< Home

Configuring BGP GTSM

Context

To protect a device against the attacks of forged BGP packets, you can configure GTSM to check whether the TTL value in the IP packet header is within the specified range. GTSM allows or discards packets with TTL values outside of the specified range according to networking requirements. When the default action to be taken on packets is set to drop in GTSM, set a proper TTL range according to the network topology. Then packets with TTL values outside of the specified range are discarded. This prevents attackers from sending forged BGP packets to consume CPU resources.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bgp { as-number-plain | as-number-dot }

    The BGP view is displayed.

    The configurations of GTSM and peer ebgp-max-hop affect the TTL values of BGP packets, which may cause a conflict between TTL values. Therefore, you can configure only either of the two functions for a peer or peer group.

  3. Run peer { group-name | ipv4-address | ipv6-address } valid-ttl-hops [ hops ]

    BGP GTSM is configured.

    By default, GTSM is not configured on any BGP peer or peer group.

  4. (Optional) Run the gtsm default-action { drop | pass } command in the system view:

    The default action to be taken on the packets that do not match a GTSM policy is set.

    By default, the action to be taken on the packets that do not match the GTSM policy is pass.

  5. (Optional) Run the gtsm log drop-packet all command in the system view:

    The log function is enabled on boards.

    The log records information regarding GTSM packet drops, which helps locate faults.

Parent Topic: Configuring BGP Security
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >