2. Enter BGP view or BGP-VPN instance view.
   Command:
   • Enter BGP view:
     bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
   Remarks: Use either method.
3. Forbid session establishment with a peer or peer group.
   Command: peer { group-name | ip-address } ignore
   Remarks: Not forbidden by default.
Configuring GTSM for BGP
If an attacker continuously sends forged BGP packets to a device, the device directly delivers these packets to the CPU without checking their validity. As a result, the CPU utilization is very high. You can configure the Generalized TTL Security Mechanism (GTSM) to avoid such CPU-utilization based attacks.
The GTSM feature allows you to configure a hop-count value to get a valid TTL range (255 - hop-count + 1 to 255). Upon receiving a packet from the specified peer, the device checks whether the TTL in the IP header falls into the specified range. If yes, the packet is delivered to the CPU; otherwise, the packet is discarded.
In addition, with GTSM configured, the device sends packets with TTL 255. Therefore, GTSM provides the best protection for directly connected EBGP peers, because the TTL of packets exchanged between non-direct EBGP peers or IBGP peers can be modified by other devices.
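The TTL check described above, as an added example that is not part of this guide or the device software: a Python model of the GTSM range computation (255 - hop-count + 1 to 255) and the per-packet deliver-or-discard decision, run over constructed sample packets. The peer addresses, hop counts, the 1..255 bound on hop-count, and the assumption that each router on the path decrements TTL by exactly one are assumptions of the example.

```python
# Added example (not from the configuration guide): a model of the GTSM
# TTL check, run over constructed sample packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # source IP of the BGP packet (constructed sample value)
    ttl: int  # TTL in the IP header on arrival at the device


def gtsm_valid_range(hop_count: int) -> range:
    """TTL values accepted for a peer configured with
    'peer ... ttl-security hops hop-count': 255 - hop_count + 1 .. 255.
    The 1..255 bound on hop_count is an assumption of this example."""
    if not 1 <= hop_count <= 255:
        raise ValueError("hop-count must be between 1 and 255")
    return range(255 - hop_count + 1, 256)


def ttl_on_arrival(routers_crossed: int, initial_ttl: int = 255) -> int:
    """TTL a packet carries after crossing routers_crossed intermediate
    routers, assuming each router decrements TTL by one. A directly
    connected peer crosses none, so its TTL-255 packets arrive with 255.
    Returns 0 for a packet that would have expired in transit."""
    ttl = initial_ttl - routers_crossed
    return ttl if ttl > 0 else 0


def gtsm_filter(packets, gtsm_peers):
    """Split packets into (delivered, discarded).

    gtsm_peers maps a peer IP to its configured hop-count. Packets from a
    source without GTSM configured are delivered to the CPU unchecked,
    which is the pre-GTSM behaviour the text describes; packets from a
    GTSM peer are delivered only if the TTL is within the valid range."""
    delivered, discarded = [], []
    for pkt in packets:
        hop_count = gtsm_peers.get(pkt.src)
        if hop_count is None or pkt.ttl in gtsm_valid_range(hop_count):
            delivered.append(pkt)
        else:
            discarded.append(pkt)
    return delivered, discarded


if __name__ == "__main__":
    # Constructed: 10.0.0.2 is a directly connected EBGP peer (hop-count 1),
    # 10.0.1.2 is an EBGP peer three hops away (hop-count 3), and 10.0.2.2
    # has no GTSM configured.
    peers = {"10.0.0.2": 1, "10.0.1.2": 3}
    sample = [
        Packet("10.0.0.2", ttl_on_arrival(0)),  # genuine, TTL 255
        Packet("10.0.0.2", ttl_on_arrival(4)),  # spoofed from 4 routers away, TTL 251
        Packet("10.0.1.2", ttl_on_arrival(2)),  # genuine, TTL 253
        Packet("10.0.1.2", ttl_on_arrival(3)),  # one router too far, TTL 252
        Packet("10.0.2.2", 64),                 # no GTSM: delivered unchecked
    ]
    ok, dropped = gtsm_filter(sample, peers)
    for p in ok:
        print(f"deliver  {p.src} ttl={p.ttl}")
    for p in dropped:
        print(f"discard  {p.src} ttl={p.ttl}")
```

The model makes the limitation in the text concrete: a spoofed packet can only lower the arriving TTL, never raise it, so a directly connected peer with hop-count 1 accepts TTL 255 alone, while a peer reached over several hops accepts a wider range that an attacker closer to the device could also fall into. The device-side equivalent of the `gtsm_peers` table is the `peer { group-name | ip-address } ttl-security hops hop-count` command in the procedure that follows.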
IMPORTANT:
• The peer ttl-security hops command and the peer ebgp-max-hop command are mutually exclusive.
• You must configure GTSM on both the local and peer devices, and you can specify different hop-count values in a valid range for them.
To configure GTSM for BGP:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view.
   Command:
   • Enter BGP view:
     bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
   Remarks: Use either method.
3. Configure GTSM to check BGP packets from the specified BGP peer or peer group.
   Command: peer { group-name | ip-address } ttl-security hops hop-count
   Remarks: Not configured by default.