TTL (time to live) is a field in the IPv4 header that limits how long a packet can circulate on the network. The sender sets the initial TTL value, and every device that forwards the packet decrements it by 1. If a forwarding device receives an IP packet whose TTL has reached 0 and whose destination address is not one of its local addresses, the device discards the packet.
If a device receives many IP packets with TTL value 1, it may be under attack: each such packet expires on the device and has to be handled by the CPU rather than in the forwarding plane. In this situation, you can enable the device to discard IP packets with expired TTL. The device then discards packets with TTL value 1 in the forwarding plane and does not send them to the CPU.
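The following added example (not Huawei code) models the behaviour described above on constructed IPv4 headers: how a transit packet with TTL 1 is handled with and without the discard feature, and a simple per-source count that a defender could use to notice a TTL-1 flood. The local address set, the sample addresses and the threshold are assumptions for the example.

```python
import socket
import struct
from collections import Counter

# Assumed local interface addresses of the switch (constructed for this example).
LOCAL_ADDRS = {"10.0.0.1"}

def build_ipv4(src, dst, ttl, proto=1):
    """Construct a minimal 20-byte IPv4 header (checksum left zero; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(raw):
    """Return the header fields the forwarding decision needs: ttl, src, dst."""
    fields = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {"ttl": fields[5], "src": socket.inet_ntoa(fields[8]),
            "dst": socket.inet_ntoa(fields[9])}

def forwarding_decision(raw, ttl_expired_drop=False):
    """Model what the forwarding plane does with one packet.

    Without the feature, a transit packet whose TTL expires is handed to the CPU
    (which answers with ICMP Time Exceeded); with ip ttl-expired drop enabled it
    is discarded in the forwarding plane and never reaches the CPU.
    """
    pkt = parse_ipv4(raw)
    if pkt["dst"] in LOCAL_ADDRS:
        return "deliver-locally"          # addressed to the device itself
    if pkt["ttl"] <= 1:                   # decrementing would reach 0: expired
        return "drop-silently" if ttl_expired_drop else "punt-to-cpu"
    return "forward"

def ttl1_flood_sources(packets, threshold):
    """Count transit packets arriving with TTL 1 per source address.

    Returns the sources that reach the threshold, i.e. candidates for a TTL-1 flood.
    """
    counts = Counter()
    for raw in packets:
        pkt = parse_ipv4(raw)
        if pkt["ttl"] == 1 and pkt["dst"] not in LOCAL_ADDRS:
            counts[pkt["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample traffic: one source floods TTL-1 transit packets, the rest is normal.
SAMPLE = ([build_ipv4("192.0.2.10", "198.51.100.5", 1)] * 50
          + [build_ipv4("192.0.2.20", "198.51.100.5", 64)] * 5
          + [build_ipv4("192.0.2.30", "10.0.0.1", 1)] * 3)

if __name__ == "__main__":
    print(ttl1_flood_sources(SAMPLE, threshold=20))
    print(forwarding_decision(SAMPLE[0]), forwarding_decision(SAMPLE[0], ttl_expired_drop=True))
```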
Enter the system view, then run the ip ttl-expired drop command. The switch is configured to discard IP packets with expired TTL.
By default, discarding IP packets with expired TTL is disabled.
Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
After the ip ttl-expired drop command is run, some packets that have TTL value 1 but need to be processed by the CPU are also discarded. Therefore, once the attack has stopped, run the undo ip ttl-expired drop command so that the device no longer discards IP packets with expired TTL.