Configuring OSPF - Gaia Clish (ospf)

Use the commands below to set and view OSPF parameters.

The syntax is shown below for each set of commands.

Note - Gaia does not have CLI commands for route filtering and redistribution. You must configure inbound routing policies and redistribution of routes through the Gaia Portal. You can configure route maps and route aggregation using CLI commands. Route map configuration done through the CLI takes precedence over route filtering and redistribution configured in the Gaia Portal. For example, if OSPF uses route maps for inbound filtering, anything configured on the Gaia Portal page for inbound route filters for OSPF is ignored. You can still use the Gaia Portal to configure route redistribution into OSPF.

When you do initial configuration, set the router ID. Use this command:

set router-id {default | <ip_address>}

Parameters

Parameter

Description

default

Selects the highest interface address when OSPF is enabled.

<ip_address>

Specifies a specific IP address to assign as the router ID. Do not use 0.0.0.0 as the router ID address. Best Practice - Check Point recommends setting the router ID rather than relying on the default setting. Setting the router ID prevents the ID from changing if the default interface used for the router ID goes down.

The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend setting the router ID rather than relying on the default setting. This prevents the router ID from changing if the interface used for the router ID goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1).

Note - In a cluster, you must select a router ID and make sure that it is the same on all cluster members.

  • Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255]). Do not use 0.0.0.0.
  • Default: The interface address of one of the local interfaces.

Configuring OSPF Global Settings

Global settings apply to all configured OSPF areas, including the backbone and stub areas.

To configure global settings:

Run the set ospf command with these options:

set ospf {rfc1583‑compatibility {on | off} | spf‑delay {default | <delay>} | spf-holdtime {default | <holdtime>} | default-ase-cost <cost> | default-ase-type {1 | 2} | force-hellos {on | off} | force-hellos timer {default | <2-10>} | graceful-restart-helper {on | off} | graceful-restart {on | off | grace-period <seconds>}}

Parameter

Description

rfc1583‑compatibility {on | off}

Ensure backward compatibility. This option is on by default.

spf‑delay {default | <delay>}

Specify the <delay> value, in seconds, to wait before recalculating the OSPF routing table after a change in the topology. The default is 2 seconds.

spf-holdtime {default | <holdtime>}

Specify the minimal <holdtime>, in seconds, between recalculations of the OSPF routing table. The default is 5 seconds.

default-ase-cost <cost>

Specify the cost assigned to routes from other protocols that are redistributed into OSPF as autonomous system external (ASE) routes. If the route has a cost already specified, that cost takes precedence. Valid cost values are between 1 and 6777215.

default-ase-type {1 | 2}

Specify the type assigned to routes from other protocols that are redistributed into OSPF as autonomous system external (ASE) routes. If the route has a type already specified, that type takes precedence. Valid type values are 1 or 2.

force-hellos

In addition to OSPF regular hello packets, OSPF sends out hello packets at specified intervals when it processes updates or synchronizes routes.

  • Default: Off

force-hellos timer

The time in seconds between one forced hello message to the next.

  • Value: 2-10
  • Default: 5

graceful-restart-helper {on | off}

Specify whether the Check Point system should maintain the forwarding state advertised by peer routers, even when they restart, to minimize the negative effects caused by peer routers restarting.

graceful-restart {on | off | grace-period <seconds>}

Configure Graceful Restart - turn it on, turn it off, or set the grace period to a value between 1 and 1800 seconds. The default grace period is 120 seconds.

OSPF Areas

Use the following commands to configure OSPF areas, including the backbone and stub areas.

For OSPFv2, use the following commands.

set ospf area backbone <on | off>

set ospf area ospf_area

<on | off>

stub <on | off>

stub default‑cost <1‑677215>

stub summary <on | off>

nssa <on | off>

nssa default-cost <1-677215>

nssa default-metric-type <1-2>

nssa import-summary-routes <on | off>

nssa translator-role <always | candidate>

nssa translator-stability-interval <1-65535>

nssa redistribution <on | off>

nssa range ip_addr [restrict] <on | off>

Parameter

Description

backbone <on | off>

Specifies whether to enable or disable the backbone area. By default, the backbone area is enabled. You can disable the backbone area if the system does not have interfaces on the backbone area.

<on | off>

Specifies the area ID for a new OSPF area.
Best Practice - Check Point recommends that you enter the area ID as a dotted quad, but you can use any integer as the area ID. The area ID 0.0.0.0 is reserved for the backbone.

stub <on | off>

Specifies the area ID for a stub area. Stub areas are areas that do not have AS external routes.

Note - The backbone area cannot be a stub area.

stub default‑cost <1‑677215>

Specifies a default route into the stub area with the specified cost.

stub summary <on | off>

Specifies the OSPF area as totally stubby, meaning that it does not have any AS external routes and its area border routers do not advertise summary routes.

nssa <on | off>

Specifies the area ID for an NSSA.

Note - The backbone area cannot be an NSSA area.

nssa default-cost <1-677215>

Specifies the cost associated with the default route to the NSSA.

nssa default-metric-type <1-2>

Specifies the type of metric. The default, type 1, is equivalent to the Default ASE Route Type on the OSPF Portal page. A type 1 route is internal and its metric can be used directly by OSPF for comparison. A type 2 route is external and its metric cannot be used for comparison directly.

nssa import-summary-routes <on | off>

Specifies if summary routes (summary link advertisements) are imported into the NSSA.

nssa translator-role <always | candidate>

Specifies whether this NSSA border router will unconditionally translate Type-7 LSAs into Type-5 LSAs. When the role is Always, Type-7 LSAs are translated into Type-5 LSAs regardless of the translator state of other NSSA border routers. When the role is Candidate, this router participates in the translator election to determine if it will perform the translation duties.

nssa translator-stability-interval <1-65535>

Specifies how long in seconds this elected Type-7 translator will continue to perform its translator duties once it has determined that its translator status has been assumed by another NSSA border router. Default: 40 seconds.

nssa redistribution <on | off>

Specifies if both Type-5 and Type-7 LSAs or only Type-7 LSAs will be originated by this NSSA border router.

nssa range ip_addr [restrict] <on | off>

Specify the range of addresses to reduce the number of Type-5 LSAs for the NSSA border router. To prevent a specific prefix from being advertised, use the restrict argument.

OSPF Interfaces

Use these commands to configure a backbone and other areas, such as stub areas, for specified interfaces.

For OSPFv2 use the following commands:

set ospf

area {backbone | <ospf_area>} range <ip_prefix> {on | off}

area {backbone | <ospf_area>} range <ip_prefix> restrict {on | off}

stub‑network <ip_prefix> {on | off}

stub‑network <ip_prefix> stub‑network‑cost <1‑677722>

set ospf interface <if_name>

area {backbone | <ospf_area>} {on | off}

hello‑interval <1‑65535> | default

dead‑interval <1‑65535> | default

retransmit‑interval <1‑65535> | default

cost <1‑65535>

priority <0‑255>

passive {on | off}

virtual-address {on | off}

authtype none

authtype simple <1-8 alphanumeric characters>

authtype md5 key <1-255> secret <1-16 alphanumeric characters>

authtype md5 key <1-255> off

Parameter

Description

area {backbone | <ospf_area>} range <ip_prefix> {on | off}

Select an area from the areas already configured.
Any area can be configured with any number of address ranges. These ranges are used to reduce the number of routing entries that a given area transmits to other areas. If a given prefix aggregates a number of more specific prefixes within an area, you can configure an address range that becomes the only prefix advertised to other areas. Be careful when configuring an address range that covers part of a prefix that is not contained within an area. An address range is defined by an IP prefix and a mask length. If you mark a range as restrict, it is not advertised to other areas.

area {backbone | <ospf_area>} range ip_prefix restrict {on | off}

Any area can be configured with any number of address ranges. These ranges are used to reduce the number of routing entries that a given area transmits to other areas. If a given prefix aggregates a number of more specific prefixes within an area, you can configure an address range that becomes the only prefix advertised to other areas. Be careful when configuring an address range that covers part of a prefix that is not contained within an area. An address range is defined by an IP prefix and a mask length. If you mark a range as restrict, it is not advertised to other areas.

stub‑network ip_prefix {on | off}

Specifies a stub network to which the specified interface range belongs. Configure a stub network to advertise reachability to prefixes that are not running OSPF. The advertised prefix appears as an OSPF internal route and is filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured, that is, one of the router’s interface addresses must fall within the prefix range to be included in the router‑link‑state advertisement. Use a mask length of 32 to configure the stub host. The local address of a point‑to‑point interface can activate the advertised prefix and mask. To advertise reachability to such an address, enter an IP address for the prefix and a non‑zero cost for the prefix.

stub‑network ip_prefix stub‑network‑cost <1‑677722>

Configure a stub network to advertise reachability to prefixes that are not running OSPF. The advertised prefix appears as an OSPF internal route and is filtered at area borders with the OSPF area ranges. The prefix must be directly reachable on the router where the stub network is configured, that is, one of the router’s interface addresses must fall within the prefix range to be included in the router‑link‑state advertisement. Use a mask length of 32 to configure the stub host. The local address of a point‑to‑point interface can activate the advertised prefix and mask. To advertise reachability to such an address, enter an IP address for the prefix and a non‑zero cost for the prefix.

interface if_name area {backbone | <ospf area>} {on | off}

Specifies the OSPF area to which the specified interface belongs.

interface if_name hello‑interval <1‑65535>

Specifies the interval, in seconds, between hello packets that the router sends on the specified interface. For a given link, this value must be the same on all routers or adjacencies do not form.

interface if_name hello‑interval default

Specifies the default value for the hello interval, which is 10 seconds.

interface if_name dead‑interval <1‑65535>

Specifies the number of seconds that the router waits without receiving hello packets before it declares the peer down. Generally, you should set this value at 4 times the value of the hello interval. Do not set the value at 0. For a given link, this value must be the same on all routers or adjacencies do not form.

interface if_name dead‑interval default

Specifies the default value for the dead interval, which is 40 seconds.

interface if_name retransmit‑interval <1‑65535>

Specifies the number of seconds between link state advertisement transmissions for adjacencies belonging to the specified interface. This value also applies to database description and link state request packets. Set this value conservatively, that is, at a significantly higher value than the expected round‑trip delay between any two routers on the attached network.

interface if_name retransmit‑interval default

Specifies the default for the retransmit interval, which is 5 seconds.

interface if_name cost <1‑65535>

Specifies the weight of the given path in a route. The higher the cost, the less preferred the link. To use one interface over another for routing paths, assign one a higher cost.

interface if_name priority <0‑255>

Specifies the priority for becoming the designated router (DR) on the specified link. When two routers attached to a network attempt to become a designated router, the one with the highest priority wins. This option prevents the DR from changing too often. The DR option applies only to a shared‑media interface, such as Ethernet or FDDI; a DR is not elected on a point‑to‑point type interface. A router with a priority of 0 is not eligible to become the DR.

interface if_name passive {on | off}

Enabling this option puts the specified interface into passive mode; that is, hello packets are not sent from the interface. Putting an interface into passive mode means that no adjacencies are formed on the link. This mode enables the network associated with the specified interface to be included in intra‑area route calculation rather than redistributing the network into OSPF and having it function as an autonomous system external.

  • Default: off

interface if_name authtype none

Specifies not to use an authentication scheme for the specified interface.

interface if_name authtype simple <1-8 alphanumeric characters>

Specifies to use simple authentication for the specified interface. Enter an ASCII string that is 8 characters long. Generally, routers on a given link must agree on the authentication configuration to form peer adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.

interface if_name authtype md5 key <1-255> secret <1-16 alphanumeric characters>

Specifies to use MD5 authentication. Enter at least one key ID and its corresponding MD5 secret. If you configure multiple key IDs, the largest key ID is used for authenticating outgoing packets. All keys can be used to authenticate incoming packets. Generally, routers on a given link must agree on the authentication configuration to form peer adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.
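The following added example (not Check Point code) audits a list of `set` lines, written in the syntax documented on this page, against the router ID, hello/dead interval and authentication guidance above. The sample configuration, interface names and secrets are constructed, and skipping the authentication check on passive interfaces is this example's assumption.

```python
HELLO_DEFAULT, DEAD_DEFAULT = 10, 40  # interface defaults stated on this page
# Constructed sample input (hypothetical interfaces and secrets).
SAMPLE_CONFIG = """
set router-id default
set ospf interface eth1 area backbone on
set ospf interface eth1 authtype md5 key 1 secret ExampleKey1
set ospf interface eth1 authtype md5 key 7 secret ExampleKey7
set ospf interface eth2 area backbone on
set ospf interface eth2 authtype simple example1
set ospf interface eth2 hello-interval 5
set ospf interface eth3 area backbone on
set ospf interface eth3 authtype md5 key 3 secret ExampleKey3
set ospf interface eth3 authtype md5 key 3 off
set ospf interface eth4 area backbone on
set ospf interface eth4 passive on
"""

def parse(config):
    """Return the router ID and per-interface OSPF settings found in config."""
    state = {"router_id": None, "interfaces": {}}
    for line in config.splitlines():
        tok = line.replace("\u2011", "-").split()  # page text uses non-breaking hyphens
        if tok[:2] == ["set", "router-id"] and len(tok) == 3:
            state["router_id"] = tok[2]
        elif tok[:3] == ["set", "ospf", "interface"] and len(tok) >= 6:
            ifc = state["interfaces"].setdefault(tok[3], {
                "enabled": False, "passive": False, "auth": "none",
                "keys": set(), "hello": HELLO_DEFAULT, "dead": DEAD_DEFAULT})
            opt, args = tok[4], tok[5:]
            if opt == "area":
                ifc["enabled"] = args[-1] == "on"
            elif opt == "passive":
                ifc["passive"] = args[0] == "on"
            elif opt in ("hello-interval", "dead-interval"):
                field = opt.split("-")[0]
                default = HELLO_DEFAULT if field == "hello" else DEAD_DEFAULT
                ifc[field] = default if args[0] == "default" else int(args[0])
            elif opt == "authtype":
                ifc["auth"] = args[0]
                if args[0] == "md5" and len(args) >= 4 and args[1] == "key":
                    if args[3] == "off":  # "key <id> off" removes that key
                        ifc["keys"].discard(int(args[2]))
                    else:
                        ifc["keys"].add(int(args[2]))
    return state

def audit(config):
    """Return (subject, finding) tuples for settings the page advises against."""
    state, findings = parse(config), []
    if state["router_id"] in (None, "default"):
        findings.append(("router-id", "not set explicitly; it can change if the interface goes down"))
    for name, ifc in sorted(state["interfaces"].items()):
        if not ifc["enabled"]:
            continue
        if ifc["dead"] != 4 * ifc["hello"]:
            findings.append((name, f"dead-interval {ifc['dead']} is not 4x hello-interval {ifc['hello']}"))
        if ifc["passive"]:
            continue  # passive: no hellos sent, no adjacencies, nothing to authenticate
        if ifc["auth"] == "none":
            findings.append((name, "no authentication: routing updates are not verified"))
        elif ifc["auth"] == "simple":
            findings.append((name, "simple authentication: password travels in cleartext"))
        elif not ifc["keys"]:
            findings.append((name, "authtype md5 selected but no key ID is active"))
    return findings

def tx_key(config, if_name):
    """Largest configured key ID, which the page says authenticates outgoing packets."""
    keys = parse(config)["interfaces"][if_name]["keys"]
    return max(keys) if keys else None

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

On the constructed sample, `tx_key(SAMPLE_CONFIG, "eth1")` returns 7, the key ID that every peer on that link must also hold before lower key IDs can be retired.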

OSPF Virtual Links

Use these commands to configure OSPF virtual links. Configure a virtual link if the router is a border router that does not have interfaces in the backbone area. The virtual link is effectively a tunnel across an adjacent non‑backbone area whose endpoint must be any of the adjacent area’s border routers that has an interface in the backbone area.

For OSPFv2 use the following commands:

set ospf area backbone virtual‑link <ip_address>

transit‑area <ospf_area> <on | off>

transit‑area <ospf_area> hello‑interval <1‑65535> | default

transit‑area <ospf_area> dead‑interval <1‑4294967295> | default

transit‑area <ospf_area> retransmit‑interval <1‑4294967295> | default

transit‑area <ospf_area> authtype none

transit‑area <ospf_area> authtype simple <1-8 alphanumeric characters>

transit‑area <ospf_area> authtype md5 key <1-255> secret <1-16 alphanumeric characters>

transit‑area <ospf_area> authtype md5 key <1-255> off

Parameter

Description

transit‑area <ospf_area> <on | off>

Specifies the IP address of the remote endpoint of the virtual link and the transit area, which is an OSPF area you configure using the set ospf area command. Configure the OSPF area you are using as the transit area before you configure the virtual link. The transit area is the area shared by the border router on which you configure the virtual link and the router with an interface in the backbone area. Traffic between the endpoints of the virtual link flows through this area. The virtual link IP address functions as the router ID of the remote endpoint of the virtual link.

transit‑area <ospf_area> hello‑interval <1‑65535>

Specifies the interval, in seconds, between hello packets that the router sends on the specified interface. For a given link, this value must be the same on all routers or adjacencies do not form.

transit‑area <ospf_area> hello‑interval default

Specifies an interval of 10 seconds.

transit‑area <ospf_area> dead‑interval <1‑4294967295>

Specifies the number of seconds that the router waits without receiving hello packets before it declares the neighbor down. Generally, you should set this value at 4 times the value of the hello interval. Do not set the value at 0. For a given link, this value must be the same on all routers or adjacencies do not form.

transit‑area <ospf_area> dead‑interval default

Specifies a value of 40 seconds.

transit‑area <ospf_area> retransmit‑interval <1‑4294967295>

Specifies the number of seconds between link state advertisement transmissions for adjacencies belonging to the specified interface. This value also applies to database description and link state request packets. Set this value conservatively, that is, at a significantly higher value than the expected round‑trip delay between any two routers on the attached network.

transit‑area <ospf_area> retransmit‑interval default

Specifies a value of 5 seconds.

transit‑area <ospf_area> authtype none

Specifies not to use an authentication scheme for the specified interface.

transit‑area <ospf_area> authtype simple <1-8 alphanumeric characters>

Specifies to use simple authentication for the specified interface. Enter an ASCII string that is 8 characters long. Generally, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.

transit‑area <ospf_area> authtype md5 key <1-255> secret <1-16 alphanumeric characters>

Specifies to use MD5 authentication. Enter at least one key ID and its corresponding MD5 secret. If you configure multiple key IDs, the largest key ID is used for authenticating outgoing packets. All keys can be used to authenticate incoming packets. Generally, routers on a given link must agree on the authentication configuration to form neighbor adjacencies. Use an authentication scheme to guarantee that routing information is accepted only from trusted peers.

OSPF and IPv6 OSPF Show Commands

To monitor and troubleshoot the OSPFv3 routing, run:

show ospf
border-routers
database
area {backbone | <area_id>}
areas [detailed]
asbr-summary-lsa [detailed]
checksum
database-summary
detailed
external-lsa [detailed]
network-lsa [detailed]
nssa-external-lsa [detailed]
opaque-lsa [detailed]
router-lsa [detailed]
summary-lsa [detailed]
type {1 | 2 | 3 | 4 | 5 | 6 | 7}
errors {dd | hello | ip | lsack | lsr | lsu | protocol}
events
interface <interface_name> [detailed | stats]
interfaces [detailed | stats]
neighbor <neighbor_IP> [detailed]
neighbors [detailed]
packets
routemap
summary

Where:

Parameter

Description

border-routers

Shows the state of each area border router:

  • Router ID
  • OSPF area
  • Associated route cost

database

area {backbone | <area_id>}

areas [detailed]

checksum

database-summary

detailed

external-lsa [detailed]

inter-area-prefix-lsa [detailed]

inter-area-router-lsa [detailed]

intra-area-prefix-lsa [detailed]

link-lsa [detailed]

network-lsa [detailed]

router-lsa [detailed]

type {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9}

Show the OSPF database information:

  • area {backbone | <area_id>} - Router-link state, network-link state, AS-border-router-link state, AS-external-link state, and summary-link state statistics for the specified OSPF area; for each interface in this OSPF area, shows the checksum, sequence number, and link count
  • areas [detailed] - Router-link state, network-link state, AS-border-router-link state, AS-external-link state, and summary-link state statistics for each OSPF area; for each OSPF interface, shows the checksum, sequence number, and link count
  • checksum - Checksum sum for each OSPF interface
  • database-summary - Summary of all types of LSAs
  • detailed - Detailed statistics on all types of LSAs
  • external-lsa [detailed] - Type 5 (AS-external) LSA statistics for each OSPF area
  • inter-area-prefix-lsa [detailed] - Type 3 (Summary) LSA statistics for each OSPF area (OSPFv3 only)
  • inter-area-router-lsa [detailed] - Type 4 (ASBR) LSA statistics for each OSPF area (OSPFv3 only)
  • intra-area-prefix-lsa [detailed] - Type 9 (Intra-Area Prefix) LSA statistics for each OSPF area (OSPFv3 only)
  • link-lsa [detailed] - Type 8 (Link) LSA statistics for each OSPF area (OSPFv3 only)
  • network-lsa [detailed] - Type 2 (Network) LSA statistics for each OSPF area
  • router-lsa [detailed] - Type 1 (Router) LSA statistics for each OSPF area
  • nssa-external-lsa [detailed] - Type 7 (NSSA) LSA statistics for each OSPF area (OSPFv2 only)
  • opaque-lsa [detailed] - Opaque LSA statistics for each OSPF area (OSPFv2 only)
  • summary-lsa [detailed] - Summary of all LSAs for each OSPF area (OSPFv2 only)
  • type {1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9} - LSA statistics for each type of LSA:
    • 1 - Router LSA
    • 2 - Network LSA
    • 3 - Summary LSA in OSPFv2, Inter-Area Prefix LSA in OSPFv3
    • 4 - Summary ASBR LSA in OSPFv2, Inter-Area Router LSA in OSPFv3
    • 5 - External LSA in OSPFv2, AS-External LSA in OSPFv3
    • 7 - NSSA LSA in OSPFv2 only, not supported in OSPFv3
    • 8 - Link LSA in OSPFv3 only, not supported in OSPFv2
    • 9 - Intra-Area Prefix LSA in OSPFv3 only, not supported in OSPFv2

errors {dd | hello | ip | lsack | lsr | lsu | protocol}

Number of error messages sent, per type:

  • dd - Database description error messages
  • hello - Hello error messages
  • ip - IP error messages
  • lsack - Link-state acknowledgment error messages
  • lsr - Link-state request error messages
  • lsu - Link-state update error messages
  • protocol - Protocol error messages

events

Number of these types of events:

  • Interface down
  • Interface up
  • Virtual interface down
  • Virtual interface up
  • Designated Router (DR) elections
  • Router ID (RID) changes
  • Area border router (ABR) changes
  • AS border router (ASBR) changes
  • RFC1583 changes
  • LSA self-advertisement messages

interface <interface_name> [detailed | stats]

Shows OSPF information for the specified interface:

  • <interface_name> - interface name
    • IP address
    • Area ID
    • State
    • Number of logged errors (NC)
    • DR Interface IP address
    • BDR Interface IP address
  • detailed
    • IP Address
    • Area
    • Router ID
    • Network type
    • Cost
    • Authentication type
    • Error count
    • Event count
    • Transmit delay
    • State
    • Priority
    • Designated Router (DR) ID and interface IP address
    • Backup Designated Router (BDR) ID and interface IP address
    • Hello, Dead, Wait, and Retransmit timers (in seconds)
    • Next Hello timer
    • Neighbor count
    • Count of lost 2-way connections with neighbors
  • stats
    • Total Errors
    • Hello Interval Mismatch
    • External Option Error
    • Delayed Ack Count
    • Dead Interval Mismatch
    • Lost Neighbor Count
    • Authentication Errors
    • Duplicate Router ID
    • Neighbor Errors
    • Newer Self LSA Count
    • Neighbor Count

interfaces [detailed | stats]

Shows OSPF information for all interfaces:

  • Without command options
    • IP address
    • Area ID
    • State
    • Number of logged errors (NC)
    • DR Interface IP address
    • BDR Interface IP address
  • detailed
    • IP Address
    • Area
    • Router ID
    • Network type
    • Cost
    • Authentication type
    • Error count
    • Event count
    • Transmit delay
    • State
    • Priority
    • Designated Router (DR) ID and interface IP address
    • Backup Designated Router (BDR) ID and interface IP address
    • Hello, Dead, Wait, and Retransmit timers (in seconds)
    • Next Hello timer
    • Neighbor count
    • Count of lost 2-way connections with neighbors
  • stats
    • Total Errors
    • Hello Interval Mismatch
    • External Option Error
    • Delayed Ack Count
    • Dead Interval Mismatch
    • Lost Neighbor Count
    • Authentication Errors
    • Duplicate Router ID
    • Neighbor Errors
    • Newer Self LSA Count
    • Neighbor Count

neighbor <neighbor_IP> [detailed]

Shows OSPF information for the specified OSPF neighbor:

  • Priority
  • State
  • Number of logged errors

neighbors [detailed]

Shows OSPF information for each OSPF neighbor:

  • IP address
  • Priority
  • State
  • Number of logged errors

packets

Shows the number of received (Rx) and transmitted (Tx) OSPF packets:

  • Hello Rx
  • Hello Tx
  • Link State Update Rx
  • Link State Update Tx
  • Link State Ack Rx
  • Link State Ack Tx
  • Link State Request Rx
  • Link State Request Tx

routemap

Shows OSPF Import Policy and Export Policy.

summary

Shows detailed OSPF configuration.