
Example for Configuring BGP GTSM

Networking Requirements

As shown in Figure 1, SwitchA belongs to AS 10, and SwitchB, SwitchC, and SwitchD belong to AS 20. BGP runs on the network. To protect the devices against attacks that use forged BGP packets, you can configure GTSM so that each device checks whether the TTL value in the IP header of a received BGP packet is within the specified range and discards the packet if it is not.

Figure 1 Networking diagram of configuring BGP GTSM

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure OSPF on SwitchB, SwitchC, and SwitchD to implement interworking in AS 20.
  2. Set up an EBGP connection between SwitchA and SwitchB, and set up IBGP connections between SwitchB, SwitchC, and SwitchD through loopback interfaces.
  3. Configure GTSM on SwitchA, SwitchB, SwitchC, and SwitchD so that SwitchB is protected against CPU-utilization attacks.

Procedure

  1. Configure the VLAN to which each interface belongs.

    # Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar to the configuration of SwitchA.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 10
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type trunk
    [SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [SwitchA-GigabitEthernet0/0/1] quit

  2. Assign an IP address to each interface.

    # Configure SwitchB. The configurations of SwitchA, SwitchC, and SwitchD are similar to the configuration of SwitchB.

    [SwitchB] interface vlanif 10
    [SwitchB-Vlanif10] ip address 10.1.1.2 24
    [SwitchB-Vlanif10] quit
    [SwitchB] interface vlanif 20
    [SwitchB-Vlanif20] ip address 10.2.1.1 24
    [SwitchB-Vlanif20] quit
    [SwitchB] interface loopback 0
    [SwitchB-LoopBack0] ip address 172.16.2.9 32
    [SwitchB-LoopBack0] quit

  3. Configure OSPF.

    # Configure SwitchB. The configurations of SwitchC and SwitchD are similar to the configuration of SwitchB.

    [SwitchB] ospf
    [SwitchB-ospf-1] area 0.0.0.0
    [SwitchB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
    [SwitchB-ospf-1-area-0.0.0.0] network 172.16.2.9 0.0.0.0
    [SwitchB-ospf-1-area-0.0.0.0] quit
    [SwitchB-ospf-1] quit

  4. Configure an IBGP connection.

    # Configure SwitchB.

    [SwitchB] bgp 20
    [SwitchB-bgp] router-id 172.16.2.9
    [SwitchB-bgp] peer 172.16.3.9 as-number 20
    [SwitchB-bgp] peer 172.16.3.9 connect-interface LoopBack0
    [SwitchB-bgp] peer 172.16.3.9 next-hop-local
    [SwitchB-bgp] peer 172.16.4.9 as-number 20
    [SwitchB-bgp] peer 172.16.4.9 connect-interface LoopBack0
    [SwitchB-bgp] peer 172.16.4.9 next-hop-local

    # Configure SwitchC.

    [SwitchC] bgp 20
    [SwitchC-bgp] router-id 172.16.3.9
    [SwitchC-bgp] peer 172.16.2.9 as-number 20
    [SwitchC-bgp] peer 172.16.2.9 connect-interface LoopBack0
    [SwitchC-bgp] peer 172.16.4.9 as-number 20
    [SwitchC-bgp] peer 172.16.4.9 connect-interface LoopBack0

    # Configure SwitchD.

    [SwitchD] bgp 20
    [SwitchD-bgp] router-id 172.16.4.9
    [SwitchD-bgp] peer 172.16.2.9 as-number 20
    [SwitchD-bgp] peer 172.16.2.9 connect-interface LoopBack0
    [SwitchD-bgp] peer 172.16.3.9 as-number 20
    [SwitchD-bgp] peer 172.16.3.9 connect-interface LoopBack0

  5. Configure an EBGP connection.

    # Configure SwitchA.

    [SwitchA] bgp 10
    [SwitchA-bgp] router-id 172.16.1.9
    [SwitchA-bgp] peer 10.1.1.2 as-number 20
    

    # Configure SwitchB.

    [SwitchB-bgp] peer 10.1.1.1 as-number 10
    [SwitchB-bgp] quit

    # Display the connection status of the BGP peers.

    [SwitchB] display bgp peer
    
     BGP local router ID : 172.16.2.9
     Local AS number : 20
     Total number of peers : 3                 Peers in established state : 3
    
      Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
    
      172.16.3.9      4    20        8        7     0 00:05:06 Established       0
      172.16.4.9      4    20        8       10     0 00:05:33 Established       0
      10.1.1.1        4    10        7        7     0 00:04:09 Established       0

    The output shows that SwitchB has established BGP connections with the other three switches.

  6. Configure GTSM on SwitchA and SwitchB. SwitchA and SwitchB are directly connected, so the valid TTL range between the two switches is [255, 255], and valid-ttl-hops is set to 1.

    # Configure GTSM on SwitchA.

    [SwitchA-bgp] peer 10.1.1.2 valid-ttl-hops 1

    # Configure GTSM of the EBGP connection on SwitchB.

    [SwitchB-bgp] peer 10.1.1.1 valid-ttl-hops 1

    # Check the GTSM configuration.

    [SwitchB] display bgp peer 10.1.1.1 verbose
    
             BGP Peer is 10.1.1.1,  remote AS 10
             Type: EBGP link
             BGP version 4, Remote router ID 172.16.1.9
             Update-group ID : 0
             BGP current state: Established, Up for 00h49m35s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 1
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 52876
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 59 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             57
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 79 messages
                      Update messages                5
                      Open messages                  2
                      KeepAlive messages             71
                      Notification messages          1
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:17:37
     Last keepalive sent    : 2012/03/06 19:17:37
     Last update    received: 2012/03/06 19:17:43
     Last update    sent    : 2012/03/06 19:17:37
     Minimum route advertisement interval is 30 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with valid-ttl-hops 1 and that the BGP connection is in the Established state.

  7. Configure GTSM on SwitchB and SwitchC. SwitchB and SwitchC are directly connected, so the valid TTL range between the two switches is [255, 255], and valid-ttl-hops is set to 1.

    # Configure GTSM on SwitchB.

    [SwitchB-bgp] peer 172.16.3.9 valid-ttl-hops 1

    # Configure GTSM of the IBGP connection on SwitchC.

    [SwitchC-bgp] peer 172.16.2.9 valid-ttl-hops 1

    # View the GTSM configuration.

    [SwitchB] display bgp peer 172.16.3.9 verbose
    
             BGP Peer is 172.16.3.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 172.16.3.9
             Update-group ID : 1
             BGP current state: Established, Up for 00h54m36s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 54998    Remote - 179
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 69 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             58
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:18:37
     Last keepalive sent    : 2012/03/06 19:18:37
     Last update    received: 2012/03/06 19:18:43
     Last update    sent    : 2012/03/06 19:18:37
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with valid-ttl-hops 1 and that the BGP connection is in the Established state.

  8. Configure GTSM on SwitchC and SwitchD. SwitchC and SwitchD are directly connected, so the valid TTL range between the two switches is [255, 255], and valid-ttl-hops is set to 1.

    # Configure GTSM of the IBGP connection on SwitchC.

    [SwitchC-bgp] peer 172.16.4.9 valid-ttl-hops 1

    # Configure GTSM of the IBGP connection on SwitchD.

    [SwitchD-bgp] peer 172.16.3.9 valid-ttl-hops 1

    # Check the GTSM configuration.

    [SwitchC] display bgp peer 172.16.4.9 verbose
    
             BGP Peer is 172.16.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 172.16.4.9
             Update-group ID : 1
             BGP current state: Established, Up for 00h56m06s
             BGP current event: KATimerExpired
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 179      Remote - 53758
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 63 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             62
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 63 messages
                      Update messages                0
                      Open messages                  2
                      KeepAlive messages             61
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:19:37
     Last keepalive sent    : 2012/03/06 19:19:37
     Last update    received: 2012/03/06 19:19:43
     Last update    sent    : 2012/03/06 19:19:37
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 1
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with valid-ttl-hops 1 and that the BGP connection is in the Established state.

  9. Configure GTSM on SwitchB and SwitchD. SwitchB and SwitchD are connected through SwitchC, so the valid TTL range between the two switches is [254, 255], and valid-ttl-hops is set to 2.

    # Configure GTSM of the IBGP connection on SwitchB.

    [SwitchB-bgp] peer 172.16.4.9 valid-ttl-hops 2

    # Configure GTSM on SwitchD.

    [SwitchD-bgp] peer 172.16.2.9 valid-ttl-hops 2

    # Check the GTSM configuration.

    [SwitchB] display bgp peer 172.16.4.9 verbose
    
             BGP Peer is 172.16.4.9,  remote AS 20
             Type: IBGP link
             BGP version 4, Remote router ID 172.16.4.9
             Update-group ID : 1
             BGP current state: Established, Up for 00h57m48s
             BGP current event: RecvKeepalive
             BGP last state: OpenConfirm
             BGP Peer Up count: 2
             Received total routes: 0
             Received active routes total: 0
             Received mac routes: 0
             Advertised total routes: 0
             Port:  Local - 53714    Remote - 179
             Configured: Connect-retry Time: 32 sec
             Configured: Min Hold Time: 0 sec
             Configured: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Received  : Active Hold Time: 180 sec
             Negotiated: Active Hold Time: 180 sec   Keepalive Time:60 sec
             Peer optional capabilities:
             Peer supports bgp multi-protocol extension
             Peer supports bgp route refresh capability
             Peer supports bgp 4-byte-as capability
             Address family IPv4 Unicast: advertised and received
     Received: Total 72 messages
                      Update messages                0
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Sent: Total 82 messages
                      Update messages                10
                      Open messages                  1
                      KeepAlive messages             71
                      Notification messages          0
                      Refresh messages               0
     Authentication type configured: None
     Last keepalive received: 2012/03/06 19:20:37
     Last keepalive sent    : 2012/03/06 19:20:37
     Last update    received: 2012/03/06 19:20:43
     Last update    sent    : 2012/03/06 19:20:37
     Minimum route advertisement interval is 15 seconds
     Optional capabilities:
     Route refresh capability has been enabled
     4-byte-as capability has been enabled
     Nexthop self has been configured
     Connect-interface has been configured
     GTSM has been enabled, valid-ttl-hops: 2
     Peer Preferred Value: 0
     Routing policy configured:
     No routing policy is configured

    The output shows that GTSM is enabled with valid-ttl-hops 2 and that the BGP connection is in the Established state.

    • In this example, if valid-ttl-hops on either SwitchB or SwitchD is smaller than 2, the IBGP connection cannot be set up, because packets from the remote end arrive with a TTL of 254 after passing through SwitchC.

    • GTSM must be configured on both ends of the BGP connection.
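    The rule applied in steps 6 to 9 is that a peer configured with valid-ttl-hops N accepts only packets whose IP TTL lies in [255 - N + 1, 255], and a session comes up only if both ends accept each other's packets. The following Python model is an added illustration, not Huawei code: the function names, the session table, and the sample TTL values are constructed here; the topology, hop counts, and valid-ttl-hops values are taken from this example.

```python
"""GTSM TTL-range model for the BGP sessions in this example (added
illustration; not Huawei code).  A peer configured with valid-ttl-hops N
accepts only packets whose IP TTL is in [255 - N + 1, 255].  Topology,
hop counts and valid-ttl-hops values come from the example; the sample
packet TTLs are constructed."""

MAX_TTL = 255


def valid_ttl_range(valid_ttl_hops):
    """Accepted TTL range for a peer configured with valid-ttl-hops."""
    if not 1 <= valid_ttl_hops <= MAX_TTL:
        raise ValueError("valid-ttl-hops must be in 1..255")
    return MAX_TTL - valid_ttl_hops + 1, MAX_TTL


def gtsm_check(valid_ttl_hops, ttl):
    """Verdict GTSM gives a received packet: 'pass' or 'drop'."""
    low, high = valid_ttl_range(valid_ttl_hops)
    return "pass" if low <= ttl <= high else "drop"


def arriving_ttl(hops):
    """TTL seen by the receiver when a GTSM peer sends with TTL 255 and the
    packet crosses `hops` links (each of the hops-1 intermediate routers
    decrements it once)."""
    if hops < 1:
        raise ValueError("hops must be >= 1")
    return MAX_TTL - (hops - 1)


def session_can_establish(hops, cfg_a, cfg_b):
    """A BGP session forms only if each end accepts the other's packets,
    i.e. the arriving TTL is inside the range configured on both ends."""
    ttl = arriving_ttl(hops)
    return gtsm_check(cfg_a, ttl) == "pass" and gtsm_check(cfg_b, ttl) == "pass"


# Sessions from the example:
# (peer A, peer B, hops between them, valid-ttl-hops on A, valid-ttl-hops on B)
EXAMPLE_SESSIONS = [
    ("SwitchA", "SwitchB", 1, 1, 1),   # EBGP, directly connected
    ("SwitchB", "SwitchC", 1, 1, 1),   # IBGP, directly connected
    ("SwitchC", "SwitchD", 1, 1, 1),   # IBGP, directly connected
    ("SwitchB", "SwitchD", 2, 2, 2),   # IBGP through SwitchC
]


def evaluate_sessions(sessions=EXAMPLE_SESSIONS):
    """Map 'A-B' -> (accepted TTL range, arriving TTL, session comes up?)."""
    result = {}
    for a, b, hops, cfg_a, cfg_b in sessions:
        result[f"{a}-{b}"] = (
            valid_ttl_range(min(cfg_a, cfg_b)),
            arriving_ttl(hops),
            session_can_establish(hops, cfg_a, cfg_b),
        )
    return result


def forged_packet_verdicts(valid_ttl_hops, ttls):
    """Verdicts for constructed packets that claim to come from the peer but
    arrive with various TTLs (a forged packet from several hops away cannot
    reach the receiver with TTL 255)."""
    return {ttl: gtsm_check(valid_ttl_hops, ttl) for ttl in ttls}


if __name__ == "__main__":
    for name, (rng, ttl, up) in evaluate_sessions().items():
        print(f"{name}: accepts TTL {rng}, peer packets arrive with TTL {ttl}, "
              f"session {'Established' if up else 'cannot be set up'}")
    # The note under step 9: SwitchD configured with valid-ttl-hops 1 for SwitchB
    print("SwitchB-SwitchD with valid-ttl-hops 1 on SwitchD:",
          session_can_establish(2, 2, 1))
    # Constructed TTLs of packets spoofing SwitchA's address as seen by SwitchB
    print(forged_packet_verdicts(1, [255, 254, 250, 64]))
```

    Running the model reproduces the two notes above: the SwitchB to SwitchD session comes up with valid-ttl-hops 2 on both ends and fails as soon as either end is set to 1, and for a directly connected peer only a TTL of exactly 255 passes the check.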

  10. Verify the configuration.

    # Run the display gtsm statistics all command on SwitchB to check the GTSM statistics of SwitchB. SwitchB discards no packets when all received packets match the GTSM policy, so the Drop Counters are 0.

    [SwitchB] display gtsm statistics all
    GTSM Statistics Table                                                           
    ----------------------------------------------------------------                
    SlotId  Protocol  Total Counters  Drop Counters  Pass Counters                  
    ----------------------------------------------------------------                
     0      BGP       17              0              17                              
     0      BGPv6     0               0              0                              
     0      OSPF      0               0              0                              
     0      LDP       0               0              0                              
     0      OSPFv3    0               0              0                              
     0      RIP       0               0              0       
    ----------------------------------------------------------------                

    If an attacking host sends SwitchB forged BGP packets that spoof SwitchA, SwitchB discards them because their TTL value is no longer 255 when they arrive. The Drop Counters in the GTSM statistics of SwitchB then increase accordingly.
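    A practical way to act on the statistics above is to sample the display gtsm statistics all output periodically and alert when a protocol's Drop Counters grow. The following Python script is an added example, not Huawei code: the parser and its function names are constructed here, the BEFORE sample is the table shown in this step, and the AFTER sample is a constructed later capture in which BGP drops have appeared.

```python
"""Parse `display gtsm statistics all` output and flag protocols whose Drop
Counters grew between two samples (added illustration, not Huawei code).
BEFORE is the table shown in the example; AFTER is a constructed later
sample in which GTSM has started dropping BGP packets."""
import re

# One statistics row: SlotId Protocol Total Drop Pass (header and rule lines
# do not match because they do not start with a slot number)
ROW_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z0-9]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

BEFORE = """\
GTSM Statistics Table
----------------------------------------------------------------
SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
----------------------------------------------------------------
 0      BGP       17              0              17
 0      BGPv6     0               0              0
 0      OSPF      0               0              0
 0      LDP       0               0              0
 0      OSPFv3    0               0              0
 0      RIP       0               0              0
----------------------------------------------------------------
"""

# Constructed sample: 12 BGP packets failed the TTL check since BEFORE
AFTER = """\
GTSM Statistics Table
----------------------------------------------------------------
SlotId  Protocol  Total Counters  Drop Counters  Pass Counters
----------------------------------------------------------------
 0      BGP       34              12             22
 0      BGPv6     0               0              0
 0      OSPF      0               0              0
 0      LDP       0               0              0
 0      OSPFv3    0               0              0
 0      RIP       0               0              0
----------------------------------------------------------------
"""


def parse_gtsm_statistics(text):
    """Return {(slot, protocol): (total, drop, pass)}.  A row whose counters
    do not add up is rejected, since that means the table was misread."""
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        slot, proto, total, drop, passed = m.groups()
        total, drop, passed = int(total), int(drop), int(passed)
        if total != drop + passed:
            raise ValueError(f"inconsistent counters for {proto} on slot {slot}")
        stats[(int(slot), proto)] = (total, drop, passed)
    return stats


def drop_increases(before, after):
    """{(slot, protocol): drops added} for every row whose drop counter grew.
    Rows missing from `before` are counted from zero."""
    increases = {}
    for key, (_, drop_now, _) in after.items():
        drop_then = before.get(key, (0, 0, 0))[1]
        if drop_now > drop_then:
            increases[key] = drop_now - drop_then
    return increases


def check_samples(before_text=BEFORE, after_text=AFTER):
    """Parse two captures and return the drop increases between them."""
    return drop_increases(parse_gtsm_statistics(before_text),
                          parse_gtsm_statistics(after_text))


if __name__ == "__main__":
    for (slot, proto), n in check_samples().items():
        print(f"slot {slot} {proto}: {n} packets dropped by GTSM since last sample")
```

    The counters are cumulative, so comparing two captures rather than reading a single one is what separates a burst of rejected packets from drops that happened long ago; the consistency check on each row guards against a column shift when the output format differs between software versions.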

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 10
    #
    interface Vlanif10
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    bgp 10
     router-id 172.16.1.9
     peer 10.1.1.2 as-number 20
     peer 10.1.1.2 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.2 enable
    #
    return
  • SwitchB configuration file

    #
    sysname SwitchB
    #
    vlan batch 10 20
    #
    interface Vlanif10
     ip address 10.1.1.2 255.255.255.0
    #
    interface Vlanif20
     ip address 10.2.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 20 
    #
    interface LoopBack0
     ip address 172.16.2.9 255.255.255.255
    #
    bgp 20
     router-id 172.16.2.9
     peer 172.16.3.9 as-number 20
     peer 172.16.3.9 connect-interface LoopBack0
     peer 172.16.3.9 valid-ttl-hops 1
     peer 172.16.4.9 as-number 20
     peer 172.16.4.9 connect-interface LoopBack0
     peer 172.16.4.9 valid-ttl-hops 2
     peer 10.1.1.1 as-number 10
     peer 10.1.1.1 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      import-route ospf 1
      peer 172.16.3.9 enable
      peer 172.16.3.9 next-hop-local
      peer 172.16.4.9 enable
      peer 172.16.4.9 next-hop-local
      peer 10.1.1.1 enable
    #
    ospf 1
     area 0.0.0.0
      network 172.16.2.9 0.0.0.0
      network 10.2.1.0 0.0.0.255
    #
    return
  • SwitchC configuration file

    #
    sysname SwitchC
    #
    vlan batch 20 30
    #
    interface Vlanif20
     ip address 10.2.1.2 255.255.255.0
    #
    interface Vlanif30
     ip address 10.2.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 30 
    #
    interface LoopBack0
     ip address 172.16.3.9 255.255.255.255
    #
    bgp 20
     router-id 172.16.3.9
     peer 172.16.2.9 as-number 20
     peer 172.16.2.9 connect-interface LoopBack0
     peer 172.16.2.9 valid-ttl-hops 1
     peer 172.16.4.9 as-number 20
     peer 172.16.4.9 connect-interface LoopBack0
     peer 172.16.4.9 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 172.16.2.9 enable
      peer 172.16.4.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 172.16.3.9 0.0.0.0
      network 10.2.1.0 0.0.0.255
      network 10.2.2.0 0.0.0.255
    #
    return
  • SwitchD configuration file

    #
    sysname SwitchD
    #
    vlan batch 30
    #
    interface Vlanif30
     ip address 10.2.2.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 30
    #
    interface LoopBack0
     ip address 172.16.4.9 255.255.255.255
    #
    bgp 20
     router-id 172.16.4.9
     peer 172.16.2.9 as-number 20
     peer 172.16.2.9 connect-interface LoopBack0
     peer 172.16.2.9 valid-ttl-hops 2
     peer 172.16.3.9 as-number 20
     peer 172.16.3.9 connect-interface LoopBack0
     peer 172.16.3.9 valid-ttl-hops 1
     #
     ipv4-family unicast
      undo synchronization
      peer 172.16.2.9 enable
      peer 172.16.3.9 enable
    #
    ospf 1
     area 0.0.0.0
      network 172.16.4.9 0.0.0.0
      network 10.2.2.0 0.0.0.255
    #
    return
Copyright © Huawei Technologies Co., Ltd.