
Configuring BGP GTSM - Huawei Quidway NetEngine80E Configuration Manual

Universal service router, ip routing

HUAWEI NetEngine80E/40E Router
Configuration Guide - IP Routing
Issue 02 (2014-09-30)

8.23.4 Configuring BGP GTSM

The Generalized TTL Security Mechanism (GTSM) function protects devices by checking whether the TTL value in the IP header is within a pre-defined range.

Procedure

• Adjust GTSM.
Perform the following steps on two devices that establish a BGP peer relationship:

1. Run:
   system-view
   The system view is displayed.
2. Run:
   bgp { as-number-plain | as-number-dot }
   The BGP view is displayed.
3. Run:
   peer { group-name | ipv4-address } valid-ttl-hops [ hops ]
   BGP GTSM is configured.

   The valid TTL range of a checked packet is [255 - hops + 1, 255]. For example, the hops value is 1 for an EBGP direct route, so the valid TTL of EBGP direct routes is 255. By default, the hops value is 255, so the valid TTL range is [1, 255].

   NOTE
   • The configuration in the BGP view is also valid for the VPNv4 extension of MP-BGP, because they use the same TCP connection.
   • GTSM and EBGP-MAX-HOP are mutually exclusive; therefore, you can enable only one of them on the same peer or peer group.

An interface board of a BGP device enabled with GTSM checks the TTL values in all received BGP packets. In actual networking, packets whose TTL values are outside the specified range are either allowed to pass or discarded by GTSM. When the default action of GTSM is drop, an appropriate TTL value range needs to be set based on the network topology. Packets whose TTL values are outside the range are discarded, which prevents bogus BGP packets from consuming CPU resources.

• Set the GTSM default action.

Perform the following steps on a GTSM-enabled router:

1. Run:
   system-view
   The system view is displayed.
2. Run:
   gtsm default-action { drop | pass }
   The default action to be taken on the packets that do not match a GTSM policy is Drop.
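
The TTL check that the two procedures above configure, modelled in Python as an added example (not code from the manual or from Huawei). The function names, the peer addresses and the rule that a packet matches a GTSM policy when its source address is a configured peer are assumptions of this model.

```python
from ipaddress import ip_address

MAX_TTL = 255  # highest value of the 8-bit IP TTL field


def valid_ttl_range(hops=255):
    """Valid range from the manual: [255 - hops + 1, 255]; hops defaults to 255."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be between 1 and 255")
    return (MAX_TTL - hops + 1, MAX_TTL)


def gtsm_verdict(src, ttl, policies, default_action):
    """Return (action, rule) for one received BGP packet.

    policies maps a peer address to its valid-ttl-hops value.
    Assumption of this model: a packet matches a GTSM policy when its
    source address is one of those peers.
    """
    if default_action not in ("drop", "pass"):
        raise ValueError("default_action must be 'drop' or 'pass'")
    hops = policies.get(ip_address(src))
    if hops is None:
        # No policy for this source: 'gtsm default-action' decides.
        return (default_action, "default-action")
    low, high = valid_ttl_range(hops)
    if low <= ttl <= high:
        return ("pass", "ttl-in-range")
    # Each router on the path decrements TTL, so a sender more than
    # `hops` hops away cannot deliver a packet inside the range.
    return ("drop", "ttl-out-of-range")


# Constructed sample data (documentation address ranges, not from the manual).
POLICIES = {
    ip_address("192.0.2.2"): 1,     # directly connected EBGP peer -> [255, 255]
    ip_address("198.51.100.7"): 3,  # peer up to 3 hops away       -> [253, 255]
}
PACKETS = [("192.0.2.2", 255), ("192.0.2.2", 254), ("198.51.100.7", 253),
           ("198.51.100.7", 252), ("203.0.113.9", 255)]

if __name__ == "__main__":
    for action in ("drop", "pass"):
        print(f"gtsm default-action {action}")
        for src, ttl in PACKETS:
            print(f"  {src:<13} ttl={ttl:<3} ->", *gtsm_verdict(src, ttl, POLICIES, action))
```

With the default hops value of 255 the range is [1, 255], so the check accepts every TTL from that peer; the range only filters anything once hops is set to match the topology.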
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 BGP Configuration


This manual is also suitable for:

Quidway NetEngine40E, NE40E, NE80E