gtsm log drop-packet
Function
The gtsm log drop-packet command enables the log function on the slot. When the function is enabled, each packet that GTSM drops is recorded in the log.
The undo gtsm log drop-packet command disables the log function on the slot.
By default, packets dropped by GTSM are not recorded in the log.
Usage Guidelines
On the AC, the gtsm log drop-packet command can enable the log function only on the MPU; it cannot be enabled on LPUs.
Usage Scenario
For a network requiring higher security, you can configure the Generalized TTL Security Mechanism (GTSM) to improve the security of the OSPF network. GTSM defends against attacks by checking the Time-to-Live (TTL) value of received packets. Without GTSM, if an attacker forges OSPF packets and keeps sending them to a device, the interface board receives the packets and sends them directly to the main control board for OSPF processing, without checking their validity. The device is then kept busy processing these packets, which drives up CPU usage. GTSM protects the device by checking whether the TTL value in the IP header of each OSPF packet falls within a pre-defined range: a packet forged by a remote attacker has had its TTL decremented at every hop along the way, so it cannot present the TTL that a packet from a directly connected neighbor would carry.
GTSM checks the TTL value only of packets that match a GTSM policy. Packets that match no GTSM policy are passed or dropped according to the gtsm default-action command.
You can also run the gtsm log drop-packet command to record information about dropped packets for later fault location.
Prerequisites
Run the gtsm default-action drop command before enabling the log function. The log records only packets that GTSM actually drops; if the default action is to pass packets, packets that match no GTSM policy are passed rather than dropped and therefore generate no log entries.
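The following Python model is an added illustration of the behaviour described in the Usage Scenario and Prerequisites above; it is not vendor code and does not run on the device. It assumes, as stated in the comments, that a GTSM policy is selected by source prefix, that a directly connected OSPF neighbor sends packets with TTL 255, and that a hop count of n yields the accepted TTL window [255 - n + 1, 255]. The policy, packet and hop-count names are hypothetical. The sample packets are constructed, not captured.

```python
"""Model of the GTSM TTL check, default action and drop log.

Added illustration, not vendor code. Assumptions (not from the page):
- a policy matches packets by source prefix;
- the sender of a GTSM-protected OSPF packet sets TTL 255, so with a
  configured hop count n the accepted window is [255 - n + 1, 255].
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class GtsmPolicy:
    prefixes: list            # sources subject to the TTL check (hypothetical)
    valid_ttl_hops: int       # hop count used to derive the TTL window (hypothetical)
    default_action: str = "pass"   # gtsm default-action: "pass" or "drop"
    log_drop_packet: bool = False  # gtsm log drop-packet enabled or not

    def ttl_window(self):
        """Lowest and highest TTL accepted for packets matching this policy."""
        return 255 - self.valid_ttl_hops + 1, 255


@dataclass
class Packet:
    src: str
    ttl: int
    protocol: int = 89  # OSPF


@dataclass
class Gtsm:
    policy: GtsmPolicy
    log: list = field(default_factory=list)  # what gtsm log drop-packet records
    dropped: int = 0
    passed: int = 0

    def matches_policy(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        return any(src in ipaddress.ip_network(p) for p in self.policy.prefixes)

    def _drop(self, pkt, reason):
        self.dropped += 1
        if self.policy.log_drop_packet:
            # Only drops are logged; a passed packet never produces an entry.
            self.log.append(f"GTSM drop src={pkt.src} ttl={pkt.ttl} reason={reason}")
        return False

    def check(self, pkt):
        """Return True if the packet is handed to the control plane, False if dropped."""
        if not self.matches_policy(pkt):
            # No policy matched: the default action decides, TTL is not examined.
            if self.policy.default_action == "drop":
                return self._drop(pkt, "no matching policy, default-action drop")
            self.passed += 1
            return True
        low, high = self.policy.ttl_window()
        if low <= pkt.ttl <= high:
            self.passed += 1
            return True
        return self._drop(pkt, f"ttl outside [{low},{high}]")


# Constructed sample traffic (not captured from a real network).
SAMPLE_PACKETS = [
    Packet("10.0.0.2", 255),   # directly connected neighbour, TTL untouched
    Packet("10.0.0.2", 250),   # forged neighbour address, arrived over several hops
    Packet("192.0.2.7", 255),  # source covered by no GTSM policy
]


def run(default_action, log_drop_packet):
    """Apply one policy to the sample packets; return per-packet verdicts and the log."""
    policy = GtsmPolicy(["10.0.0.0/24"], valid_ttl_hops=1,
                        default_action=default_action,
                        log_drop_packet=log_drop_packet)
    gtsm = Gtsm(policy)
    verdicts = [gtsm.check(p) for p in SAMPLE_PACKETS]
    return verdicts, list(gtsm.log)


if __name__ == "__main__":
    for action, logging in (("pass", True), ("drop", True), ("drop", False)):
        verdicts, log = run(action, logging)
        print(f"default-action {action}, log {'on' if logging else 'off'}: {verdicts}")
        for line in log:
            print("  ", line)
```

The three runs show the point of the prerequisite: the forged packet with a decremented TTL is dropped in every run, but the packet from an unpolicied source is only dropped, and therefore only logged, once the default action is drop, and with the log function disabled no drop is recorded at all.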