
gtsm default-action

Function

The gtsm default-action command sets the default action that is performed on the packets that do not match the GTSM policies.

The undo gtsm default-action drop command restores the default setting.

By default, the packets that do not match the GTSM policies can pass the filtering.

Format

gtsm default-action { drop | pass }

undo gtsm default-action drop

Parameters

Parameter Description Value
drop Indicates that the packets that do not match the GTSM policies cannot pass the filtering. The packets are dropped. -
pass Indicates that the packets that do not match the GTSM policies can pass the filtering. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

For a network demanding high security, you can configure the Generalized TTL Security Mechanism (GTSM) to improve the security of the OSPF network. GTSM defends against attacks by checking the Time-to-Live (TTL) value. If an attacker simulates real OSPF packets and keeps sending them to a switch, the switch receives the packets and sends them directly to the main control board for OSPF processing without checking their validity. The switch is then busy processing these packets, causing high CPU usage. The GTSM function protects the switch by checking whether the TTL value in the IP packet header is within a pre-defined range, which improves system security.

GTSM checks the TTL values only of packets that match a GTSM policy. Packets that do not match any GTSM policy either pass the filtering (after the undo gtsm default-action drop command is run, or after the gtsm default-action command is run with the pass parameter) or are dropped (after the gtsm default-action command is run with the drop parameter).

Configuration Impact

If the default action taken on GTSM packets is drop, the switch cannot establish the connection. Therefore, GTSM improves security but reduces ease of use.

Precautions

You can enable the log function by using the gtsm log drop-packet command to record information about dropped packets for later fault location.

If you configure the default action by using the gtsm default-action command (with the drop or pass parameter) but do not configure a GTSM policy, GTSM does not take effect.
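The filtering behaviour described under Usage Scenario, Configuration Impact and Precautions, as an added model in Python (example code, not Huawei's implementation): policies are assumed to be keyed by peer prefix with a permitted TTL range, packets that match no policy receive the default action, dropped packets are logged when drop logging is on, and a default action with no policy configured has no effect.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of GTSM filtering. The policy shape (peer prefix -> TTL
# range) is an assumption for illustration, not the switch's own data model.


@dataclass
class GtsmFilter:
    default_action: str = "pass"       # gtsm default-action { drop | pass }; pass by default
    log_drop_packet: bool = False      # gtsm log drop-packet
    policies: dict = field(default_factory=dict)   # prefix -> (min_ttl, max_ttl)
    drop_log: list = field(default_factory=list)   # records of dropped packets

    def add_policy(self, prefix: str, min_ttl: int, max_ttl: int) -> None:
        """Add a GTSM policy: packets from this prefix must carry a TTL in the range."""
        self.policies[ip_network(prefix)] = (min_ttl, max_ttl)

    def _match(self, src: str):
        addr = ip_address(src)
        for net, ttl_range in self.policies.items():
            if addr in net:
                return ttl_range
        return None

    def filter(self, src: str, ttl: int) -> str:
        """Return "pass" or "drop" for a packet with the given source and TTL."""
        if not self.policies:
            # Precaution: a default action without any GTSM policy has no effect.
            return "pass"
        ttl_range = self._match(src)
        if ttl_range is None:
            # No policy matched: the default action applies, no TTL check is made.
            action = self.default_action
        else:
            lo, hi = ttl_range
            action = "pass" if lo <= ttl <= hi else "drop"
        if action == "drop" and self.log_drop_packet:
            self.drop_log.append(f"GTSM dropped packet src={src} ttl={ttl}")
        return action
```

With the default action set to drop, a peer that no policy covers is rejected, which is the ease-of-use cost the Configuration Impact section describes.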

Example

# Set the default action performed on the packets that do not match the GTSM policies to drop.

<HUAWEI> system-view
[HUAWEI] gtsm default-action drop

# Set the default action performed on the packets that do not match the GTSM policy to pass the filtering.

<HUAWEI> system-view
[HUAWEI] undo gtsm default-action drop
Copyright © Huawei Technologies Co., Ltd.