CCIE Topic: 1.4d OSPF Operations

Captions
Hey everyone, Charles Judd here, and in this video I'm taking a look at CCIE blueprint item 1.4d, OSPF Operations. I've looked at the general operation of OSPF in previous videos for this section, so here we're going to specifically look at a couple of sub-topics pointed out by the blueprint, those being OSPF graceful shutdown and GTSM, the Generic TTL Security Mechanism.

OSPF graceful shutdown is a way we can improve network convergence in cases where we want to remove or shut down an OSPF-enabled router. This is the least disruptive way to remove an OSPF router from a network, and that can be done globally on the OSPF process or at an interface level. The advantage here is that instead of waiting for our timers to expire so that the network can reconverge, the graceful shutdown operation will go ahead and notify all of the OSPF neighbors of what's happening so that they can direct network traffic over an alternate path, giving us a faster convergence time. By doing this, if we need to completely shut down or completely remove a router, we already have alternate paths in place and we minimally impact our network.

At a global level, when we shut down an entire OSPF process, our router will send hello packets with blank entries for the DR and BDR and also an empty neighbor list. Remember, we looked at these types of packets in Wireshark in a previous video. Doing this is going to trigger the other routers to go back to the Init state, trying to re-establish bidirectional communication with neighbors. Also, all of the LSAs originating from this router will be flooded with the age set to 3600 seconds, or one hour. This is a way to eventually flush all of those LSAs out of the network. This router will then stop sending and receiving OSPF packets and obviously will then drop all OSPF neighbor adjacencies. If we perform the shutdown at an interface level, we have the same hello packet situation, where the hello packet is sent with blank entries for the DR and BDR and an empty neighbor list, again triggering the Init state on other OSPF routers. This time, though, with the LSAs that are flooded, we're specifically flooding LSAs associated with this specific interface rather than all LSAs from the router. And of course we stop sending and receiving OSPF packets and we drop all of those neighbor adjacencies.

As we just saw, graceful shutdown is really easy to perform, so let's take a look at this in our topology. You can see that R1 has redundant links going out to R4 at 20.1.1.50. If we say show ip route, we'll see that currently our preferred path is over R2 at 10.1.1.2. So let's go to R2, let's go under our OSPF process, router ospf 1, and let's perform a graceful shutdown. We can do that very simply with the command shutdown. By the way, I've decreased my hello timer to one second and my hold timer to four seconds just to speed things up here in the lab. So if I say shutdown and hit enter to shut down this entire process, we see a message letting us know that our adjacency is down. If we go back to R1 we're going to see the same thing: we see that our dead timer has expired and we've dropped a neighbor. If we say show ip ospf neighbor, we're going to see that we now only have a neighborship with router 3 at 3.3.3.3. If we say show ip route, we should see now that we have a route going out to the 20.1.1.0 network over router 3 at 10.1.1.6.

If we go back to R2 and say show ip ospf interface gig 0/0, you can see that even though we've shut down this OSPF process, we still see some information about OSPF here: we see area 1, we see our state is down, we see our hello and dead timers that we've configured. So shutting down this process doesn't remove our OSPF configuration, and that's a big advantage to using graceful shutdown rather than just removing the OSPF process completely. If we look at our running configuration, let's say show run | section router ospf, we will of course see our OSPF configuration still in place. We see that here, a very simple OSPF configuration. If we go back under our OSPF process, router ospf 1, we can quickly bring that back up with a no shut command, just as you would perform on a typical interface, and you can see that our adjacency reforms without having to completely recreate our configuration. If we go back to R1 we see that new neighbor listed here in our console. If we again say show ip route, we're going to see that we're back to using R2 as the next hop at 10.1.1.2. Very simple. We can of course do that under interface configuration mode as well, so if we go to R2 and we go under interface gig 0/0, we can say ip ospf shutdown to specifically do that for our interface rather than our entire OSPF process. So graceful shutdown is really simple; you can do that globally or at an interface level with a very simple command.

Now let's discuss the Generic TTL Security Mechanism, or GTSM. This is outlined in RFC 5082 as a way to protect against remote attacks where spoofing may take place. By default, when OSPF receives an LSA there is no check made against the TTL value, and by default we know that OSPF uses a TTL value of one. So if we had a topology as we see here with a couple of OSPF routers, it's possible that an attacker could introduce a spoofed OSPF packet to R2 with a TTL value of two. It would have the spoofed source set to R2's IP address, 172.16.10.2, and the destination set for R1 at 172.16.10.1. R2 would receive the packet, it would decrement the TTL value to 1, and send the packet over to R1. Even if R1 happens to reject the packet, we still have traffic hitting the control plane on router 1, which can impact the performance if enough of those packets make it over to R1. And that's exactly the issue that GTSM was created to stop. With GTSM we can enable a TTL security check globally for the entire OSPF process, or we can do that for a specific interface. This forces OSPF to only accept packets with a specific TTL value, and by default that will be set to 255. The reason for this default value is that 255 is the highest possible TTL value. The TTL value is an 8-bit field, so we can't go higher than 255, and that means if we wanted to spoof OSPF packets with this security mechanism in place we would need to create a spoofed TTL value of 256 in order to reach another OSPF router, which isn't possible with that 8-bit field.

Let's take a look at this in action. Now we're using the same topology from before, and this time we're using Wireshark to see those packets more closely. If we go to R2, let's first enable debugging: let's say debug ip ospf adjacencies. Now let's go under router ospf 1 and let's enable this security mechanism for our entire OSPF process. We do that by saying ttl-security all-interfaces, and if we hit enter here, immediately you're going to see a console message stating that we are dropping packets from R1 at 10.1.1.1 which have a TTL value of one. If we jump over to our Wireshark capture you can see several of our hello packets from the source of 10.1.1.2, which is R2. If we expand that information we can see our TTL value, our Time to Live value, listed here, and that is set to 255.

If we go to R1 and we enable that here as well, this will bring our adjacency back up. So let's do that, but let's do that at an interface level instead of doing that globally, so that we can look at that variation of the command. Let's go under interface gig 0/0, which is connecting out to R2, and at the interface level the command is ip ospf ttl-security. We want to see our adjacency reform, so that happens, that's good. And if we look at our packet capture we can see now that we have a source of 10.1.1.2, still with a TTL value of 255, but now also the source from router 1 is additionally 255. And I am doing a packet capture on the gig 0/0 interface here, by the way. Now if we go back over to R1 and I say show ip ospf neighbor, you're going to see that we still have two adjacencies: we have an adjacency with R2 and R3. So we haven't affected our adjacency with R3, because we enabled this at the interface level. Now, if I had enabled that globally we would of course have to do this on R3 as well; we would have to enable that security mechanism on that router.

One additional thing you can do: let's go back to R2, and I'm going to go ahead and turn off all of my debugging. If we go back under router ospf 1, I'm going to arrow up and again look at the command ttl-security all-interfaces, and let's look at contextual help. One thing we see here is an optional keyword, which is hops. If we say hops and we look at contextual help again, you'll see that we can configure this within the range of 1 to 254.

Now this might be a bit deceiving and is a little confusing. This doesn't set the maximum TTL as you think it might; this isn't the actual TTL field value, but rather this is the number of allowed hops. So this is essentially a threshold value, and by default that's set to zero if we don't specify this optional parameter. Remember, I didn't initially set this parameter. Whatever we configure here is going to be subtracted from 255 to give us the TTL value allowed from OSPF packets. So by default, remember, that's set to zero; that gives us 255 minus zero, meaning that only packets with a 255 TTL value would be allowed. If we set that to, say, 100, then that's going to subtract 100 from 255, and that would leave 155. That means that any OSPF packets within the range of 155 to 255 would be accepted. So if you need to tweak that value for some reason, maybe in the case of something like a discontiguous area from multiple sites that have merged, that's how you can adjust that.

One last thing to note is that when we enable this for all interfaces, this does not include virtual links or sham links used with MPLS Layer 3 VPNs. To enable that on a virtual link you would use the command area virtual-link ttl-security, and for sham links we would do something similar, that being area sham-link ttl-security.

So that's a look at some OSPF operations that we had yet to cover under this blueprint item. I hope you found this content useful. I want to thank you sincerely for watching.
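As an added illustration (not code from the video or from Cisco IOS), a small Python model of the two behaviours the video walks through: the GTSM acceptance window of [255 - hops, 255] applied before a packet reaches the OSPF process, and the graceful-shutdown hello (DR/BDR 0.0.0.0, empty neighbor list) that sends a neighbor back to Init. Hellos are represented as plain dicts and neighbor states as strings, both assumptions of this example.

```python
"""Constructed model of the OSPF behaviours discussed above (not IOS code)."""
from dataclasses import dataclass

MAX_TTL = 255      # an 8-bit TTL cannot exceed 255, which is why GTSM keys on it
LSA_MAXAGE = 3600  # LSAs flooded at this age (one hour) are flushed from the network


def gtsm_min_ttl(hops: int = 0) -> int:
    """Lowest TTL accepted: 255 minus the configured 'hops' threshold (default 0)."""
    if not 0 <= hops <= 254:
        raise ValueError("hops must be between 0 and 254")
    return MAX_TTL - hops


def gtsm_accepts(ttl: int, hops: int = 0) -> bool:
    """GTSM check: accept only TTLs in the window [255 - hops, 255]."""
    return gtsm_min_ttl(hops) <= ttl <= MAX_TTL


def ttl_after_forwarding(initial_ttl: int, routers_traversed: int) -> int:
    """Each router that forwards a packet decrements its TTL by one."""
    return max(initial_ttl - routers_traversed, 0)


def is_graceful_shutdown_hello(hello: dict) -> bool:
    """A shutdown hello advertises no DR/BDR and an empty neighbor list."""
    return hello["dr"] == "0.0.0.0" and hello["bdr"] == "0.0.0.0" and not hello["neighbors"]


def is_flushed(lsa_age: int) -> bool:
    """An LSA whose age has reached MaxAge is removed from the database."""
    return lsa_age >= LSA_MAXAGE


@dataclass
class Neighbor:
    router_id: str
    state: str = "FULL"


def process_hello(my_router_id: str, nbr: Neighbor, hello: dict, ttl: int,
                  ttl_security: bool = False, hops: int = 0) -> str:
    """Apply GTSM first, then the hello's effect on the neighbor state machine."""
    if ttl_security and not gtsm_accepts(ttl, hops):
        return "DROPPED"          # never reaches OSPF, like the R2 console message above
    if my_router_id not in hello["neighbors"]:
        nbr.state = "INIT"        # 1-WayReceived: the neighbor no longer lists us
    elif nbr.state == "INIT":
        nbr.state = "2WAY"        # bidirectional communication re-established
    return nbr.state
```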
Info
Channel: Charles Judd
Views: 951
Keywords: cisco, ccie, cisco enarsi, ccie enterprise infrastructure, cisco enarsi 300-410, cisco encor 350-401, ccie lab, my ccie journey, ccie training, ccie blueprint, section 1.4, 1.4 ospf, LSA, 1.4d ospf operations, ospf graceful shutdown, gtsm generic ttl security mechanism
Id: ilKPtXchxX4
Length: 12min 22sec (742 seconds)
Published: Fri Oct 23 2020