery
- OSPF DR/BDR Election
- OSPF Passive Interface
- Troubleshooting OSPF Neighbor Adjacency
Unit 3: OSPF Network Types
- OSPF Non-Broadcast Network Type
- OSPF Broadcast Network Type
- OSPF Point-to-Multipoint Network Type
- OSPF Point-to-Multipoint Non-Broadcast Network Type
- OSPF Point-to-Point Network Type
- OSPF Next Hop with Network Types
Unit 4: OSPF Stub Areas
- Introduction to OSPF Stub Areas
- How to configure OSPF Stub Area
- How to configure OSPF Totally Stub
- How to configure OSPF NSSA (Not So Stubby) Area
- How to configure OSPF Totally NSSA (Not So Stubby) Area
- OSPF NSSA P-bit explained
Unit 5: Advanced OSPF Topics
- OSPF Summarization
- OSPF Distribute-List Filtering
- OSPF LSA Type 3 Filtering
- OSPF LSA Type 5 Filtering
- OSPF Virtual Link
- OSPF Virtual Link Authentication
- OSPF Path Selection Explained
- How to read the OSPF Database
- OSPFv3 for IPv4
- Troubleshooting OSPF Route Advertisement
- OSPF SPF Scheduling and Throttling
- OSPF LSA Throttling
- OSPF Incremental SPF
- OSPF Prefix Suppression
- OSPF Stub Router
- OSPF Graceful Shutdown
- OSPF Graceful Restart
- OSPF Loop-Free Alternate (LFA) Fast Reroute (FRR)
- OSPF Remote Loop-Free Alternate (LFA) Fast Reroute (FRR)