270
1. Enter system view.
system-view
N/A
2. Enter BGP instance view or
BGP-VPN instance view.
• Enter BGP instance view:
bgp as-number [ instance
instance-name ]
• Enter BGP-VPN instance
view:
a. bgp as-number
[ instance
instance-name ]
b. ip vpn-instance
N/A
3. Disable BGP to establish a
session to a peer or peer
group.
peer
{ group-name | ipv6-address
[ prefix-length ] }
ignore
By default, BGP can establish a
session to a peer.
Configuring GTSM for BGP
The Generalized TTL Security Mechanism (GTSM) protects a BGP session by comparing the TTL
value in the IP header of incoming BGP packets against a valid TTL range. If the TTL value is within
the valid TTL range, the packet is accepted. If not, the packet is discarded.
The valid TTL range is from 255 – the configured hop count + 1 to 255.
When GTSM is configured, the BGP packets sent by the device have a TTL of 255.
GTSM provides best protection for directly connected EBGP sessions, but not for multihop EBGP or
IBGP sessions because the TTL of packets might be modified by intermediate devices.
When GTSM is configured, the local device can establish an EBGP ses
sion to the peer after both
devices pass GTSM check, regardless of whether the maximum number of hops is reached.
To use GTSM, you must configure GTSM on both the local and peer devices. You can specify
different hop-count values for them.
To configure GTSM for BGP (IPv4 unicast/multicast address family):
1. Enter system view.
system-view
N/A
2. Enter BGP instance view or
BGP-VPN instance view.
• Enter BGP instance view:
bgp as-number [ instance
instance-name ]
• Enter BGP-VPN instance
view:
a. bgp as-number [ instance
instance-name ]
b. ip vpn-instance
N/A
3. Configure GTSM for the
specified BGP peer or peer
group.
peer
{ group-name | ipv4-address
[ mask-length ] }
ttl-security hops
hop-count
By default, GTSM is disabled.
To configure GTSM for BGP (IPv6 unicast/multicast address family):
To Next Page
Loading...
Need help?
General