Table Of Contents
Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
Finding Feature Information in This Module
Information About Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
Transitioning Existing Networks to Use TTL Security Check
TTL Security Check for OSPF Virtual and Sham Links
Benefits of the OSPF Support for TTL Security Check
How to Configure OSPF TTL Security Check and OSPF Graceful Shutdown
Configuring TTL Security Check on All OSPF Interfaces
Configuring TTL Security Check on a Per-Interface Basis
Configuring OSPF Graceful Shutdown on a Per-Interface Basis
Configuration Examples for OSPF TTL Security Check and OSPF Graceful Shutdown
Transitioning an Existing Network to Use TTL Security Check: Example
Feature Information for Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
First Published: January 14, 2008Last Updated: October 2, 2009This module describes configuration tasks to configure various options involving Open Shortest Path First (OSPF). This module contains tasks that use commands to configure a lightweight security mechanism to protect OSPF sessions from CPU utilization-based attacks and configure a router to shut down a protocol temporarily without losing the protocol configuration.
Finding Feature Information in This Module
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring OSPF TTL Security Check and OSPF Graceful Shutdown" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Information About Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
•
•
•
Information About Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
To configure the OSPF features in this module, you should understand the following concepts:
TTL Security Check for OSPF
When the TTL Security Check feature is enabled, OSPF sends outgoing packets with an IP header Time to Live (TTL) value of 255 and discards incoming packets that have TTL values less than a configurable threshold. Since each router that forwards an IP packet decrements the TTL, packets received via a direct (one hop) connection will have a value of 255. Packets that cross two hops will have a value of 254, and so on. The receive threshold is configured in terms of the maximum number of hops a packet may have traveled. The value for this hop-count argument is a number from 1 to 254, with a default of 1.
The TTL Security Check feature may be configured under the OSPF router submode, in which case it applies to all the interfaces on which OSPF runs, or it may be configured on a per-interface basis.
Transitioning Existing Networks to Use TTL Security Check
If you currently have OSPF running in your network and want to implement TTL security on an interface-by-interface basis without any network interruptions, use the ip ospf ttl-security command and set the hop-count argument to 254. This setting causes outgoing packets to be sent with a TTL value of 255, but allows any value for input packets. Later, once the router at the other end of the link has had TTL security enabled, you can start enforcing the hop limit for incoming packets by using the same ip ospf ttl-security command with no hop count specified. This process ensures that OSPF packets will not be dropped because of a temporary mismatch in TTL security.
TTL Security Check for OSPF Virtual and Sham Links
In OSPF, all areas must be connected to a backbone area. If there is a break in backbone continuity, or the backbone is purposefully partitioned, you can establish a virtual link. The virtual link must be configured in both routers. The configuration information in each router consists of the other virtual endpoint (the other area border router [ABR]) and the nonbackbone area that the two routers have in common (called the transit area). Note that virtual links cannot be configured through stub areas. Sham links are similar to virtual links in many ways, but sham links are used in Layer 3 Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) networks to connect Provider Edge (PE) routers across the MPLS backbone.
To establish a virtual link or a sham link, use the area virtual-link or area sham-link cost commands, respectively, in router configuration mode. To configure the TTL Security Check feature on a virtual link or a sham link, configure the ttl-security keyword and the hop-count argument in either command. Note that the hop-count argument value is mandatory in this case.
Benefits of the OSPF Support for TTL Security Check
The OSPF Support for TTL Security Check feature provides an effective and easy-to-deploy solution to protect an OSPF neighbor sessions from CPU utilization-based attacks. When this feature is enabled, a host cannot attack an OSPF session if the host is not a member of the local or remote OSPF network or if the host is not directly connected to a network segment between the local and remote OSPF networks. This solution greatly reduces the effectiveness of Denial of Service (DoS) attacks against an OSPF autonomous system.
OSPF Graceful Shutdown
The OSPF Graceful Shutdown feature provides the ability to temporarily shut down the OSPF protocol in the least disruptive manner and notify its neighbors that is going away. All traffic that has another path through the network will be directed to that alternate path. A graceful shutdown of the OSPF protocol can be initiated using the shutdown command in router configuration mode.
This feature also provides the ability to shut down OSPF on a specific interface. In this case, OSPF will not advertise the interface or form adjacencies over it; however, all of the OSPF interface configuration will be retained. To initiate a graceful shutdown of an interface, use the ip ospf shutdown command in interface configuration mode.
How to Configure OSPF TTL Security Check and OSPF Graceful Shutdown
This section contains the following tasks:
•
•
•
Configuring TTL Security Check on All OSPF Interfaces
Perform this task to configure TTL security check on all OSPF interfaces.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring TTL Security Check on a Per-Interface Basis
Perform this task to configure TTL security check on an individual interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Configuring OSPF Graceful Shutdown on a Per-Interface Basis
Perform this task to configure a graceful shutdown on a specific OSPF interface.
When the ip ospf shutdown interface command is entered, the interface on which it is configured sends a link-state update advising its neighbors that is going down, which allows those neighbors to begin routing OSPF traffic around this router.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Configuration Examples for OSPF TTL Security Check and OSPF Graceful Shutdown
This section provides the following configuration example:
•
Transitioning an Existing Network to Use TTL Security Check: Example
The following example shows how to enable TTL security in an existing OSPF network on a per-interface basis.
Configuring TTL security in an existing network is a three-step process:
1.
2.
3.
configure terminal
! Configure the following command on the sending side router.
interface ethernet 0/1
ip ospf ttl-security hops 254
! Configure the next command on the receiving side router.
interface ethernet 0/1
ip ospf ttl-security
! Reconfigure the sending side with no hop count.
ip ospf ttl-security
end
Additional References
The following sections provide references related to the OSPF TTL Security Check and OSPF Graceful Shutdown features.
Related Documents
IP routing commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Technical Assistance
Feature Information for Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(33)SRC, 12.2(33)SB, 15.0(1)M or a later release appear in the table.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Configuring OSPF TTL Security Check and OSPF Graceful Shutdown
OSPF Graceful Shutdown
12.2(33)SRC
12.2(33)SB 15.0(1)MThis feature provides the ability to temporarily shut down a protocol in the least disruptive manner and notify its neighbors that is going away.
A graceful shutdown of a protocol can be initiated on all OSPF interfaces or on a specific interface.
The following sections provide information about this feature:
•
The following commands were introduced or modified: shutdown (router OSPF), ip ospf shutdown, show ip ospf interface, and show ip ospf.
In Cisco IOS Release 12.2(33)SB, support was added for the Cisco 10000 series routers.
OSPF TTL Security Check
12.2(33)SRC 15.0(1)M
This feature increases protection against OSPF denial of service attacks, enables checking of TTL values on OSPF packets from neighbors, and allows users to set TTL values sent to neighbors.
The following sections provide information about this feature:
•
•
The following commands were introduced or modified: ip ospf ttl-security, area virtual-link, area sham-link cost, ttl-security all-interfaces, show ip ospf interface, show ip ospf neighbor, show ip ospf traffic, and debug ip ospf adj.
This feature is not supported in Cisco IOS Release 12.2(33)SB.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.
Guest
