Configuring GTSM for BGP

IMPORTANT:

  • When GTSM is configured, the local device can establish an EBGP session with the peer after both devices pass GTSM check, regardless of whether the maximum number of hops is reached.

  • To use GTSM, you must configure GTSM on both the local and peer devices. You can specify different hop-count values for them.


The Generalized TTL Security Mechanism (GTSM) protects a BGP session by comparing the TTL value in the IP header of incoming BGP packets against a valid TTL range. If the TTL value is within the valid TTL range, the packet is accepted. If not, the packet is discarded.

The valid TTL range is from (255 – hop-count + 1) to 255, where hop-count is the configured hop count.

When GTSM is configured, the BGP packets sent by the device have a TTL of 255.

GTSM provides the best protection for directly connected EBGP sessions, but not for multihop EBGP or IBGP sessions, because the TTL of packets might be modified by intermediate devices.

To configure GTSM for BGP (IPv4 unicast/multicast address family):

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter BGP view or BGP-VPN instance view.
   Command:
     • Enter BGP view: bgp as-number
     • Enter BGP-VPN instance view:
       1. bgp as-number
       2. ip vpn-instance vpn-instance-name
   Remarks: N/A

3. Configure GTSM for the specified BGP peer or peer group.
   Command: peer { group-name | ip-address [ mask-length ] } ttl-security hops hop-count
   Remarks: By default, GTSM is not configured.

To configure GTSM for BGP (IPv6 unicast/multicast address family):

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter BGP view or BGP-VPN instance view.
   Command:
     • Enter BGP view: bgp as-number
     • Enter BGP-VPN instance view:
       1. bgp as-number
       2. ip vpn-instance vpn-instance-name
   Remarks: N/A

3. Configure GTSM for the specified BGP peer or peer group.
   Command: peer { group-name | ipv6-address [ prefix-length ] } ttl-security hops hop-count
   Remarks: By default, GTSM is not configured.
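The following added example (not part of this configuration guide, and not vendor code) models the GTSM check described above: it parses the "peer ... ttl-security hops" lines from two constructed, Comware-style BGP configurations, derives the valid TTL range (255 – hop-count + 1 to 255) for each peer, decides whether an incoming packet's TTL is accepted, and verifies that both ends of the session have GTSM configured, possibly with different hop counts. The router configurations, addresses and TTL values are constructed for illustration.

```python
import re

# Matches the command form shown in the procedure above:
#   peer { group-name | ip-address [ mask-length ] } ttl-security hops hop-count
# (the IPv6 form with prefix-length matches the same pattern).
PEER_GTSM_RE = re.compile(
    r"^\s*peer\s+(?P<peer>\S+)(?:\s+(?P<len>\d{1,3}))?"
    r"\s+ttl-security\s+hops\s+(?P<hops>\d+)\s*$"
)

# Constructed sample configurations for two directly connected EBGP routers.
# Hop counts deliberately differ (1 and 2): the guide allows that.
ROUTER_A_CFG = """\
bgp 65001
 peer 10.1.1.2 as-number 65002
 peer 10.1.1.2 ttl-security hops 1
"""
ROUTER_B_CFG = """\
bgp 65002
 peer 10.1.1.1 as-number 65001
 peer 10.1.1.1 ttl-security hops 2
"""


def parse_gtsm(config_text):
    """Return {peer-or-group: hop_count} for every GTSM-enabled peer."""
    peers = {}
    for line in config_text.splitlines():
        m = PEER_GTSM_RE.match(line)
        if m:
            peers[m.group("peer")] = int(m.group("hops"))
    return peers


def valid_ttl_range(hop_count):
    """Valid incoming TTL range per the guide: 255 - hop_count + 1 .. 255."""
    return (255 - hop_count + 1, 255)


def gtsm_accepts(hop_count, ttl):
    """True if a packet with this IP TTL passes the GTSM check."""
    low, high = valid_ttl_range(hop_count)
    return low <= ttl <= high


def session_protected(local_cfg, remote_cfg, local_addr, remote_addr):
    """GTSM must be configured on both devices for the session to be protected.

    Only address-based peers are checked here; peer groups are not resolved."""
    return remote_addr in parse_gtsm(local_cfg) and local_addr in parse_gtsm(remote_cfg)
```

A packet that traversed an intermediate router arrives with TTL 254, so it is dropped by router A (hops 1, range 255..255) but accepted by router B (hops 2, range 254..255).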