-
- Downstream Interface Configuration
- Upstream Interface Configuration
- DOCSIS Interface and Fiber Node Configuration
- DOCSIS Load Balancing Groups
- DOCSIS Load Balancing Movements
- DOCSIS 3.0 Downstream Bonding
- DOCSIS 2.0 A-TDMA Modulation Profiles
- Downstream Resiliency Bonding Group
- Downstream Channel ID Assignment
- Upstream Channel Bonding
- Spectrum Management and Advanced Spectrum Management
- Upstream Scheduler Mode
- Generic Routing Encapsulation
- Transparent LAN Service over Cable
- Downgrading Channel Bonding in Battery Backup Mode
- Energy Management Mode
-
- IP Access Control Lists
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Refining an IP Access List
- IP Named Access Control Lists
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- ACL IP Options Selective Drop
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 Template ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
-
- Call Home
- SNMP Support over VPNs—Context-Based Access Control
- SNMP Cache Engine Enhancement
- Onboard Failure Logging
- Control Point Discovery
- IPDR Streaming Protocol
- Usage-Based Billing (SAMIS)
- Frequency Allocation Information for the Cisco CMTS Routers
- Flap List Troubleshooting
- Maximum CPE and Host Parameters
- SNMP Background Synchronization
- Online Offline Diagnostics
- Index
- Hardware Compatibility Matrix for Cisco cBR Series Routers
- Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports
- Information About Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- How to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports
- Filtering Packets That Contain IP Options
- Filtering Packets That Contain TCP Flags
- Configuring an Access Control Entry with Noncontiguous Ports
- Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry
- Filtering Packets Based on TTL Value
- Enabling Control Plane Policing to Filter on TTL Values 0 and 1
- Configuration Examples for Filtering IP Options, TCP Flags, Noncontiguous Ports
- Example: Filtering Packets That Contain IP Options
- Example: Filtering Packets That Contain TCP Flags
- Example: Creating an Access List Entry with Noncontiguous Ports
- Example: Consolidating Some Existing Access List Entries into One Access List Entry with Noncontiguous Ports
- Example: Filtering on TTL Value
- Example: Control Plane Policing to Filter on TTL Values 0 and 1
- Additional References
- Feature Information for Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
This module describes how to use an IP access list to filter IP packets that contain certain IP Options, TCP flags, noncontiguous ports.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
Contents
- Hardware Compatibility Matrix for Cisco cBR Series Routers
- Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports
- Information About Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- How to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports
- Configuration Examples for Filtering IP Options, TCP Flags, Noncontiguous Ports
- Additional References
- Feature Information for Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
Hardware Compatibility Matrix for Cisco cBR Series Routers
![]() Note | The hardware components introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified. |
Cisco CMTS Platform |
Processor Engine |
Interface Cards |
---|---|---|
Cisco cBR-8 Converged Broadband Router |
Cisco IOS-XE Release 3.15.0S and Later Releases Cisco cBR-8 Supervisor:
|
Cisco IOS-XE Release 3.15.0S and Later Releases Cisco cBR-8 CCAP Line Cards: Cisco cBR-8 Downstream PHY Modules: Cisco cBR-8 Upstream PHY Modules: |
Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports
Before you perform any of the tasks in this module, you should be familiar with the information in the following modules:
Information About Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- IP Options
- Benefits of Filtering IP Options
- Benefits of Filtering on TCP Flags
- TCP Flags
- Benefits of Using the Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature
- How Filtering on TTL Value Works
- Benefits of Filtering on TTL Value
IP Options
IP uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header Checksum.
The Options, commonly referred to as IP Options, provide for control functions that are required in some situations but unnecessary for the most common communications. IP Options include provisions for time stamps, security, and special routing.
IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP Options can have one of two formats:
Format 1: A single octet of option-type.
Format 2: An option-type octet, an option-length octet, and the actual option-data octets.
The option-length octet counts the option-type octet, the option-length octet, and the option-data octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred to by their 8-bit value.
For a complete list and description of IP Options, refer to RFC 791, Internet Protocol at the following URL: http://www.faqs.org/rfcs/rfc791.html
Benefits of Filtering IP Options
Filtering of packets that contain IP Options from the network relieves downstream devices and hosts of the load from options packets.
