Data Plane Security IOS ACL Selective IP Option Drop

REFERENCE

ACL IP Options Selective Drop

MEMO

Drop or ignore packets whose IP header carries the options field. There are two ways to do this.

  • Use the ip options command
R3(config)#ip options drop
R#(config)#ip options ignore

% Warning: RSVP and other protocols that use IP Options packets
may not function as expected.


  • An extended ACL that specifies option, applied with access-group XX in, also works
R3(config-ext-nacl)#deny ip any any option ?
  <0-255>       IP Options value
  add-ext       Match packets with Address Extension Option (147)
  any-options   Match packets with ANY Option
  com-security  Match packets with Commercial Security Option (134)
  dps           Match packets with Dynamic Packet State Option (151)
  encode        Match packets with Encode Option (15)
  eool          Match packets with End of Options (0)
  ext-ip        Match packets with Extended IP Option (145)
  ext-security  Match packets with Extended Security Option (133)
  finn          Match packets with Experimental Flow Control Option (205)
  imitd         Match packets with IMI Traffic Desriptor Option (144)
  lsr           Match packets with Loose Source Route Option (131)
  mtup          Match packets with MTU Probe Option (11)
  mtur          Match packets with MTU Reply Option (12)
  no-op         Match packets with No Operation Option (1)
  nsapa         Match packets with NSAP Addresses Option (150)
  record-route  Match packets with Record Route Option (7)
  router-alert  Match packets with Router Alert Option (148)
  sdb           Match packets with Selective Directed Broadcast Option (149)
  security      Match packets with Basic Security Option (130)
  ssr           Match packets with Strict Source Routing Option (137)
  stream-id     Match packets with Stream ID Option (136)
  timestamp     Match packets with Time Stamp Option (68)
  traceroute    Match packets with Trace Route Option (82)
  ump           Match packets with Upstream Multicast Packet Option (152)
  visa          Match packets with Experimental Access Control Option (142)
  zsu           Match packets with Experimental Measurement Option (10)
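To see what the option keywords above actually match on the wire, here is an added example (not Cisco's code and not from the original memo) that parses the IPv4 options field of a raw header and emulates the `deny ip any any option <keyword>` decision. The option-number-to-keyword table is taken from the CLI help output above; the sample packets are constructed inline with documentation addresses and no header checksum, and the names `parse_ipv4_options`, `acl_option_match` and `build_ipv4` are the example's own.

```python
import struct

# Option type number -> IOS ACL keyword, copied from the CLI help table above.
IOS_OPTION_KEYWORDS = {
    0: "eool", 1: "no-op", 7: "record-route", 10: "zsu", 11: "mtup", 12: "mtur",
    15: "encode", 68: "timestamp", 82: "traceroute", 130: "security",
    131: "lsr", 133: "ext-security", 134: "com-security", 136: "stream-id",
    137: "ssr", 142: "visa", 144: "imitd", 145: "ext-ip", 147: "add-ext",
    148: "router-alert", 149: "sdb", 150: "nsapa", 151: "dps", 152: "ump",
    205: "finn",
}


def parse_ipv4_options(packet: bytes) -> list:
    """Return the option type numbers carried in an IPv4 header.

    Walks the TLV list between byte 20 and IHL*4. EOOL (0) ends the list,
    NOP (1) is a single byte, everything else has a length byte.
    Raises ValueError for a truncated or malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("IHL inconsistent with packet length")
    opts = packet[20:ihl]
    types = []
    i = 0
    while i < len(opts):
        t = opts[i]
        types.append(t)
        if t == 0:          # End of Option List
            break
        if t == 1:          # No Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        i += length
    return types


def option_keywords(packet: bytes) -> list:
    """Map the options found in the header to the ACL keywords above."""
    return [IOS_OPTION_KEYWORDS.get(t, str(t)) for t in parse_ipv4_options(packet)]


def acl_option_match(packet: bytes, keyword: str) -> bool:
    """Emulate `deny ip any any option <keyword>`.

    'any-options' matches a header that carries any option at all;
    a keyword or a numeric value (0-255) matches that specific option type."""
    types = parse_ipv4_options(packet)
    if keyword == "any-options":
        return len(types) > 0
    if keyword.isdigit():
        return int(keyword) in types
    wanted = {n for n, k in IOS_OPTION_KEYWORDS.items() if k == keyword}
    if not wanted:
        raise ValueError(f"unknown option keyword {keyword}")
    return any(t in wanted for t in types)


def build_ipv4(options: bytes) -> bytes:
    """Constructed sample only: a minimal IPv4/UDP header carrying `options`,
    zero-padded to a 4-byte boundary. Checksum is left at 0 (not computed)."""
    pad = (-len(options)) % 4
    opts = options + b"\x00" * pad
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(opts), 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + opts


if __name__ == "__main__":
    samples = {
        "plain": build_ipv4(b""),
        # Loose Source Route: type 131, length 7, pointer 4, one hop address
        "lsr": build_ipv4(bytes([131, 7, 4, 192, 0, 2, 9])),
        # Router Alert: type 148, length 4, value 0
        "router-alert": build_ipv4(bytes([148, 4, 0, 0])),
    }
    for name, pkt in samples.items():
        print(name, option_keywords(pkt),
              "drop(any-options)=", acl_option_match(pkt, "any-options"))
```

The `ip options drop` global command corresponds to the `any-options` branch here: a header with any option present is dropped. The extended-ACL form lets the same router keep, for instance, `router-alert` (needed by RSVP, as the warning above notes) while denying `lsr`/`ssr`; the parser also shows why a length-checked walk matters, since a malformed option list is rejected rather than silently passed.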
