The document provides instructions for configuring a Huawei router to deny IP traffic with a time-to-live (TTL) value under 16 by: 1) deleting the default flow template and applying a new one containing TTL to an interface; 2) defining an access control list (ACL) with rules to deny IP traffic with TTL from 1 to 15 and permit all other IP traffic; and 3) applying the ACL to the interface. The document notes that denying low TTL may drop routing protocol packets and alternative rules using DSCP or TOS are recommended to ensure normal routing.
ttl expired acl
Dear Jonathan,
As per our recent conversation on the phone, find below the Huawei ACL commands which deny all
IP traffic whose TTL is under 16.
For any support, feel free to contact me.
Step 1. Delete the default flow template and apply a new one containing ttl on the slot.
dis flow-template user-defined # you will see the default flow-template applied on every slot.
undo flow-template user-defined slot 4 # delete the default one.
flow-template user-defined slot 4 ip-protocol tcp-flag sport dport sip 0.0.0.0 dip 0.0.0.0 ttl # define a new template that includes ttl.
int g4/1/1
flow-template user-defined # apply this template on the interface.
Step 2. Define an ACL with the same function as the Cisco one (one deny rule per TTL value 1-15, then permit everything else).
#
acl name deny-low-ttl advanced
rule 1 deny ip ttl 1
rule 2 deny ip ttl 2
rule 3 deny ip ttl 3
rule 4 deny ip ttl 4
rule 5 deny ip ttl 5
rule 6 deny ip ttl 6
rule 7 deny ip ttl 7
rule 8 deny ip ttl 8
rule 9 deny ip ttl 9
rule 10 deny ip ttl 10
rule 11 deny ip ttl 11
rule 12 deny ip ttl 12
rule 13 deny ip ttl 13
rule 14 deny ip ttl 14
rule 15 deny ip ttl 15
rule 16 permit ip
Step 3. Apply the ACL inbound on the interface.
int g4/1/1
packet-filter inbound ip-group deny-low-ttl
PS:
Denying low TTL will drop the routing protocol multicast packets, so you'd better define rules to make
sure the routing protocols keep running normally. I think you can define the rule with DSCP or TOS.
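The following is an added example, not part of the note above: a small Python model of the ACL from steps 2 and 3 as a first-match rule list, used to check the PS caveat before the policy goes on a router. It generates the same one-rule-per-TTL layout (with the threshold of 16 as a parameter), parses the rule lines back, and evaluates constructed sample packets against them, once as written in the note and once with a leading permit for DSCP 48 (CS6, which routing protocols commonly use) so that an OSPF hello with TTL 1 is no longer dropped. The rule grammar (only `ttl` and `dscp` matches), rule-id evaluation order, and the default permit when nothing matches are simplifying assumptions of this example, not Huawei VRP behaviour; the sample packets are constructed, not captured.

```python
"""Added example: first-match model of the low-TTL ACL described in the note.

Simplified simulator for reasoning about rule order; it is not Huawei VRP's
parser. The tiny rule grammar (ttl / dscp matches only) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar: "rule <id> permit|deny ip [ttl <n>] [dscp <n>]"
RULE_RE = re.compile(
    r"^rule (?P<id>\d+) (?P<action>permit|deny) ip"
    r"(?: ttl (?P<ttl>\d+))?(?: dscp (?P<dscp>\d+))?$"
)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    ttl: Optional[int] = None   # match only packets with exactly this TTL
    dscp: Optional[int] = None  # match only packets with this DSCP value


def build_acl(name: str, threshold: int = 16, protect_dscp: Optional[int] = None) -> str:
    """Generate an advanced ACL denying every TTL below `threshold`.

    Mirrors the note's one-rule-per-TTL layout. If `protect_dscp` is given,
    a leading permit for that DSCP is emitted first, so control-plane traffic
    marked with it (e.g. CS6 = 48) is matched before any deny rule.
    """
    lines = [f"acl name {name} advanced"]
    if protect_dscp is not None:
        lines.append(f"rule 0 permit ip dscp {protect_dscp}")
    for ttl in range(1, threshold):
        lines.append(f"rule {ttl} deny ip ttl {ttl}")
    lines.append(f"rule {threshold} permit ip")
    return "\n".join(lines)


def parse_acl(text: str) -> list:
    """Parse rule lines; non-rule lines (the acl header, '#') are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append(Rule(
            rule_id=int(m["id"]),
            action=m["action"],
            ttl=int(m["ttl"]) if m["ttl"] else None,
            dscp=int(m["dscp"]) if m["dscp"] else None,
        ))
    # Evaluate in rule-id order (assumption made for this model).
    return sorted(rules, key=lambda r: r.rule_id)


def evaluate(rules: list, ttl: int, dscp: int = 0) -> tuple:
    """Return (action, matching rule id) for one packet; first match wins."""
    for r in rules:
        if r.ttl is not None and r.ttl != ttl:
            continue
        if r.dscp is not None and r.dscp != dscp:
            continue
        return r.action, r.rule_id
    return "permit", None  # nothing matched: treated as permit (assumption)


# Constructed sample packets (not captured traffic): (label, ttl, dscp).
SAMPLE_PACKETS = [
    ("ospf-hello", 1, 48),   # link-local routing packet, CS6-marked
    ("traceroute", 3, 0),    # probe that would expire on this router
    ("boundary", 16, 0),     # lowest TTL the note still permits
    ("normal-tcp", 64, 0),
]


def classify(acl_text: str) -> dict:
    """Map each sample packet label to the action the ACL takes on it."""
    rules = parse_acl(acl_text)
    return {label: evaluate(rules, ttl, dscp)[0] for label, ttl, dscp in SAMPLE_PACKETS}


if __name__ == "__main__":
    for title, acl in (("as in the note", build_acl("deny-low-ttl")),
                       ("with CS6 permit first", build_acl("deny-low-ttl", protect_dscp=48))):
        print(f"{title}: {classify(acl)}")
```

Running it shows the ospf-hello packet as deny with the note's ACL and permit once the DSCP rule precedes the TTL denies, while the traceroute probe stays denied and TTL 16 and above stay permitted either way; the point is that the protecting rule must sort before the deny rules, since the first match decides.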