This feature also minimizes load to the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems. Previously, the packets were always routed to or processed by the RP CPU. Filtering the packets prevents them from impacting the RP.
Benefits of Filtering on TCP Flags
The ACL TCP Flags Filtering feature provides a flexible mechanism for filtering on TCP flags. Previously, an incoming packet was matched as long as any TCP flag in the packet matched a flag specified in the access control entry (ACE). This behavior allows for a security loophole, because packets with all flags set could get past the access control list (ACL). The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.
Because TCP packets can be sent as false synchronization packets that can be accepted by a listening port, it is recommended that administrators of firewall devices set up some filtering rules to drop false TCP packets.
The ACEs that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have a very specific group of TCP flags set or not set. The ACL TCP Flags Filtering feature provides a greater degree of packet-filtering control in the following ways:
TCP Flags
The table below lists the TCP flags, which are further described in RFC 793, Transmission Control Protocol.
TCP Flag |
Purpose |
---|---|
ACK |
Acknowledge flag—Indicates that the acknowledgment field of a segment specifies the next sequence number the sender of this segment is expecting to receive. |
FIN |
Finish flag—Used to clear connections. |
PSH |
Push flag—Indicates the data in the call should be immediately pushed through to the receiving user. |
RST |
Reset flag—Indicates that the receiver should delete the connection without further interaction. |
SYN |
Synchronize flag—Used to establish connections. |
URG |
Urgent flag—Indicates that the urgent field is meaningful and must be added to the segment sequence number. |
Benefits of Using the Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature
This feature greatly reduces the number of access control entries (ACEs) required in an access control list to handle multiple entries for the same source address, destination address, and protocol. If you maintain large numbers of ACEs, use this feature to consolidate existing groups of access list entries wherever it is possible and when you create new access list entries. When you configure access list entries with noncontiguous ports, you will have fewer access list entries to maintain.
How Filtering on TTL Value Works
IP extended named and numbered access lists may filter on the TTL value of packets arriving at or leaving an interface. Packets with any possible TTL values 0 through 255 may be permitted or denied (filtered). Like filtering on other fields, such as source or destination address, the ip access-group command specifies in or out, which makes the access list ingress or egress and applies it to incoming or outgoing packets, respectively. The TTL value is checked in conjunction with the specified protocol, application, and any other settings in the access list entry, and all conditions must be met.
Special Handling for Packets with TTL Value of 0 or 1 Arriving at an Ingress Interface
The software switching paths—distributed Cisco Express Forwarding (dCEF), CEF, fast switching, and process switching—will usually permit or discard the packets based on the access list statements. However, when the TTL value of packets arriving at an ingress interface have a TTL of 0 or 1, special handling is required. The packets with a TTL value of 0 or 1 get sent to the process level before the ingress access list is checked in CEF, dCEF, or the fast switching paths. The ingress access list is applied to packets with TTL values 2 through 255 and a permit or deny decision is made.
Packets with a TTL value of 0 or 1 are sent to the process level because they will never be forwarded out of the device; the process level must check whether each packet is destined for the device and whether an Internet Control Message Protocol (ICMP) TTL Expire message needs to be sent back. This means that even if an ACL with TTL value 0 or 1 filtering is configured on the ingress interface with the intention to drop packets with a TTL of 0 or 1, the dropping of the packets will not happen in the faster paths. It will instead happen in the process level when the process applies the ACL. This is also true for hardware switching platforms. Packets with TTL value of 0 or 1 are sent to the process level of the route processor (RP) or Multilayer Switch Feature Card (MSFC).
On egress interfaces, access list filtering on TTL value works just like other access list features. The check will happen in the fastest switching path enabled in the device. This is because the faster switching paths handle all the TTL values (0 through 255) equally on the egress interface.
Control Plane Policing for Filtering TTL Values 0 and 1
The special behavior for packets with a TTL value of 0 or 1 results in higher CPU usage for the device. If you are filtering on TTL value of 0 or 1, you should use control plane policing (CPP) to protect the CPU from being overwhelmed. In order to leverage CPP, you must configure an access list especially for filtering TTL values 0 and 1 and apply the access list through CPP. This access list will be a separate access list from any other interface access lists. Because CPP works for the entire system, not just on individual interfaces, you would need to configure only one such special access list for the entire device. This task is described in the section "Enabling Control Plane Policing to Filter on TTL Values 0 and 1".
