ACL Support for Filtering IP Options
The ACL Support for Filtering IP Options feature describes how to use an IP access list to filter IP packets that contain IP options to prevent devices from becoming saturated with spurious packets.
- Finding Feature Information
- Prerequisites for ACL Support for Filtering IP Options
- Information About ACL Support for Filtering IP Options
- How to Configure ACL Support for Filtering IP Options
- Configuration Examples for ACL Support for Filtering IP Options
- Additional References for ACL Support for Filtering IP Options
- Feature Information for ACL Support for Filtering IP Options
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for ACL Support for Filtering IP Options
Before you configure the ACL Support for Filtering IP Options feature, you must understand the concepts of IP access lists.
Information About ACL Support for Filtering IP Options
IP Options
IP uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header Checksum.
The Options, commonly referred to as IP Options, provide for control functions that are required in some situations but unnecessary for the most common communications. IP Options include provisions for time stamps, security, and special routing.
IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP Options can have one of two formats:
- Format 1: A single octet of option-type.
- Format 2: An option-type octet, an option-length octet, and the actual option-data octets.
The option-length octet counts the option-type octet, the option-length octet, and the option-data octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred to by their 8-bit value.
For a complete list and description of IP Options, refer to RFC 791, Internet Protocol at the following URL: http://www.faqs.org/rfcs/rfc791.html
Benefits of Filtering IP Options
Filtering of packets that contain IP Options from the network relieves downstream devices and hosts of the load from options packets.
This feature also minimizes load to the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems. Previously, the packets were always routed to or processed by the RP CPU. Filtering the packets prevents them from impacting the RP.
How to Configure ACL Support for Filtering IP Options
Filtering Packets That Contain IP Options
Complete these steps to configure an access list to filter packets that contain IP options and to verify that the access list has been configured correctly.
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Configuration Examples for ACL Support for Filtering IP Options
Example: Filtering Packets That Contain IP Options
The following example shows an extended access list named mylist2 that contains access list entries (ACEs) that are configured to permit TCP packets only if they contain one of the IP Options that are specified in the ACEs:
ip access-list extended mylist2
 10 permit ip any any option eool
 20 permit ip any any option record-route
 30 permit ip any any option zsu
 40 permit ip any any option mtup
The show access-list command has been entered to show how many packets were matched and therefore permitted:
Device# show ip access-list mylist2
Extended IP access list test
 10 permit ip any any option eool (1 match)
 20 permit ip any any option record-route (1 match)
 30 permit ip any any option zsu (1 match)
 40 permit ip any any option mtup (1 match)
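To make concrete both the two option formats described under "IP Options" and the way an ACE with the option parameter matches a packet, here is an added Python example (not Cisco code, and not how IOS implements the feature internally). It walks the IPv4 options field as RFC 791 defines it, splitting each option-type octet into its copied flag, class and number, and then evaluates a packet against an ordered ACE list modelled on the mylist2 example above, first match wins and an implicit deny at the end. The keyword-to-option-type values come from RFC 791 and the IANA IP option registry; the ACE tuple shape, the ipv4_header() builder and the sample packets are constructed for this example only.

```python
"""Added example: parse IPv4 options (RFC 791) and evaluate an ACE list that
uses the "option option-value" qualifier. Not Cisco's implementation."""
import struct

# Keyword -> option-type octet (copied flag, class and number in one byte).
# Values from RFC 791 / IANA; keyword names follow the IOS option keywords.
OPTION_KEYWORDS = {
    "eool": 0,            # end of option list (format 1, single octet)
    "no-op": 1,           # no operation   (format 1, single octet)
    "record-route": 7,    # RR
    "zsu": 10,            # experimental measurement
    "mtup": 11,           # MTU probe
    "mtur": 12,           # MTU reply
    "timestamp": 68,      # TS
    "security": 130,      # RFC 791 security option
    "lsr": 131,           # loose source route
    "stream-id": 136,     # SID
    "ssr": 137,           # strict source route
}

SINGLE_OCTET = {0, 1}     # format 1 options carry no length octet


def split_option_type(otype):
    """Split an option-type octet into (copied flag, 2-bit class, 5-bit number)."""
    return otype >> 7, (otype >> 5) & 0x3, otype & 0x1F


def parse_ipv4_options(header):
    """Return [(option_type, option_data)] for every option in an IPv4 header.

    Raises ValueError for a truncated header, an IHL that disagrees with the
    buffer, or a format-2 option whose length octet runs past the options
    area: the malformed cases a filter should treat as suspect, not skip.
    """
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("IHL %d inconsistent with header length" % ihl)
    opts = header[20:ihl]
    found, i = [], 0
    while i < len(opts):
        otype = opts[i]
        if otype in SINGLE_OCTET:                  # format 1
            found.append((otype, b""))
            if otype == 0:                         # EOOL terminates the list
                break
            i += 1
            continue
        if i + 1 >= len(opts):                     # format 2 needs a length octet
            raise ValueError("option %d missing length octet" % otype)
        length = opts[i + 1]                       # counts type+length+data
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (otype, length))
        found.append((otype, bytes(opts[i + 2:i + length])))
        i += length
    return found


def options_well_formed(header):
    """True when the options field parses cleanly under RFC 791 rules."""
    try:
        parse_ipv4_options(header)
        return True
    except ValueError:
        return False


def evaluate_acl(acl, header):
    """Return (sequence, action) of the first ACE that matches the packet.

    acl is a list of (sequence, action, option_keyword_or_None); None means
    the ACE has no option qualifier and matches any packet. As in an IOS ACL,
    the list ends with an implicit deny, returned here as (None, "deny").
    """
    present = {otype for otype, _ in parse_ipv4_options(header)}
    for seq, action, keyword in acl:
        if keyword is None or OPTION_KEYWORDS[keyword] in present:
            return seq, action
    return None, "deny"


def ipv4_header(options=b"", src="10.0.0.1", dst="10.0.0.2"):
    """Constructed IPv4/TCP header carrying the given options, zero-padded to a
    32-bit boundary as RFC 791 requires (checksum left zero; not needed here)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split("."))) + options


# The mylist2 ACL from this page, as (sequence, action, option keyword).
MYLIST2 = [(10, "permit", "eool"), (20, "permit", "record-route"),
           (30, "permit", "zsu"), (40, "permit", "mtup")]

# Constructed sample packets (not captured traffic).
PKT_RR = ipv4_header(bytes([1, 7, 7, 4]) + b"\x00" * 4)    # NOP, then RR len 7 ptr 4
PKT_TS = ipv4_header(bytes([68, 8, 5, 0]) + b"\x00" * 4)   # timestamp, len 8, ptr 5
PKT_PLAIN = ipv4_header()                                   # IHL 5, no options
PKT_BAD = ipv4_header(bytes([7, 40, 4]))                    # RR claims 40 bytes in 4

if __name__ == "__main__":
    for name, pkt in (("record-route", PKT_RR), ("timestamp", PKT_TS),
                      ("no options", PKT_PLAIN)):
        print(name, "->", evaluate_acl(MYLIST2, pkt))
    print("malformed parses cleanly:", options_well_formed(PKT_BAD))
```

Running it shows the point the show output above leaves implicit: mylist2 permits only packets that carry one of the four listed options, so a packet with a timestamp option, or with no options at all, falls through to the implicit deny. Swapping the ACE list for a deny-on-option entry followed by a permit with no qualifier gives the "filter options packets, pass everything else" policy that the Benefits section describes. The evaluator treats a trailing EOOL padding octet as the eool option; confirm on your own platform before relying on that detail.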
Additional References for ACL Support for Filtering IP Options
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands |
Security commands |
Overview information about access lists | "IP Access List Overview"

Standards/RFCs | Title
---|---
RFC 791 | Internet Protocol
RFC 793 | Transmission Control Protocol
RFC 1393 | Traceroute Using an IP Option
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for ACL Support for Filtering IP Options
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
Feature Name | Releases | Feature Information
---|---|---
ACL Support for Filtering IP Options | Cisco IOS XE 3.6E | The ACL Support for Filtering IP Options feature describes how to use an IP access list to filter IP packets that contain IP options to prevent devices from becoming saturated with spurious packets. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches.