R3303-HP HSR6800 Routers Layer 3 - IP Routing Configuration Guide

233
Step                                          Command                                        Remarks
2. Enter BGP view or BGP-VPN instance view.   Enter BGP view:                                Use either method.
                                                bgp as-number
                                              Enter BGP-VPN instance view:
                                                a. bgp as-number
                                                b. ipv4-family vpn-instance vpn-instance-name
3. Forbid session establishment with a        peer { group-name | ip-address } ignore        Not forbidden by default.
   peer or peer group.
Configuring GTSM for BGP
If an attacker continuously sends forged BGP packets to a device, the device delivers these packets
directly to the CPU without checking their validity, driving CPU utilization very high. You can configure
the Generalized TTL Security Mechanism (GTSM) to mitigate such CPU-utilization attacks.
GTSM lets you configure a hop-count value that defines a valid TTL range, from 255 - hop-count + 1 to 255.
Upon receiving a packet from the specified peer, the device checks whether the TTL in the IP header falls
into this range. If it does, the packet is delivered to the CPU; otherwise, the packet is discarded.
In addition, with GTSM configured, the device sends BGP packets with TTL 255. GTSM therefore provides the
best protection for directly connected EBGP peers, because the TTL of packets exchanged between
non-directly connected EBGP peers or IBGP peers can be modified by intermediate devices.
IMPORTANT:
The peer ttl-security hops command and the peer ebgp-max-hop command are mutually exclusive.
You must configure GTSM on both the local and peer devices; you can specify different hop-count values
within the valid range for each of them.
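The following Python model, added here as an illustration and not taken from the guide or from HP's
software, shows the TTL check GTSM performs: it derives the valid range 255 - hop-count + 1 to 255 from the
configured hop count, applies it only to packets from peers that have a hop count configured, and drops
everything else from those peers. The peer addresses, hop counts and packet records are constructed for
the example; the assumption that packets from peers without a configured hop count are not checked follows
from the guide's "from the specified peer" wording and is a modelling choice, not a statement about the
router's implementation.

```python
"""GTSM TTL check for BGP packets, modelled after the configuration guide's description.

Illustrative example written alongside the guide; not vendor code. All peer
addresses, hop counts and packets below are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_TTL = 255  # a GTSM-enabled device sends its BGP packets with TTL 255


@dataclass(frozen=True)
class IPPacket:
    src: str  # source address of the received BGP packet
    ttl: int  # TTL value in the IP header as it arrives at the device


def gtsm_valid_range(hop_count: int) -> tuple[int, int]:
    """Inclusive TTL range accepted for a peer configured with 'ttl-security hops hop_count'.

    The guide gives the range as 255 - hop-count + 1 to 255.
    """
    if not 1 <= hop_count <= MAX_TTL:
        raise ValueError("hop-count must be between 1 and 255")
    return (MAX_TTL - hop_count + 1, MAX_TTL)


def gtsm_accept(ttl: int, hop_count: int) -> bool:
    """True if a packet with this TTL is delivered to the CPU, False if discarded."""
    low, high = gtsm_valid_range(hop_count)
    return low <= ttl <= high


def arrival_ttl(hops: int) -> int:
    """TTL a packet sent with TTL 255 carries after crossing 'hops' router hops.

    The receiving device checks the TTL before decrementing it, so a directly
    connected peer (1 hop) is seen with TTL 255.
    """
    return MAX_TTL - (hops - 1)


def filter_bgp_packets(packets: list[IPPacket],
                       peer_hop_counts: dict[str, int]) -> tuple[list[IPPacket], list[IPPacket]]:
    """Split packets into (delivered, dropped) according to per-peer GTSM settings.

    peer_hop_counts maps a peer address to its configured hop count. Packets from
    peers with no GTSM configuration are passed through unchecked (modelling
    assumption: GTSM applies only to the specified peers).
    """
    delivered: list[IPPacket] = []
    dropped: list[IPPacket] = []
    for pkt in packets:
        hop_count = peer_hop_counts.get(pkt.src)
        if hop_count is None or gtsm_accept(pkt.ttl, hop_count):
            delivered.append(pkt)
        else:
            dropped.append(pkt)
    return delivered, dropped


# Constructed configuration: one directly connected EBGP peer and one peer three hops away.
PEER_HOPS = {"10.0.0.2": 1, "192.0.2.9": 3}

# Constructed traffic: two genuine packets and two packets with spoofed sources
# that originated much farther away than the configured hop counts allow.
PACKETS = [
    IPPacket("10.0.0.2", arrival_ttl(1)),   # TTL 255: genuine direct peer
    IPPacket("192.0.2.9", arrival_ttl(2)),  # TTL 254: within the 253-255 range for 3 hops
    IPPacket("10.0.0.2", arrival_ttl(7)),   # TTL 249: spoofed source, 7 hops away -> dropped
    IPPacket("192.0.2.9", arrival_ttl(9)),  # TTL 247: spoofed source, 9 hops away -> dropped
]

if __name__ == "__main__":
    delivered, dropped = filter_bgp_packets(PACKETS, PEER_HOPS)
    for peer, hops in PEER_HOPS.items():
        print(f"peer {peer}: hops {hops}, accepted TTL range {gtsm_valid_range(hops)}")
    print("delivered:", [(p.src, p.ttl) for p in delivered])
    print("dropped:  ", [(p.src, p.ttl) for p in dropped])
```

Because the check is purely on the IP TTL, it costs nothing per packet beyond the comparison, which is why
it can protect the CPU: forged packets from outside the configured hop radius are discarded before any BGP
processing. The same arithmetic also shows why the guide recommends it mainly for directly connected EBGP
peers: with hop-count 1 only TTL 255 is accepted, whereas a larger hop count widens the window an attacker
within that radius could still satisfy.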
To configure GTSM for BGP:
Step                                          Command                                        Remarks
1. Enter system view.                         system-view                                    N/A
2. Enter BGP view or BGP-VPN instance view.   Enter BGP view:                                Use either method.
                                                bgp as-number
                                              Enter BGP-VPN instance view:
                                                a. bgp as-number
                                                b. ipv4-family vpn-instance vpn-instance-name
3. Configure GTSM to check BGP packets        peer { group-name | ip-address }               Not configured by default.
   from the specified BGP peer or peer        ttl-security hops hop-count
   group.