Example for Configuring LDP GTSM
Networking Requirements
On the MPLS network shown in Figure 3-36, MPLS and MPLS LDP run between every two nodes. An attacker may forge LDP unicast packets and send them to LSRB. LSRB then becomes busy processing these packets, causing high CPU usage. This problem needs to be addressed to protect the nodes and enhance system security.
Configuration Roadmap
To meet the preceding requirements, configure LDP GTSM. The configuration roadmap is as follows:
Configure the LDP GTSM function on LSRs and set the TTL range.
Procedure
- Configure IP addresses for interfaces.
# Configure LSRA. The configurations of LSRB and LSRC are similar to that of LSRA and are not shown here.
<Huawei> system-view
[Huawei] sysname LSRA
[LSRA] interface loopback 0
[LSRA-LoopBack0] ip address 10.10.1.1 32
[LSRA-LoopBack0] quit
[LSRA] interface gigabitethernet 1/0/0
[LSRA-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[LSRA-GigabitEthernet1/0/0] quit
- Configure OSPF to advertise the network segments connecting the interfaces on each node and to advertise the host routes of the LSR IDs.
# Configure LSRA. The configurations of LSRB and LSRC are similar to that of LSRA and are not shown here.
[LSRA] ospf 1
[LSRA-ospf-1] area 0
[LSRA-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0
[LSRA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[LSRA-ospf-1-area-0.0.0.0] quit
[LSRA-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on each node. The output shows that the nodes have learned routes from each other.
- Configure an LDP LSP.
# Configure LSRA. The configurations of LSRB and LSRC are similar to that of LSRA and are not shown here.
[LSRA] mpls lsr-id 10.10.1.1
[LSRA] mpls
[LSRA-mpls] quit
[LSRA] mpls ldp
[LSRA-mpls-ldp] quit
[LSRA] interface gigabitethernet 1/0/0
[LSRA-GigabitEthernet1/0/0] mpls
[LSRA-GigabitEthernet1/0/0] mpls ldp
[LSRA-GigabitEthernet1/0/0] quit
# After the configuration is complete, run the display mpls ldp session command. The command output shows that the status of the local LDP sessions between LSRA and LSRB and between LSRB and LSRC is Operational.
- Configure LDP GTSM.
# On LSRA, configure the TTL values carried in LDP packets received from LSRB to range from 253 to 255.
[LSRA] mpls ldp
[LSRA-mpls-ldp] gtsm peer 10.10.1.2 valid-ttl-hops 3
[LSRA-mpls-ldp] quit
# On LSRB, configure the TTL values carried in LDP packets received from LSRA to range from 252 to 255, and the TTL values carried in LDP packets received from LSRC to range from 251 to 255.
[LSRB] mpls ldp
[LSRB-mpls-ldp] gtsm peer 10.10.1.1 valid-ttl-hops 4
[LSRB-mpls-ldp] gtsm peer 10.10.1.3 valid-ttl-hops 5
[LSRB-mpls-ldp] quit
# On LSRC, configure the TTL values carried in LDP packets received from LSRB to range from 250 to 255.
[LSRC] mpls ldp
[LSRC-mpls-ldp] gtsm peer 10.10.1.2 valid-ttl-hops 6
[LSRC-mpls-ldp] quit
If a host forges LDP packets of LSRA to attack LSRB, LSRB discards the packets directly because the TTL values they carry fall outside the range of 252 to 255. In the GTSM statistics on LSRB, the number of discarded packets increases.
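The GTSM check configured above relies on one property of IP forwarding: a packet that a directly connected peer sends with TTL 255 arrives with a TTL close to 255, and every additional router on the path decrements it by one, so a packet injected from further away cannot carry a TTL inside the accepted window. The following Python model, added here as an illustration and not code from the Huawei device, shows how `valid-ttl-hops N` maps to the accepted interval `[256 - N, 255]` (matching the ranges stated in the steps, e.g. 3 hops gives 253 to 255) and applies LSRB's two peer entries to a handful of constructed packets, counting discards the way the GTSM statistics would. The behaviour for a source LSR ID with no `gtsm peer` entry (no TTL check) is an assumption of this model.

```python
"""Model of the LDP GTSM TTL check from the example (added illustration, not device code)."""
from dataclasses import dataclass

MAX_TTL = 255  # TTL a directly originated IPv4 packet starts with


def ttl_range(valid_ttl_hops):
    """Map `gtsm peer ... valid-ttl-hops N` to the inclusive accepted TTL interval."""
    if not 1 <= valid_ttl_hops <= MAX_TTL:
        raise ValueError("valid-ttl-hops must be between 1 and 255")
    return (MAX_TTL - valid_ttl_hops + 1, MAX_TTL)


@dataclass
class GtsmStats:
    accepted: int = 0
    discarded: int = 0


class LdpGtsm:
    """GTSM policy of one LSR: peer LSR ID -> valid-ttl-hops, plus per-peer counters."""

    def __init__(self, peers):
        self.peers = dict(peers)
        self.stats = {peer: GtsmStats() for peer in self.peers}

    def check(self, src_lsr_id, ttl):
        """Return True if an LDP packet claiming to come from src_lsr_id passes GTSM."""
        hops = self.peers.get(src_lsr_id)
        if hops is None:
            # Assumption of this model: a peer without a gtsm entry is not TTL-checked.
            return True
        low, high = ttl_range(hops)
        ok = low <= ttl <= high
        if ok:
            self.stats[src_lsr_id].accepted += 1
        else:
            # This is the counter that grows when forged packets hit LSRB.
            self.stats[src_lsr_id].discarded += 1
        return ok


def run_lsrb_example():
    """Apply LSRB's configuration from the example to constructed sample packets."""
    lsrb = LdpGtsm({"10.10.1.1": 4, "10.10.1.3": 5})  # LSRA: 252-255, LSRC: 251-255
    # Constructed packets: (claimed source LSR ID, TTL on arrival at LSRB).
    packets = [
        ("10.10.1.1", 254),  # genuine LSRA packet, within 252-255
        ("10.10.1.1", 250),  # forged "LSRA" packet that crossed more routers
        ("10.10.1.3", 251),  # genuine LSRC packet on the lower bound of 251-255
        ("10.10.1.3", 248),  # forged "LSRC" packet
        ("10.10.1.9", 200),  # constructed LSR ID with no gtsm entry: not checked
    ]
    results = [lsrb.check(src, ttl) for src, ttl in packets]
    return lsrb, results


if __name__ == "__main__":
    lsrb, results = run_lsrb_example()
    for (src, ttl), ok in zip(
        [("10.10.1.1", 254), ("10.10.1.1", 250), ("10.10.1.3", 251),
         ("10.10.1.3", 248), ("10.10.1.9", 200)], results):
        print(f"from {src} ttl={ttl}: {'accept' if ok else 'discard'}")
    for peer, st in lsrb.stats.items():
        print(f"peer {peer}: accepted={st.accepted} discarded={st.discarded}")
```

The last sample packet is the caveat worth remembering when reviewing a GTSM deployment: the check only protects sessions for which a `gtsm peer` entry exists, so every LDP peer should have one, and the hop count should be as small as the real topology allows, since a larger `valid-ttl-hops` widens the window a forged packet may land in.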
Configuration Files
LSRA configuration file
#
 sysname LSRA
#
mpls lsr-id 10.10.1.1
mpls
#
mpls ldp
 gtsm peer 10.10.1.2 valid-ttl-hops 3
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 10.10.1.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.10.1.1 0.0.0.0
  network 10.1.1.0 0.0.0.3
#
return
LSRB configuration file
#
 sysname LSRB
#
mpls lsr-id 10.10.1.2
mpls
#
mpls ldp
 gtsm peer 10.10.1.1 valid-ttl-hops 4
 gtsm peer 10.10.1.3 valid-ttl-hops 5
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.1 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 10.10.1.2 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.10.1.2 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.2.1.0 0.0.0.3
#
return
LSRC configuration file
#
 sysname LSRC
#
mpls lsr-id 10.10.1.3
mpls
#
mpls ldp
 gtsm peer 10.10.1.2 valid-ttl-hops 6
#
interface GigabitEthernet1/0/0
 ip address 10.2.1.2 255.255.255.252
 mpls
 mpls ldp
#
interface LoopBack0
 ip address 10.10.1.3 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.10.1.3 0.0.0.0
  network 10.2.1.0 0.0.0.3
#
return