Benefits of Filtering on TTL Value
Filtering on time-to-live (TTL) value provides a way to control which packets are allowed to reach the device or are prevented from reaching the device. By looking at your network layout, you can choose whether to accept or deny packets from a certain device based on how many hops away it is. For example, in a small network, you can deny packets from a location more than three hops away. Filtering on TTL value allows you to validate if the traffic originated from a neighboring device. You can accept only packets that reach you in one hop, for example, by accepting only packets with a TTL value of one less than the initial TTL value of a particular protocol.
Many control plane protocols communicate only with their neighbors, but receive packets from everyone. By applying an access list that filters on TTL to receiving routers, you can block unwanted packets.
The Cisco software sends all packets with a TTL value of 0 or 1 to the process level. The device must then send an Internet Control Message Protocol (ICMP) TTL value expire message to the source. By filtering packets that have a TTL value of 0 through 2, you can reduce the load on the process level.
How to Create an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports
- Filtering Packets That Contain IP Options
- Filtering Packets That Contain TCP Flags
- Configuring an Access Control Entry with Noncontiguous Ports
- Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry
- Filtering Packets Based on TTL Value
- Enabling Control Plane Policing to Filter on TTL Values 0 and 1
Filtering Packets That Contain IP Options
Complete these steps to configure an access list to filter packets that contain IP options and to verify that the access list has been configured correctly.
What to Do Next
Apply the access list to an interface or reference it from a command that accepts an access list.
![]() Note | To effectively eliminate all packets that contain IP Options, we recommend that you configure the global ip options drop command. |
Filtering Packets That Contain TCP Flags
This task configures an access list to filter packets that contain TCP flags and verifies that the access list has been configured correctly.
![]() Caution | If a device having ACEs with the new syntax format is reloaded with a previous version of the Cisco software that does not support the ACL TCP Flags Filtering feature, the ACEs will not be applied, leading to possible security loopholes. |
Configuring an Access Control Entry with Noncontiguous Ports
Perform this task to create access list entries that use noncontiguous TCP or UDP port numbers. Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
![]() Note | The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature can be used only with named, extended ACLs. |
Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry
Perform this task to consolidate a group of access list entries with noncontiguous ports into one access list entry.
Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
What To Do Next
Apply the access list to an interface or reference it from a command that accepts an access list.
Filtering Packets Based on TTL Value
Because access lists are very flexible, it is not possible to define only one combination of permit and deny commands to filter packets based on the TTL value. This task illustrates just one example that achieves TTL filtering. Configure the appropriate permit and deny statements that will accomplish your filtering plan.
![]() Note | When the access list specifies the operation EQ or NEQ, depending on the Cisco software release in use on the device, the access lists can specify up to ten TTL values. The number of TTL values can vary by the Cisco software release. |
Enabling Control Plane Policing to Filter on TTL Values 0 and 1
Perform this task to filter IP packets based on a TTL value of 0 or 1 and to protect the CPU from being overwhelmed. This task configures an access list for classification on TTL value 0 and 1, configures the Modular QoS Command-Line Interface (CLI) (MQC), and applies a policy map to the control plane. Any packets that pass the access list are dropped. This special access list is separate from any other interface access lists.
Because access lists are very flexible, it is not possible to define only one combination of permit and deny commands to filter packets based on the TTL value. This task illustrates just one example that achieves TTL filtering. Configure the appropriate permit and deny statements that will accomplish your filtering plan.
