R3303-HP 6600/HSR6600 Routers Layer 3 - IP Routing Configuration Guide

Step 2. Enter BGP view or BGP-VPN instance view.
    Command:
        Enter BGP view:
            bgp as-number
        Enter BGP-VPN instance view:
            a. bgp as-number
            b. ipv4-family vpn-instance vpn-instance-name
    Remarks: Use either method.

Step 3. Configure the maximum number of BGP routes for load balancing.
    Command: balance [ ebgp | ibgp ] number
    Remarks: By default, load balancing is not enabled.

Forbidding session establishment with a peer or peer group
This task allows you to temporarily tear down the BGP session to a specific peer or peer group. To recover
the session, execute the undo peer ignore command. This lets you perform network upgrades and
maintenance without deleting and then reconfiguring the peer or peer group.
To forbid session establishment with a peer or peer group:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter BGP view or BGP-VPN instance view.
    Command:
        Enter BGP view:
            bgp as-number
        Enter BGP-VPN instance view:
            a. bgp as-number
            b. ipv4-family vpn-instance vpn-instance-name
    Remarks: Use either method.

Step 3. Forbid session establishment with a peer or peer group.
    Command: peer { group-name | ip-address } ignore
    Remarks: Not forbidden by default.

Configuring GTSM for BGP
If an attacker continuously sends forged BGP packets to a device, the device directly delivers these
packets to the CPU without checking their validity. As a result, the CPU utilization is very high. You can
configure the Generalized TTL Security Mechanism (GTSM) to avoid such CPU-utilization based attacks.
The GTSM feature allows you to configure a hop-count value, which defines a valid TTL range of
255 - hop-count + 1 to 255. Upon receiving a packet from the specified peer, the device checks whether
the TTL in the IP header falls within that range. If it does, the packet is delivered to the CPU; otherwise,
the packet is discarded.
In addition, with GTSM configured, the device sends packets with TTL 255. Therefore, GTSM provides the
best protection for directly connected EBGP peers because the TTL of packets exchanged between
non-direct EBGP peers or IBGP peers can be modified by other devices.
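
The TTL check described above, as an added example in Python (not HP code and not part of the original guide). The peer table, addresses, verdict strings and packets are constructed for illustration; the example reads the source address and TTL from a raw IPv4 header and applies the range 255 - hop-count + 1 to 255.

```python
import socket
import struct

def gtsm_range(hop_count):
    """Valid TTL range from the text: 255 - hop-count + 1 to 255."""
    if not 1 <= hop_count <= 255:  # bound chosen for this example
        raise ValueError("hop-count out of range")
    return 255 - hop_count + 1, 255

def ipv4_src_ttl(packet):
    """Return (source address, TTL) from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return socket.inet_ntoa(packet[12:16]), packet[8]

def gtsm_verdict(packet, peers):
    """peers maps a peer address to its configured hop-count (hypothetical table)."""
    src, ttl = ipv4_src_ttl(packet)
    if src not in peers:
        return "no-gtsm"  # GTSM not configured for this source; not modelled here
    low, high = gtsm_range(peers[src])
    return "deliver" if low <= ttl <= high else "discard"

def build_ipv4(src, dst, ttl):
    """Constructed 20-byte IPv4 header (protocol 6 = TCP, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed peer table: a directly connected peer and a peer with hop-count 3.
PEERS = {"192.0.2.1": 1, "198.51.100.7": 3}

def demo():
    samples = [
        ("192.0.2.1", 255),     # direct peer: sent with TTL 255, no router in between
        ("192.0.2.1", 250),     # spoofed source: sent with 255 but crossed 5 routers
        ("198.51.100.7", 253),  # inside 253..255, so accepted
        ("198.51.100.7", 252),  # one hop too far for hop-count 3
    ]
    return [gtsm_verdict(build_ipv4(src, "192.0.2.2", ttl), PEERS)
            for src, ttl in samples]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

With hop-count 1 only TTL 255 passes, which a sender that is not directly connected cannot produce because every router on the path decrements the TTL; a larger hop-count widens the range and with it the set of senders whose packets reach the CPU.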