Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
This module describes how to configure two Open Shortest Path First (OSPF) options: a lightweight security mechanism that protects OSPF sessions from CPU-utilization-based attacks, and a way to shut down the protocol temporarily on a router without losing the protocol configuration.
- Finding Feature Information
- Information About OSPF TTL Security Check and OSPF Graceful Shutdown
- How to Configure OSPF TTL Security Check and OSPF Graceful Shutdown
- Configuration Examples for OSPF TTL Security Check and OSPF Graceful Shutdown
- Additional References
- Feature Information for Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About OSPF TTL Security Check and OSPF Graceful Shutdown
- TTL Security Check for OSPF
- Transitioning Existing Networks to Use TTL Security Check
- TTL Security Check for OSPF Virtual and Sham Links
- Benefits of the OSPF Support for TTL Security Check
- OSPF Graceful Shutdown
TTL Security Check for OSPF
When the TTL Security Check feature is enabled, OSPF sends outgoing packets with an IP header Time to Live (TTL) value of 255 and discards incoming packets that have TTL values less than a configurable threshold. Since each device that forwards an IP packet decrements the TTL, packets received via a direct (one-hop) connection will have a value of 255. Packets that cross two hops will have a value of 254, and so on. The receive threshold is configured in terms of the maximum number of hops that a packet may have traveled. The value for this hop-count argument is a number from 1 to 254, with a default of 1.
The TTL Security Check feature may be configured under the OSPF router submode, in which case it applies to all the interfaces on which OSPF runs, or it may be configured on a per-interface basis.
Transitioning Existing Networks to Use TTL Security Check
If you currently have OSPF running in your network and want to implement TTL security on an interface-by-interface basis without any network interruptions, use the ip ospf ttl-security command and set the hop-count argument to 254. This setting causes outgoing packets to be sent with a TTL value of 255 but allows any value for incoming packets. Later, once the device at the other end of the link has had TTL security enabled, you can start enforcing the hop limit for incoming packets by using the same ip ospf ttl-security command with no hop count specified. This process ensures that OSPF packets will not be dropped because of a temporary mismatch in TTL security.
TTL Security Check for OSPF Virtual and Sham Links
In OSPF, all areas must be connected to a backbone area. If there is a break in backbone continuity, or the backbone is purposefully partitioned, you can establish a virtual link. The virtual link must be configured on both devices. The configuration information on each device consists of the other virtual endpoint (the other area border router [ABR]) and the nonbackbone area that the two devices have in common (called the transit area). Note that virtual links cannot be configured through stub areas. Sham links are similar to virtual links in many ways, but sham links are used in Layer 3 Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) networks to connect Provider Edge (PE) routers across the MPLS backbone.
To establish a virtual link or a sham link, use the area virtual-link or area sham-link cost commands, respectively, in router configuration mode. To configure the TTL Security Check feature on a virtual link or a sham link, configure the ttl-security keyword and the hop-count argument in either command. Note that the hop-count argument value is mandatory in this case.
Benefits of the OSPF Support for TTL Security Check
The OSPF Support for TTL Security Check feature provides an effective and easy-to-deploy solution to protect OSPF neighbor sessions from CPU utilization-based attacks. When this feature is enabled, a host cannot attack an OSPF session if the host is not a member of the local or remote OSPF network, or if the host is not directly connected to a network segment between the local and remote OSPF networks. This solution greatly reduces the effectiveness of Denial of Service (DoS) attacks against an OSPF autonomous system.
OSPF Graceful Shutdown
The OSPF Graceful Shutdown feature provides the ability to temporarily shut down the OSPF protocol in the least disruptive manner and notify its neighbors that it is going away. All traffic that has another path through the network will be directed to that alternate path. A graceful shutdown of the OSPF protocol can be initiated using the shutdown command in router configuration mode.
This feature also provides the ability to shut down OSPF on a specific interface. In this case, OSPF will not advertise the interface or form adjacencies over it; however, all of the OSPF interface configuration will be retained. To initiate a graceful shutdown of an interface, use the ip ospf shutdown command in interface configuration mode.
How to Configure OSPF TTL Security Check and OSPF Graceful Shutdown
- Configuring TTL Security Check on All OSPF Interfaces
- Configuring TTL Security Check on a Per-Interface Basis
- Configuring OSPF Graceful Shutdown on a Per-Interface Basis
Configuring TTL Security Check on All OSPF Interfaces
DETAILED STEPS
Configuring TTL Security Check on a Per-Interface Basis
DETAILED STEPS
Command or Action | Purpose
---|---
Example: Router> enable | Enables privileged EXEC mode.
Example: Router# configure terminal | Enters global configuration mode.
Example: Router(config)# interface GigabitEthernet 0/0/0 | Configures an interface type and enters interface configuration mode.
Example: Router(config-if)# ip ospf ttl-security | Configures the TTL Security Check feature on a specific interface.
Example: Router(config-if)# end | Returns to privileged EXEC mode.
Example: Router# show ip ospf interface gigabitethernet 0/0/0 | (Optional) Displays OSPF-related interface information.
Example: Router# show ip ospf neighbor 10.199.199.137 | (Optional) Displays OSPF neighbor information on a per-interface basis.
Example: Router# show ip ospf traffic | (Optional) Displays OSPF traffic statistics.
Example: Router# debug ip ospf adj | (Optional) Initiates debugging of OSPF adjacency events.
Configuring OSPF Graceful Shutdown on a Per-Interface Basis
DETAILED STEPS
Command or Action | Purpose
---|---
Example: Router> enable | Enables privileged EXEC mode.
Example: Router# configure terminal | Enters global configuration mode.
Example: Router(config)# interface GigabitEthernet 0/1/0 | Configures an interface type and number and enters interface configuration mode.
Example: Router(config-if)# ip ospf shutdown | Initiates an OSPF protocol graceful shutdown at the interface level.
Example: Router(config-if)# end | Returns to privileged EXEC mode.
Example: Router# show ip ospf interface GigabitEthernet 0/1/0 | (Optional) Displays OSPF-related interface information.
Example: Router# show ip ospf | (Optional) Displays general information about OSPF routing processes.
Configuration Examples for OSPF TTL Security Check and OSPF Graceful Shutdown
Example: Transitioning an Existing Network to Use TTL Security Check
The following example shows how to enable TTL security in an existing OSPF network on a per-interface basis.
Configuring TTL security in an existing network is a three-step process:
- Configure TTL security with a hop count of 254 on the OSPF interface on the sending side device.
- Configure TTL security with no hop count on the OSPF interface on the receiving side device.
- Reconfigure the sending side OSPF interface with no hop count.
```
configure terminal
! Configure the following command on the sending side router.
interface gigabitethernet 0/1/0
ip ospf ttl-security hops 254
! Configure the next command on the receiving side router.
interface gigabitethernet 0/1/0
ip ospf ttl-security
! Reconfigure the sending side with no hop count.
ip ospf ttl-security
end
```
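The following Python model is an added example, not part of the Cisco module: it applies the TTL arithmetic from the "TTL Security Check for OSPF" section to the three-step transition above and checks that no stage drops a packet, while enabling the default check on the receiving side first would break the adjacency. It assumes that an interface without TTL security sends OSPF packets with TTL 1 (a constructed assumption) and that the receive threshold is 255 minus the configured hop count, which is what lets hops 254 accept any incoming TTL.

```python
from dataclasses import dataclass

MAX_TTL = 255  # TTL the feature stamps on every outgoing OSPF packet
# Constructed assumption: without TTL security an interface sends TTL 1.
# This is what makes the "temporary mismatch" on the page possible.
LEGACY_TTL = 1


@dataclass(frozen=True)
class OspfIf:
    """TTL-security state of one OSPF interface, following the page's description."""
    ttl_security: bool = False
    hops: int = 1  # hop-count argument: 1..254, default 1

    def __post_init__(self) -> None:
        if not 1 <= self.hops <= 254:
            raise ValueError("hops must be in 1..254")

    def sent_ttl(self) -> int:
        return MAX_TTL if self.ttl_security else LEGACY_TTL

    def accepts(self, ttl: int) -> bool:
        """Receive check: threshold is 255 - hops, so hops 254 admits any routable TTL."""
        return not self.ttl_security or ttl >= MAX_TTL - self.hops


def adjacency_ok(a: OspfIf, b: OspfIf, routers_between: int = 0) -> bool:
    """Both directions must pass; each forwarding router between the peers costs one TTL."""
    return (b.accepts(a.sent_ttl() - routers_between)
            and a.accepts(b.sent_ttl() - routers_between))


def staged_transition() -> list:
    """The page's three-step rollout on a direct link; each stage keeps the adjacency up."""
    sender, receiver = OspfIf(), OspfIf()
    stages = [adjacency_ok(sender, receiver)]
    sender = OspfIf(True, 254)      # step 1: ip ospf ttl-security hops 254 on the sender
    stages.append(adjacency_ok(sender, receiver))
    receiver = OspfIf(True)         # step 2: ip ospf ttl-security on the receiver (default hops 1)
    stages.append(adjacency_ok(sender, receiver))
    sender = OspfIf(True)           # step 3: sender reconfigured with no hop count
    stages.append(adjacency_ok(sender, receiver))
    return stages


def receiver_first() -> bool:
    """The mismatch the page warns about: enforcing the default check before the peer sends TTL 255."""
    return adjacency_ok(OspfIf(), OspfIf(True))
```

With the default hop count, a packet that has crossed two or more forwarding routers arrives with TTL 253 or less and fails the check, which is the property that keeps a host outside the link from reaching the OSPF process.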
Additional References
The following sections provide references related to the OSPF TTL Security Check and OSPF Graceful Shutdown features.
Related Documents
Related Topic | Document Title
---|---
Configuring OSPF | "Configuring OSPF"
OSPF commands | Cisco IOS IP Routing: OSPF Command Reference; Cisco IOS master command list, all releases
Standards
Standard | Title
---|---
No new or modified standards are supported, and support for existing standards has not been modified. | --
MIBs
MIB | MIBs Link
---|---
No new or modified MIBs are supported, and support for existing MIBs has not been modified. | To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
RFC | Title
---|---
No new or modified RFCs are supported, and support for existing RFCs has not been modified. | --
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1: Feature Information for Configuring OSPF TTL Security Check and OSPF Graceful Shutdown

Feature Name | Releases | Feature Information
---|---|---
OSPF Graceful Shutdown | Cisco IOS XE Release 2.1, Cisco IOS XE Release 3.3SG, Cisco IOS Release 15.1(1)SG | This feature provides the ability to temporarily shut down a protocol in the least disruptive manner and to notify its neighbors that it is going away. A graceful shutdown of a protocol can be initiated on all OSPF interfaces or on a specific interface. The following commands were introduced or modified:
OSPF TTL Security Check | Cisco IOS XE Release 2.1, Cisco IOS XE Release 3.3SG, Cisco IOS Release 15.1(1)SG | This feature increases protection against OSPF denial of service attacks, enables checking of TTL values on OSPF packets from neighbors, and allows users to set TTL values sent to neighbors. The following commands were introduced or modified: