peer ttl-security
Use peer ttl-security to configure Generalized TTL Security Mechanism (GTSM) for a BGP peer or peer group.
Use undo peer ttl-security to disable BGP GTSM for a peer or peer group.
Syntax
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ttl-security hops hop-count
undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ttl-security hops
Default
GTSM is disabled for BGP.
Views
BGP instance view
BGP-VPN instance view
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.
ipv4-address: Specifies a peer by its IPv4 address. The peer must have been created.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a subnet, this command configures GTSM for all dynamic peers in the subnet.
ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.
prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, this command configures GTSM for all dynamic peers in the subnet.
hops hop-count: Specifies the maximum number of hops to the specified peer, in the range of 1 to 254.
Usage guidelines
GTSM protects a BGP session by comparing the TTL value of an incoming IP packet against the valid TTL range. If the TTL value is within the valid TTL range, the packet is accepted. If not, the packet is discarded.
The valid TTL range is from (255 – the configured hop count + 1) to 255.
When GTSM is configured, the BGP packets sent by the device have a TTL of 255.
When GTSM is configured, the local device can establish an EBGP session to the peer after the packets pass the GTSM check, regardless of whether the maximum number of hops is reached.
To use GTSM, you must configure GTSM on both the local and peer devices. You can specify different hop-count values for them.
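The following is an added Python model of the GTSM check described in these guidelines; it is example code, not part of this command reference and not the device's implementation. The hop-count, valid TTL range and TTL 255 behaviour come from the text above; the longest-prefix rule for a peer entry that overlaps a subnet entry is an assumption of the model.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed model of `peer { address [ mask-length ] } ttl-security hops hop-count`
# (example code, not the device's implementation).
@dataclass(frozen=True)
class GtsmEntry:
    target: ipaddress.IPv4Network | ipaddress.IPv6Network  # /32 or /128 = one peer, else a subnet
    hops: int  # hop-count, 1 to 254

def gtsm_entry(target: str, hops: int) -> GtsmEntry:
    """Build an entry from the address or subnet text as typed in the command."""
    if not 1 <= hops <= 254:
        raise ValueError("hop-count must be in the range 1 to 254")
    return GtsmEntry(ipaddress.ip_network(target, strict=False), hops)

def valid_ttl_range(hops: int) -> tuple[int, int]:
    """Valid TTL range from the usage guidelines: (255 - hop-count + 1) to 255."""
    return (255 - hops + 1, 255)

def lookup_hops(entries: list[GtsmEntry], peer_addr: str) -> int | None:
    """hop-count that applies to peer_addr, or None when GTSM is not configured for it.
    Assumption in this model: if a peer entry and a subnet entry both match, the
    longest prefix (most specific entry) wins."""
    addr = ipaddress.ip_address(peer_addr)
    matches = [e for e in entries if e.target.version == addr.version and addr in e.target]
    if not matches:
        return None
    return max(matches, key=lambda e: e.target.prefixlen).hops

def gtsm_accept(entries: list[GtsmEntry], peer_addr: str, ttl: int) -> bool:
    """GTSM check on one incoming BGP packet: accept inside the valid range, else discard."""
    hops = lookup_hops(entries, peer_addr)
    if hops is None:
        return True  # default: GTSM disabled for this peer, so no TTL check at all
    low, high = valid_ttl_range(hops)
    return low <= ttl <= high

def arriving_ttl(hops_to_peer: int) -> int:
    """A GTSM-enabled device sends with TTL 255; each intermediate router decrements it,
    so a peer hops_to_peer away (1 = directly connected) sees 255 - (hops_to_peer - 1)."""
    return 255 - (hops_to_peer - 1)

def session_passes(local_hops: int, remote_hops: int, distance: int) -> bool:
    """Both devices run GTSM, each with its own hop-count; the session can form only
    if each side's check accepts the other's packets over the real distance."""
    ttl = arriving_ttl(distance)
    return all(valid_ttl_range(h)[0] <= ttl <= 255 for h in (local_hops, remote_hops))
```

With a subnet entry for 10.1.1.0/24 at hop-count 3 and a peer entry for 10.1.1.2 at hop-count 1, a packet from 10.1.1.2 is accepted only at TTL 255, while a dynamic peer such as 10.1.1.9 is accepted at TTL 253 to 255; session_passes(3, 2, 2) shows two devices with different hop-count values still forming a session across two hops.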
Examples
# In BGP instance view, enable GTSM for BGP peer group test and set the maximum number of hops to the specified peer in the peer group to 1.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] peer test ttl-security hops 1
Related commands
peer ebgp-max-hop