Catalyst 4500-X EIGRP Passive Interfaces

We have two Catalyst 4500-X L3 switches, one at our primary building and one at our secondary building. We have multiple VLANs setup for each department, servers, etc, with EIGRP routing the different subnets together.

When I run wireshark on any computer or server, I see lots of EIGRP Hello packets coming through, so I wanted to stop that from happening. My search led me to EIGRP passive interfaces.

Server > Port 1 > 4500-X, VLAN Y

Log into switch, Router EIGRP 1, passive-interface TenGigabitEthernet Z, now this should stop the Hello packets, but it doesn't. 

Every 5 seconds, Hello packets are still coming through. The only thing I can think of is that the packets are being generated at the VLAN level? The EIGRP packets are coming from the default gateway, which is the IP address assigned to that VLAN/Subnet. 


Can I set VLANs as passive interfaces? My assumption would be that as long as the two physical interfaces connected between the two 4500-X's aren't passive, that is all that should matter as far as exchanging EIGRP information. I don't want to break anything between our two core switch/routers. 

Thanks!

5 Replies

Reza Sharifi
Hall of Fame

Try making the SVI for each VLAN passive. Make sure not to make the interface between the 2 switches or the uplinks passive, as you need those for your EIGRP peering.

HTH

We have VLANs 300-350 for our network, and VLAN 100 for our network management. VLAN 100 exists between the link from Core A to Core B as well.

If I make all of the VLANs passive interfaces except for VLAN 100, EIGRP should function correctly, and this should prevent any rogue EIGRP routers from being connected, as long as they aren't somehow plugged into an interface that is on VLAN 100?

Thanks!


Correct in what you say. 


That is a common setup when running multiple VLANs between two L3 switches, i.e. use a VLAN for peering, VLAN 100 in your case, and then make the others passive.


Jon

"If I make all of the VLANs passive interfaces except for VLAN 100, EIGRP should function correctly, and this should prevent any rogue EIGRP routers from being connected, as long as they aren't somehow plugged into an interface that is on VLAN 100?"

Yes, but if you further wish to protect VLAN 100 from rogues you might configure authentication between peers.
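Putting the replies above together as one IOS configuration for the Core A side. This is an added example, not configuration posted by anyone in this thread or by Cisco; the EIGRP AS number 1 is the one the original post uses, but the key chain name EIGRP-KEYS, the 10.0.0.0/8 network statement, the SVI addresses and the shared secret are assumptions for illustration.

```cisco
! Added example (not from the thread). Core A side of the design described
! in the replies: peer only over the VLAN 100 SVI, make every other
! IP-addressed interface passive, and authenticate the peering VLAN.
! AS 1 comes from the original post; EIGRP-KEYS, 10.0.0.0/8 and the
! SVI addresses are assumptions.
!
! Make everything passive by default, then re-enable EIGRP hellos only on
! the SVI that carries the Core A <-> Core B adjacency. Passive SVIs still
! have their subnets advertised; they just send no hellos and form no
! adjacencies, which is what stops the multicast to 224.0.0.10 on the
! server and department VLANs.
router eigrp 1
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface Vlan100
!
! Optional hardening from the reply above: MD5 authentication on the
! peering SVI, so a rogue device in VLAN 100 cannot form an adjacency
! without the shared key. Configure the same key chain on Core B first;
! enabling authentication on one side only drops the adjacency.
key chain EIGRP-KEYS
 key 1
  key-string <shared-secret>
!
interface Vlan100
 description EIGRP peering Core A <-> Core B
 ip address 10.0.100.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
!
! Department/server SVIs need nothing extra; passive-interface default
! already covers them and every other SVI in the 300-350 range.
interface Vlan300
 description Department VLAN
 ip address 10.0.30.1 255.255.255.0
```

To check the result, `show ip eigrp interfaces` should list only Vlan100 (passive interfaces do not appear there), and `show ip protocols` lists the passive interfaces explicitly. On a host in VLAN 300 a Wireshark capture with the display filter `eigrp` should then show no further hellos from the gateway address, while `show ip eigrp neighbors` on either core still shows the peer over Vlan100. The physical trunk ports between the two 4500-Xs carry VLAN 100 at layer 2 and are not themselves EIGRP interfaces, so the SVI is the only place the adjacency needs to be allowed.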

Joseph W. Doherty
Hall of Fame
"The only thing I can think of is that the packets are being generated at the VLAN level?"

Actually, they should be generated for IP addressed interfaces (excluding those with passive) that have a corresponding network statement under the EIGRP config. This would be "routed interfaces" or SVIs. I.e. the VLAN level would be the SVI.