Configuration Examples for Filtering IP Options, TCP Flags, Noncontiguous Ports
- Example: Filtering Packets That Contain IP Options
- Example: Filtering Packets That Contain TCP Flags
- Example: Creating an Access List Entry with Noncontiguous Ports
- Example: Consolidating Some Existing Access List Entries into One Access List Entry with Noncontiguous Ports
- Example: Filtering on TTL Value
- Example: Control Plane Policing to Filter on TTL Values 0 and 1
Example: Filtering Packets That Contain IP Options
The following example shows an extended access list named mylist2 that contains access list entries (ACEs) that are configured to permit TCP packets only if they contain the IP Options that are specified in the ACEs:
ip access-list extended mylist2 10 permit ip any any option eool 20 permit ip any any option record-route 30 permit ip any any option zsu 40 permit ip any any option mtup
The show access-list command has been entered to show how many packets were matched and therefore permitted:
Device# show ip access-list mylist2 Extended IP access list test 10 permit ip any any option eool (1 match) 20 permit ip any any option record-route (1 match) 30 permit ip any any option zsu (1 match) 40 permit ip any any option mtup (1 match)
Example: Filtering Packets That Contain TCP Flags
The following access list allows TCP packets only if the TCP flags ACK and SYN are set and the FIN flag is not set:
ip access-list extended aaa permit tcp any any match-all +ack +syn -fin end
The show access-list command has been entered to display the ACL:
Device# show access-list aaa Extended IP access list aaa 10 permit tcp any any match-all +ack +syn -fin
Example: Creating an Access List Entry with Noncontiguous Ports
The following access list entry can be created because up to ten ports can be entered after the eq and neq operators:
ip access-list extended aaa permit tcp any eq telnet ftp any eq 23 45 34 end
Enter the show access-lists command to display the newly created access list entry.
Device# show access-lists aaa Extended IP access list aaa 10 permit tcp any eq telnet ftp any eq 23 45 34
Example: Consolidating Some Existing Access List Entries into One Access List Entry with Noncontiguous Ports
The show access-lists command is used to display a group of access list entries for the access list named abc:
Device# show access-lists abc Extended IP access list abc 10 permit tcp any eq telnet any eq 450 20 permit tcp any eq telnet any eq 679 30 permit tcp any eq ftp any eq 450 40 permit tcp any eq ftp any eq 679
Because the entries are all for the same permit statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
ip access-list extended abc no 10 no 20 no 30 no 40 permit tcp any eq telnet ftp any eq 450 679 end
When the show access-lists command is reentered, the consolidated access list entry is displayed:
Device# show access-lists abc Extended IP access list abc 10 permit tcp any eq telnet ftp any eq 450 679
Example: Filtering on TTL Value
The following access list filters IP packets containing type of service (ToS) level 3 with time-to-live (TTL) values 10 and 20. It also filters IP packets with a TTL greater than 154 and applies that rule to noninitial fragments. It permits IP packets with a precedence level of flash and a TTL value not equal to 1, and it sends log messages about such packets to the console. All other packets are denied.
ip access-list extended incomingfilter deny ip any any tos 3 ttl eq 10 20 deny ip any any ttl gt 154 fragments permit ip any any precedence flash ttl neq 1 log ! interface TenGigabitEthernet4/1/0
ip access-group incomingfilter in
Example: Control Plane Policing to Filter on TTL Values 0 and 1
The following example configures a traffic class called acl-filter-class for use in a policy map called acl-filter. An access list permits IP packets from any source having a time-to-live (TTL) value of 0 or 1. Any packets matching the access list are dropped. The policy map is attached to the control plane.
ip access-list extended ttlfilter
permit ip any any ttl eq 0 1
class-map acl-filter-class
match access-group name ttlfilter
policy-map acl-filter
class acl-filter-class
drop
control-plane
service-policy input acl-filter
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
Cisco IOS Security Command Reference |
Configuring the device to drop or ignore packets containing IP Options by using the no ip options command. |
“ACL IP Options Selective Drop” |
Overview information about access lists. |
“IP Access List Overview” |
Information about creating an IP access list and applying it to an interface |
“Creating an IP Access List and Applying It to an Interface” |
QoS commands |
Cisco IOS Quality of Service Solutions Command Reference |
RFCs
RFC |
Title |
---|---|
RFC 791 |
Internet Protocol http://www.faqs.org/rfcs/rfc791.html http://www.faqs.org/rfcs/rfc791.html |
RFC 793 |
Transmission Control Protocol |
RFC 1393 |
Traceroute Using an IP Option |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.
![]() Note | The below table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature. |
Feature Name |
Releases |
Feature Information |
---|---|---|
IP Access Lists |
Cisco IOS-XE Release 3.15.0S |
This feature was introduced on the Cisco cBR Series Converged Broadband Routers. |