Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3E
ACL Support for Filtering IP Options
Downloads: This chapterpdf (PDF - 1.18MB) The complete bookPDF (PDF - 2.33MB) | The complete bookePub (ePub - 189.0KB) | Feedback

ACL Support for Filtering IP Options

ACL Support for Filtering IP Options

The ACL Support for Filtering IP Options feature describes how to use an IP access list to filter IP packets that contain IP options to prevent devices from becoming saturated with spurious packets.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for ACL Support for Filtering IP Options

Before you configure the ACL Support for Filtering IP Options feature, you must understand the concepts of the IP access lists.

Information About ACL Support for Filtering IP Options

IP Options

IP uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header Checksum.

The Options, commonly referred to as IP Options, provide for control functions that are required in some situations but unnecessary for the most common communications. IP Options include provisions for time stamps, security, and special routing.

IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.

The option field is variable in length. There may be zero or more options. IP Options can have one of two formats:

  • Format 1: A single octet of option-type.
  • Format 2: An option-type octet, an option-length octet, and the actual option-data octets.

The option-length octet counts the option-type octet, the option-length octet, and the option-data octets.

The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred to by their 8-bit value.

For a complete list and description of IP Options, refer to RFC 791, Internet Protocol at the following URL: http://www.faqs.org/rfcs/rfc791.html

Benefits of Filtering IP Options

  • Filtering of packets that contain IP Options from the network relieves downstream devices and hosts of the load from options packets.
  • This feature also minimizes load to the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems. Previously, the packets were always routed to or processed by the RP CPU. Filtering the packets prevents them from impacting the RP.

How to Configure ACL Support for Filtering IP Options

Filtering Packets That Contain IP Options

Complete these steps to configure an access list to filter packets that contain IP options and to verify that the access list has been configured correctly.


Note


  • The ACL Support for Filtering IP Options feature can be used only with named, extended ACLs.
  • Resource Reservation Protocol (RSVP) Multiprotocol Label Switching Traffic Engineering (MPLS TE), Internet Group Management Protocol Version 2 (IGMPV2), and other protocols that use IP options packets may not function in drop or ignore mode if this feature is configured.
  • On most Cisco devices, a packet with IP options is not switched in hardware, but requires control plane software processing (primarily because there is a need to process the options and rewrite the IP header), so all IP packets with IP options will be filtered and switched in software.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip access-list extended access-list-name

    4.    [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

    5.    [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

    6.    Repeat Step 4 or Step 5 as necessary.

    7.    end

    8.    show ip access-lists access-list-name


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ip access-list extended access-list-name


    Example:
    Device(config)# ip access-list extended mylist1
     

    Specifies the IP access list by name and enters named access list configuration mode.

     
    Step 4 [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

    Example:
    Device(config-ext-nacl)# deny ip any any option traceroute
     

    (Optional) Specifies a deny statement in named IP access list mode.

    • This access list happens to use a denystatement first, but a permit statement could appear first, depending on the order of statements you need.
    • Use the option keyword and option-value argument to filter packets that contain a particular IP Option.
    • In this example, any packet that contains the traceroute IP option will be filtered out.
    • Use the no sequence-number form of this command to delete an entry.
     
    Step 5 [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

    Example:
    Device(config-ext-nacl)# permit ip any any option security
     

    Specifies a permit statement in named IP access list mode.

    • In this example, any packet (not already filtered) that contains the security IP option will be permitted.
    • Use the no sequence-number form of this command to delete an entry.
     
    Step 6 Repeat Step 4 or Step 5 as necessary.  

    Allows you to revise the access list.

     
    Step 7 end


    Example:
    Device(config-ext-nacl)# end
     

    (Optional) Exits named access list configuration mode and returns to privileged EXEC mode.

     
    Step 8 show ip access-lists access-list-name


    Example:
    Device# show ip access-lists mylist1
     

    (Optional) Displays the contents of the IP access list.

     

    Configuration Examples for ACL Support for Filtering IP Options

    Example: Filtering Packets That Contain IP Options

    The following example shows an extended access list named mylist2 that contains access list entries (ACEs) that are configured to permit TCP packets only if they contain the IP Options that are specified in the ACEs:

    ip access-list extended mylist2
     10 permit ip any any option eool
     20 permit ip any any option record-route
     30 permit ip any any option zsu
     40 permit ip any any option mtup
    

    The show access-list command has been entered to show how many packets were matched and therefore permitted:

    Device# show ip access-list mylist2
    Extended IP access list test
    10 permit ip any any option eool (1 match)
    20 permit ip any any option record-route (1 match)
    30 permit ip any any option zsu (1 match)
    40 permit ip any any option mtup (1 match)

    Additional References for ACL Support for Filtering IP Options

    Related Documents

    Table 1 Standards and RFCs

    Standards/RFCs

    Title

    RFC 791

    Internet Protocol

    RFC 793

    Transmission Control Protocol

    RFC 1393

    Traceroute Using an IP Option

    Technical Assistance

    Description

    Link

    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

    Feature Information for ACL Support for Filtering IP Options

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

    Table 2 Feature Information for ACL Support for Filtering IP Options

    Feature Name

    Releases

    Feature Information

    ACL Support for Filtering IP Options

    Cisco IOS XE Release 3.5E

    The ACL Support for Filtering IP Options feature describes how to use an IP access list to filter IP packets that contain IP options to prevent devices from becoming saturated with spurious packets.