How to make an interface act like a passive interface in BGP?

May 18th, 2008

Hi Friends,

Is there any command or any other way to make an interface act like a passive interface in BGP, so that it will not send any routing updates on that interface?

Please help.



Richard Burts Fri, 05/23/2008 - 13:58

Shumon has given a nice quote and URL for the passive-interface command, which works on interior routing protocols like OSPF or EIGRP (or even RIP). But it does not work on BGP. Since you do not run BGP on an interface (like you do the interior routing protocols), there is no ability to make an interface passive in BGP.

What are you trying to accomplish? If we knew what your real objective was we might be able to suggest some alternative that might get what you need.



Jacob Samuel Fri, 05/23/2008 - 21:51

Hi Rick,

Nice day, hope you are doing fine.

Yes, thanks for the information.

My concern is this:

We have a network with one main HQ and almost 70+ branches. All the main branches connect to the HQ and access the data from the central database.

Our network is running on the 172.16.x.x range and we are running EIGRP as the routing protocol to communicate.

Now another company (you can say a sister concern of our company) wants to access this database server in our HQ network. It is a very huge organization. They are also using a 172.16.x.x network and BGP as the routing protocol.

The other company put one 2811 router in our rack and there is a DSL WAN link to their network.

What we did as of now is take one free IP from our network range, configure that IP on the LAN interface of their router, and connect it to our L3 switch in the LAN at HQ. I mean I extended my LAN to their router also. And I put a route on the server to reach their network, taking the LAN interface IP of the 2811 router as the gateway.

At the moment they are able to see my server. My concern is: will there be any problem in connecting this router to the LAN, since they are also using 172.16.x.x on the WAN side? Will it send any routing information into my network through the LAN interface of the router?

Because when I connected the router to my LAN switch all the branches got disconnected, but later on we came to know that there was some mistake in configuring the IP address on the LAN interface of the 2811 router.

Now I would like to put the link back online, so I thought I should verify this first.

Hope it is now clearer to all; your valuable information would be highly appreciated.



Haris P Fri, 05/23/2008 - 22:27

Dear Jacob,

I think the only way will be to use an ACL to block the BGP updates through the interface (179/tcp). The other way will be to secure your BGP with AS-path access-lists, prefix-lists, route-maps, etc.

Richard Burts Sat, 05/24/2008 - 09:03

There is a problem with attempting to use an access list to control sending BGP updates. Assigning an access list outbound on an interface will filter packets being routed through the router but it will NOT filter packets generated by the router itself.

So if you were to put an access list inbound on an interface you would be able to filter receiving routing updates. But it is not possible to put an access list outbound on an interface and filter sending routing updates.



I'm not certain why this is necessary. BGP, unlike other IGRPs, doesn't form neighbor relationships with any peer unless the router is configured for the neighbor. No neighbor configured, no updates. If memory serves, anonymous BGP peering was removed from IOS several minor revs ago.

Richard Burts Sat, 05/24/2008 - 09:13

John makes a very good point here: BGP only forms neighbor relations with configured peers. And if there is no configured BGP peer inside your network then BGP will not attempt to send routing updates into your network. And from the description so far, I do not believe that your previous problem was based on BGP updates being sent anywhere that you do not want.

There are some aspects of your situation that I do not understand well. But clearly there is a problem when you are using 172.16.x.x and you attempt to connect to the sister company, which is also using 172.16.x.x. I suspect that the reason you lost connectivity to your branches is that when you put in a route to the sister company's 172.16.x.x, it took precedence over the route to your own subnets. I believe that the solution will be for you to do some kind of address translation (perhaps translate so that in your network they appear to be using 172.17.x.x, and when the traffic gets to the router at your edge it will translate 172.17.x.x into 172.16.x.x. Similarly, they may need to translate your addresses: perhaps they will see you as 172.18.x.x, and when that traffic gets to their edge router it will translate it into your 172.16.x.x).



cisco24x7 Sat, 05/24/2008 - 10:31

I am going to make the following assumption:

The sister company only needs to access your company database server. Your network is a 172.16.x.x network and the sister company also has a 172.16.x.x network. They will initiate connections to your company. You do not need to initiate connections to them.

If that is the case, you do not need to run any BGP or IGP.

You just need to do the following:

1- NAT your database server to one of the IP addresses on the ADSL WAN link on the WAN router 2811,

2- Your internal network knows how to get to the WAN link 2811 router via redistribute static,

3- Your sister company will know how to get to the WAN link network via some kind of redistribute static.

This way, your sister company doesn't know anything about your 172.16.x.x network. They just need to know the NAT IP of the database server. NAT can be done on the 2811 router. At the same time, you don't care about their 172.16.x.x network. No routing protocols are

If bi-directional communication is needed, at that point double NAT on both sides will be needed. Again, no routing protocols are needed.

Jacob Samuel Sat, 05/24/2008 - 13:39

Awesome, your assumption is exactly the same scenario, dear cisco24x7. You are right: the other company will only access my DB server; there will not be any connection initiated from our side. This is what we were planning to do.

I will extend the LAN to make the 2811 router also a part of my LAN network and will connect it to my switch on our LAN. And I will put an ACL on the VLAN interface to permit the LAN interface IP of the 2811 to access only the DB server. No double NAT, since I don't need any access from my side to the other.

Sorry, but I don't have access to the 2811 router, otherwise I could have verified that exactly :) It should be the same :)

We will do the task and update all.

Thanks a lot for all your help :)
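Putting the thread's advice together as an added example (not config posted by anyone in this discussion): cisco24x7's static NAT of the DB server on the 2811, and the restrictive ACL Jacob plans on the HQ side, which per Rick's point must be applied inbound, since an outbound ACL never filters packets the 2811 itself originates. All addresses, VLAN and interface names are constructed placeholders.

```text
! ---- 2811 (operated by the sister company; shown for completeness) ----
! Constructed addresses, all placeholders: DB server 172.16.10.5 on the HQ LAN,
! 2811 LAN side 172.16.10.254, 2811 DSL WAN side 10.200.0.2/30, and 10.200.0.5
! as the address the sister company will use to reach the DB server.
interface FastEthernet0/0
 description HQ LAN (NAT inside)
 ip address 172.16.10.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description toward the DSL WAN link (NAT outside); interface name assumed
 ip address 10.200.0.2 255.255.255.252
 ip nat outside
!
! Step 1: static NAT. The sister company connects to 10.200.0.5; the 2811
! rewrites it to 172.16.10.5, so HQ's 172.16.x.x is never advertised to them.
ip nat inside source static 172.16.10.5 10.200.0.5
!
! Step 3 lives in the sister company's network: a static route for 10.200.0.5
! redistributed into their BGP. No route to HQ's 172.16.x.x is needed anywhere,
! and no BGP neighbor is configured toward HQ, so no updates are sent there.
!
! ---- HQ Catalyst L3 switch (Jacob's side) ----
! Step 2: HQ already routes 172.16.10.0/24 in EIGRP; nothing is redistributed
! and the sister company's 172.16.x.x never enters the HQ routing table.
ip access-list extended FROM-2811
 remark explicit BGP denies so the hit counters show any attempt (tcp/179)
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 remark only the 2811 LAN address, and only to the DB server
 permit ip host 172.16.10.254 host 172.16.10.5
 deny   ip any any
!
interface GigabitEthernet1/0/24
 description switchport facing the 2811 (port ACL, inbound only)
 switchport mode access
 switchport access vlan 10
 ip access-group FROM-2811 in
```

The ACL is applied as a port ACL on the switchport facing the 2811 rather than on the VLAN interface: when the 2811 and the DB server share a VLAN, their traffic is switched at layer 2 and never crosses the SVI, so an ACL on `interface Vlan10` would not see it. Check `show ip access-lists FROM-2811` after bringing the link up; hits on the two BGP lines or on the final deny show the 2811 attempting something other than reaching the DB server.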



guruprasadr Sat, 05/24/2008 - 10:35

Hi Jacob, [Pls rate all informative posts]

Since your company and the new sister company are using the same LAN segment, it is sure to create problems in the network.

The reason why you lost connectivity to all your own branches is that you extended your LAN to connect the sister company (router) having the same LAN segment: there could be a more specific route available in the global routing table (at the other end) which caused all your routes/traffic to be directed towards the more specific match.

I go by Rick's comments; the better recommendation is: connect your sister company via some telco, use NAT to translate your private 172.16.x.x to some public segment (as assigned by the telco), and vice versa for the sister company also.

So, in this way the traffic will be translated to the private segment when it enters the edge router, and similarly it will be translated to the new public segment when it exits the edge router.


Best Regards,

Guru Prasad R

cisco24x7 Sat, 05/24/2008 - 19:23

Look at the diagram; this is what you need to implement.

host_x, when trying to access the DB server, will be natted to

The DB server IP will be seen by the sister company as

The DB server will be seeing traffic coming from

Since you mentioned that you do not have control of the 2811 router, it is recommended that you place the 2811 outside of your firewall so that you can implement a security policy to control access to the DB server.

The solution is much simpler than you think.

Good Luck!

CCIE Security


