Configuring OSPF Database Protection

OSPF Database Protection Overview

OSPF database protection allows you to limit the number of link-state advertisements (LSAs) not generated by the local router in a given OSPF routing instance, helping to protect the link-state database from being flooded with excessive LSAs. This feature is particularly useful if VPN routing and forwarding is configured on your provider edge and customer edge routers using OSPF as the routing protocol. An overrun link-state database on the customer edge router can exhaust resources on the provider edge router and impact the rest of the service provider network.

When you enable OSPF database protection, the maximum number of LSAs you specify includes all LSAs whose advertising router ID is not equal to the local router ID (nonself-generated LSAs). These might include external LSAs as well as LSAs with any scope such as the link, area, and autonomous system (AS).

Once the specified maximum LSA count is exceeded, the database typically enters the ignore state. In this state, all neighbors are brought down, and nonself-generated LSAs are destroyed. In addition, the database sends out hellos but ignores all received packets. As a result, the database does not form any full neighbors, and therefore does not learn about new LSAs. However, if you have configured the warning-only option, only a warning is issued and the database does not enter the ignore state but continues to operate as before.

You can also configure one or more of the following options:

  • A warning threshold for issuing a warning message before the LSA limit is reached.

  • An ignore state time during which the database must remain in the ignore state and after which normal operations can be resumed.

  • An ignore state count that limits the number of times the database can enter the ignore state, after which it must enter the isolate state. The isolate state is very similar to the ignore state, but has one important difference: once the database enters the isolate state, it must remain there until you issue a command to clear database protection before it can return to normal operations.

  • A reset time during which the database must stay out of the ignore or isolate state before it is returned to a normal operating state.

Configuring OSPF Database Protection

By configuring OSPF database protection, you can help prevent your OSPF link-state database from being overrun with excessive LSAs that are not generated by the local router. You specify the maximum number of LSAs whose advertising router ID is not the same as the local router ID in an OSPF instance. This feature is particularly useful if your provider edge and customer edge routers are configured with VPN routing and forwarding using OSPF.

OSPF database protection is supported on:

  • Logical systems

  • All routing instances supported by OSPFv2 and OSPFv3

  • OSPFv2 and OSPFv3 topologies

  • OSPFv3 realms

To configure OSPF database protection:

  1. Include the database-protection statement at one of the following hierarchy levels:
    • [edit protocols (ospf | ospf3)]

    • [edit logical-systems logical-system-name routing-instances routing-instance-name protocols (ospf | ospf3)]

    • [edit routing-instances routing-instance-name protocols (ospf | ospf3)]

    • [edit routing-instances routing-instance-name protocols ospf3 realm (ipv4-unicast | ipv4-multicast | ipv6-unicast | ipv6-multicast)]

  2. Include the maximum-lsa number statement.
    Note:

    The maximum-lsa statement is mandatory, and there is no default value for it. If you omit this statement, you cannot configure OSPF database protection.

  3. (Optional) Include the following statements:
    • ignore-count number—Specify the number of times the database can enter the ignore state before it goes into the isolate state.

    • ignore-time seconds—Specify the time limit the database must remain in the ignore state before it resumes regular operations.

    • reset-time seconds—Specify the time during which the database must operate without being in either the ignore or isolate state before it is reset to a normal operating state.

    • warning-threshold percent—Specify the percent of the maximum LSA number that must be exceeded before a warning message is issued.

  4. (Optional) Include the warning-only statement to prevent the database from entering the ignore state or isolate state when the maximum LSA count is exceeded.
    Note:

    If you include the warning-only statement, values for the other optional statements at the same hierarchy level are not used when the maximum LSA number is exceeded.

  5. Verify your configuration by checking the database protection fields in the output of the show ospf overview command.
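
The following configuration is an added example, not taken from the original documentation. It shows the procedure above applied to two routing instances: one that enforces the LSA limit and one that only warns. The instance names CUST-A and CUST-B and all numeric values are constructed for illustration, and both instances are assumed to exist already with OSPF configured.

```junos
/* Added example: instance names and numeric values are constructed. */
routing-instances {
    /* Hypothetical VRF facing a customer edge router: enforce the limit. */
    CUST-A {
        protocols {
            ospf {
                database-protection {
                    /* Mandatory. Counts only nonself-generated LSAs. */
                    maximum-lsa 5000;
                    /* Warn once 80 percent of 5000 (4000 LSAs) is exceeded. */
                    warning-threshold 80;
                    /* Seconds the database remains in the ignore state. */
                    ignore-time 300;
                    /* Times the ignore state can be entered before isolate. */
                    ignore-count 3;
                    /* Seconds outside ignore or isolate before reset to normal. */
                    reset-time 600;
                }
            }
        }
    }
    /* Hypothetical VRF still being baselined: warn only, keep neighbors up. */
    CUST-B {
        protocols {
            ospf {
                database-protection {
                    maximum-lsa 5000;
                    /* Database never enters the ignore or isolate state. */
                    /* Other optional statements at this level would not be used. */
                    warning-only;
                }
            }
        }
    }
}
```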