
ospfv3 valid-ttl-hops

Function

The ospfv3 valid-ttl-hops command enables OSPFv3 GTSM and sets a TTL value.

The undo ospfv3 valid-ttl-hops command disables OSPFv3 GTSM.

By default, OSPFv3 GTSM is disabled.

Format

ospfv3 valid-ttl-hops valid-ttl-hops-value [ vpn-instance vpn-instance-name ]

undo ospfv3 valid-ttl-hops [ valid-ttl-hops-value ] [ vpn-instance vpn-instance-name ]

Parameters

Parameter: valid-ttl-hops-value
Description: Specifies a TTL.
Value: The value is an integer ranging from 1 to 255.

Parameter: vpn-instance vpn-instance-name
Description: Indicates the name of a VPN instance. If this parameter is specified, only the TTL values of the packets in the specified VPN instance are checked.
Value: The value must be an existing VPN instance name.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an OSPFv3 network requires high security, you can configure OSPFv3 GTSM together with an authentication mode to improve network security. During network attacks, attackers may forge OSPFv3 packets and continuously send them to a device. If the packets are destined for the device, it sends them directly to the control plane for processing without validating them, and the increased processing workload on the control plane results in high CPU usage. GTSM protects devices against such attacks and improves system security by checking whether the TTL value in each IP packet header is within a pre-defined range.

To enable OSPFv3 GTSM, run the ospfv3 valid-ttl-hops command. To check the TTL values of packets that match a GTSM policy in a specified VPN instance, specify vpn-instance in the command.

The ospfv3 valid-ttl-hops command enables OSPFv3 GTSM on both the public network and VPNs. For example, if you run the ospfv3 valid-ttl-hops 5 vpn-instance vpn1 command, OSPFv3 GTSM takes effect on both the public network and VPN 1, the TTL values of the OSPFv3 packets in VPN 1 are checked, and the default action is performed on the packets that fail to match the GTSM policy.

Follow-up Procedure

GTSM checks the TTL values of only the packets that match a GTSM policy. For packets that do not match the GTSM policy, you can specify pass in the gtsm default-action command to allow these packets to pass the filtering or specify drop in the command to discard them.

Precautions

  • If a VPN instance is specified in the ospfv3 valid-ttl-hops command and an interface is bound to that VPN instance, the interface discards all received unicast packets if the configured TTL value is less than the actual hop count on the network.
  • If a virtual link or sham link is deployed, configure a TTL value based on the actual hop count on the network (the number of routers through which the virtual link or sham link passes) to prevent the local switch from discarding packets from neighbors over the virtual link or sham link.
  • If you want to apply the configured TTL value only to packets in one VPN or in the public network, specify pass in the gtsm default-action command to prevent the OSPFv3 packets in other instances from being discarded incorrectly.
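The following Python model is an added illustration of the GTSM decision described in the Usage Scenario, Follow-up Procedure and Precautions above; it is not Huawei device code and not part of this page. It assumes (as the page does not state the arithmetic) the usual GTSM convention that a packet passes when its IPv6 hop limit lies in [255 - N + 1, 255], where N is valid-ttl-hops-value, and that an OSPFv3 packet sent with hop limit 255 arrives with 255 minus the number of routers it was forwarded through. The packet samples, the vpn1 instance and the policy values are constructed to mirror the page's own example.

```python
"""Model of the OSPFv3 GTSM decision described on this page.

Added illustration written for this page; it is not Huawei device code.
Assumptions (not stated on the page, labelled here):
  * A packet passes the check when its IPv6 hop limit is in the range
    [255 - N + 1, 255], where N is valid-ttl-hops-value (the usual GTSM
    convention).
  * An OSPFv3 packet is sent with hop limit 255 and arrives with
    255 minus the number of routers it was forwarded through.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

INITIAL_HOP_LIMIT = 255


@dataclass(frozen=True)
class Ospfv3Packet:
    """Constructed sample of the fields the GTSM check looks at."""
    src: str
    vpn_instance: Optional[str]  # None means the public network
    hop_limit: int


@dataclass
class GtsmPolicy:
    """ospfv3 valid-ttl-hops N [ vpn-instance NAME ] plus gtsm default-action."""
    valid_ttl_hops: int                 # integer 1..255, as on this page
    vpn_instance: Optional[str] = None  # None: check packets of every instance
    default_action: str = "drop"        # action for packets the policy does not match

    def __post_init__(self) -> None:
        if not 1 <= self.valid_ttl_hops <= 255:
            raise ValueError("valid-ttl-hops-value must be in 1..255")
        if self.default_action not in ("pass", "drop"):
            raise ValueError("default action must be 'pass' or 'drop'")

    @property
    def lowest_accepted_hop_limit(self) -> int:
        return INITIAL_HOP_LIMIT - self.valid_ttl_hops + 1

    def matches(self, pkt: Ospfv3Packet) -> bool:
        # With vpn-instance set, only packets of that instance are checked.
        return self.vpn_instance is None or pkt.vpn_instance == self.vpn_instance

    def decide(self, pkt: Ospfv3Packet) -> Tuple[str, str]:
        """Return ('accept' | 'drop', reason)."""
        if not self.matches(pkt):
            # Packets outside the policy get the gtsm default-action.
            action = "accept" if self.default_action == "pass" else "drop"
            return action, f"no GTSM match; default-action {self.default_action}"
        low = self.lowest_accepted_hop_limit
        if pkt.hop_limit >= low:
            return "accept", f"hop limit {pkt.hop_limit} within [{low}, 255]"
        return "drop", f"hop limit {pkt.hop_limit} below {low}"


def received_hop_limit(routers_crossed: int) -> int:
    """Hop limit seen by the receiver for a packet that left its sender with 255."""
    if routers_crossed < 0 or routers_crossed > INITIAL_HOP_LIMIT:
        raise ValueError("routers_crossed out of range")
    return INITIAL_HOP_LIMIT - routers_crossed


def minimum_valid_ttl_hops(routers_crossed: int) -> int:
    """Smallest valid-ttl-hops-value that still accepts a neighbor this many
    routers away (the virtual-link / sham-link precaution on this page)."""
    return routers_crossed + 1


if __name__ == "__main__":
    # Page example: ospfv3 valid-ttl-hops 5 vpn-instance vpn1, with constructed traffic.
    policy = GtsmPolicy(valid_ttl_hops=5, vpn_instance="vpn1", default_action="drop")
    samples = [
        Ospfv3Packet("direct neighbor in vpn1", "vpn1", received_hop_limit(0)),
        Ospfv3Packet("virtual link neighbor, 4 routers away", "vpn1", received_hop_limit(4)),
        Ospfv3Packet("virtual link neighbor, 5 routers away", "vpn1", received_hop_limit(5)),
        Ospfv3Packet("remote packet, 30 routers away", "vpn1", received_hop_limit(30)),
        Ospfv3Packet("public network neighbor", None, received_hop_limit(0)),
    ]
    for pkt in samples:
        action, why = policy.decide(pkt)
        print(f"{action:6} {pkt.src}: {why}")
    # The third precaution: default-action pass keeps the public-network neighbor.
    policy.default_action = "pass"
    print("with default-action pass:", policy.decide(samples[-1]))
```

Running the block shows the two precautions in action: a virtual-link neighbor five routers away is dropped under valid-ttl-hops 5 because its hop limit (250) falls below 251, and the public-network neighbor is dropped until gtsm default-action pass is configured, because the vpn1-scoped policy does not match it.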

Example

# Enable OSPFv3 GTSM and set the maximum number of TTL hops to 5 for the packets that can be received from the public network.

<HUAWEI> system-view
[HUAWEI] ospfv3 valid-ttl-hops 5
Copyright © Huawei Technologies Co., Ltd.