The rip valid-ttl-hops command enables the RIP GTSM functions and sets the TTL value to be detected.
The undo rip valid-ttl-hops command cancels the function.
By default, the RIP GTSM functions are disabled.
rip valid-ttl-hops valid-ttl-hops-value [ vpn-instance vpn-instance-name ]
undo rip valid-ttl-hops [ valid-ttl-hops-value ] [ vpn-instance vpn-instance-name ]
Parameter | Description | Value
---|---|---
valid-ttl-hops-value | Specifies the number of TTL hops to be detected. The valid TTL range of the detected packets is [ 255 - valid-ttl-hops-value + 1, 255 ]. | The value is an integer ranging from 1 to 255.
vpn-instance vpn-instance-name | Specifies the name of the VPN instance. If this parameter is specified, the TTL value to be detected applies only to that VPN instance. | The value must be an existing VPN instance name.
Usage Scenario
In a network demanding higher security, you can enable GTSM to improve the security of the RIP network. GTSM defends against attacks by checking the TTL value. If an attacker simulates RIP unicast packets and keeps sending them to a switch, the switch receives the packets and sends them directly to the main control board for RIP processing, without checking the validity of the packets. The switch is then busy processing these packets, causing high CPU usage. GTSM protects the device and enhances system security by checking whether the TTL value in the IP packet header is within a pre-defined range.
The rip valid-ttl-hops command is used to enable RIP GTSM.
Precautions
GTSM configurations must be symmetrical. That is, GTSM must be enabled on devices at both ends.
If GTSM is enabled on a device, after the device receives a RIP packet, it checks whether the TTL value in the packet is within the pre-defined range. If the TTL value is outside the pre-defined range, the device treats the packet as an attack packet and discards it.
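The following is an added example that models the TTL check described above and in the parameter table; it is not Huawei code, and the packet records, addresses and function names are constructed for illustration. It shows how the valid-ttl-hops-value maps to the accepted TTL window [ 255 - valid-ttl-hops-value + 1, 255 ], including the two edge settings (1 accepts only TTL 255, 255 accepts every TTL), and how a GTSM-enabled device would split received RIP packets into accepted and discarded ones.

```python
# Added example: a model of the RIP GTSM TTL check described on this page.
# Not Huawei code; packet records and names below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_TTL = 255


def valid_ttl_range(valid_ttl_hops_value: int) -> Tuple[int, int]:
    """Inclusive [low, high] TTL window for a given valid-ttl-hops-value,
    per the documented formula [255 - value + 1, 255]."""
    if not 1 <= valid_ttl_hops_value <= MAX_TTL:
        raise ValueError("valid-ttl-hops-value must be an integer from 1 to 255")
    return MAX_TTL - valid_ttl_hops_value + 1, MAX_TTL


def gtsm_accepts(ttl: int, valid_ttl_hops_value: Optional[int]) -> bool:
    """True if the packet passes the GTSM check.
    None models the default (GTSM disabled): every packet is handed to RIP."""
    if valid_ttl_hops_value is None:
        return True
    low, high = valid_ttl_range(valid_ttl_hops_value)
    return low <= ttl <= high


@dataclass
class RipPacket:
    src: str  # constructed source address
    ttl: int  # TTL seen in the IP header on arrival


def filter_rip_packets(packets: List[RipPacket],
                       valid_ttl_hops_value: Optional[int]):
    """Split packets into (accepted, discarded) as a GTSM-enabled device would:
    out-of-range packets are treated as attack packets and dropped before RIP
    processing, so they never reach the main control board."""
    accepted, discarded = [], []
    for p in packets:
        (accepted if gtsm_accepts(p.ttl, valid_ttl_hops_value) else discarded).append(p)
    return accepted, discarded


# Constructed sample: a directly connected neighbor sends with TTL 255; packets
# that traversed more hops arrive with a lower TTL.
SAMPLE_PACKETS = [
    RipPacket("10.0.0.2", 255),   # directly connected neighbor
    RipPacket("10.0.0.3", 254),   # one hop away
    RipPacket("192.0.2.9", 200),  # many hops away
]

if __name__ == "__main__":
    for hops in (1, 2, 255):
        acc, drop = filter_rip_packets(SAMPLE_PACKETS, hops)
        print(f"valid-ttl-hops {hops}: window {valid_ttl_range(hops)}, "
              f"accepted {len(acc)}, discarded {len(drop)}")
```

Because the check is purely local to the receiving device, it only works as intended when both ends of each RIP adjacency are configured consistently, which is why the precautions require symmetrical GTSM configuration; a neighbor more than valid-ttl-hops-value hops away will be dropped as an attacker.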