ospf ttl-security

Use ospf ttl-security to enable OSPF GTSM for an interface.

Use undo ospf ttl-security to disable OSPF GTSM for an interface.

Syntax

ospf ttl-security [ hops hop-count | disable ]

undo ospf ttl-security

Default

OSPF GTSM is disabled for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

hops hop-count: Specifies the hop limit for checking OSPF packets, in the range of 1 to 254. The default hop limit is 1 for packets from common neighbors.

disable: Disables OSPF GTSM for the interface.

Usage guidelines

GTSM checks OSPF packets from common neighbors and virtual link neighbors.

GTSM protects the device by comparing the TTL value in the IP header of incoming OSPF packets against a valid TTL range. If the TTL value is within the valid TTL range, the packet is accepted. If not, the packet is discarded.

The valid TTL range is from (255 – the configured hop count + 1) to 255.

When GTSM is configured, the OSPF packets sent by the device have a TTL of 255. To use GTSM, you must configure GTSM on both the local and peer devices. You can specify different hop-count values for them.

The hops keyword configured in interface view takes precedence over the hops keyword configured in OSPF area view.

If the ttl-security command is not configured in OSPF area view, the undo ospf ttl-security command disables GTSM for the interface.

If the ttl-security command is configured in OSPF area view, the undo ospf ttl-security command removes the GTSM configuration for the interface, and the GTSM configuration for the area then applies to the interface. The ospf ttl-security disable command disables GTSM for the interface.

If a virtual link exists in an area, you can enable GTSM for the interfaces on the virtual link. If you do not know the interfaces on the virtual link, enable GTSM in area view to prevent packet loss.
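
The following Python model is an added illustration, not part of the original command reference or of any device software. It works through the rules above for common neighbors: which hop count is in force on an interface (interface setting, explicit disable, or fallback to the area) and whether a given TTL is accepted. All function and constant names are hypothetical, and plain area-view ttl-security is assumed to use a hop count of 1.

```python
# Added illustration of the GTSM rules on this page (common neighbors only).
# Function and constant names are hypothetical; this is not device code.
DISABLE = "disable"   # models "ospf ttl-security disable" on the interface
DEFAULT_HOPS = 1      # default hop limit for packets from common neighbors
SENT_TTL = 255        # TTL of OSPF packets sent when GTSM is configured

def effective_hops(interface_cfg, area_hops):
    """Hop count in force on an interface, or None when GTSM is off.

    interface_cfg: None (not configured, or removed with undo), DISABLE,
                   or an int from "ospf ttl-security hops N".
    area_hops:     None (area-view ttl-security not configured) or an int.
    """
    if interface_cfg == DISABLE:
        return None                 # explicit disable overrides the area
    if interface_cfg is not None:
        return interface_cfg        # interface hops take precedence
    return area_hops                # fall back to the area configuration

def valid_ttl_range(hops):
    """Inclusive (low, high) range: 255 - hop count + 1 to 255."""
    if not 1 <= hops <= 254:
        raise ValueError("hop-count must be in the range 1 to 254")
    return SENT_TTL - hops + 1, SENT_TTL

def arrival_ttl(routers_crossed):
    """TTL at the receiver: each forwarding router decrements it by 1."""
    return SENT_TTL - routers_crossed

def gtsm_accepts(ttl, interface_cfg=None, area_hops=None):
    """True if a packet with this TTL is accepted on the interface."""
    hops = effective_hops(interface_cfg, area_hops)
    if hops is None:
        return True                 # GTSM off: TTL is not checked
    low, high = valid_ttl_range(hops)
    return low <= ttl <= high

if __name__ == "__main__":
    # Constructed cases: (description, TTL, interface config, area hops)
    cases = [
        ("adjacent peer, interface hops 1", arrival_ttl(0), 1, None),
        ("2 routers away, interface hops 3", arrival_ttl(2), 3, None),
        ("3 routers away, interface hops 3", arrival_ttl(3), 3, None),
        ("TTL 64, area GTSM, interface undo", 64, None, DEFAULT_HOPS),
        ("TTL 64, area GTSM, interface disable", 64, DISABLE, DEFAULT_HOPS),
    ]
    for desc, ttl, icfg, ahops in cases:
        verdict = "accept" if gtsm_accepts(ttl, icfg, ahops) else "discard"
        print(f"{desc:40} TTL={ttl:3} -> {verdict}")
```

In this model a hop count of N accepts packets that have crossed at most N - 1 routers, so the default of 1 accepts only packets that arrive with a TTL of 255.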

Examples

# Enable OSPF GTSM for VLAN-interface 10 and set the hop limit to 254.

<Sysname> system-view
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ospf ttl-security hops 254

# Enable GTSM in OSPF area view and disable OSPF GTSM for VLAN-interface 10.

<Sysname> system-view
[Sysname] ospf 100
[Sysname-ospf-100] area 1
[Sysname-ospf-100-area-0.0.0.1] ttl-security
[Sysname-ospf-100-area-0.0.0.1] quit
[Sysname-ospf-100] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ospf ttl-security disable

Related commands

ttl-security (OSPF area view)