No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - IP Unicast Routing

S1720, S2700, S5700, and S6720 V200R011C10

This document describes IP Unicast Routing configurations supported by the switch, including the principle and configuration procedures of IP Routing Overview, Static Route, RIP, RIPng, OSPF, OSPFv3, IS-IS(IPv4), IS-IS(IPv6), BGP, Routing Policy ,and PBR, and provides configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring the OSPF GTSM Functions

Configuring the OSPF GTSM Functions

Context

The Generalized TTL Security Mechanism (GTSM) function protects the switch by checking whether the TTL value in an IP packet header is in a pre-defined range to improve system security.

To apply GTSM functions, enable GTSM on the two ends of the OSPF connection.

The valid TTL range of the detected packets is [255 -hops + 1, 255].

GTSM checks the TTL value of only the packets that match the GTSM policy. For the packets that do not match the GTSM policy, you can set them as "pass" or "drop". If the GTSM default action performed on the packet is set as "drop", you need to configure all the switch connections for GTSM. If the packets sent from a switch do not match the GTSM policy, they are dropped. The connection thus cannot be established. This ensures security but reduces the ease of use.

You can enable the log function to record information about dropped packets. This information facilitates fault location.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ospf valid-ttl-hops hops [ nonstandard-multicast ] [ vpn-instance vpn-instance-name ]

    OSPF GTSM functions are configured.

    NOTE:

    The ospf valid-ttl-hops command has two functions:

    • Enabling OSPF GTSM

    • Configuring the TTL value to be detected

    The parameter vpn-instance is valid only for the latter function.

    Thus, if only the private network policy or the public network policy is configured, it is recommended to set the default action performed on the packets that do not match the GTSM policy as pass. This prevents the OSPF packets of other processes from being discarded incorrectly.

  3. (Optional) Run gtsm default-action { drop | pass }

    The default action performed on the packets that do not match the GTSM policy is set.

    By default, the packets that do not match the GTSM policy can pass the filtering criteria.

    NOTE:

    If the default action is configured but the GTSM policy is not configured, GTSM does not take effect.

  4. (Optional) Run gtsm log drop-packet all

    The log function is enabled on the device in the system view. The information about the packets dropped by GTSM is recorded in the log.

Translation
Download
Updated: 2019-10-21

Document ID: EDOC1000178171

Views: 330346

Downloads: 1146

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next