Cisco Catalyst 2960 Series Configuration Manual
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)

Information About ACL Support for Filtering IP Options
IP Options
IP uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header
Checksum.
The Options, commonly referred to as IP Options, provide for control functions that are required in some
situations but unnecessary for the most common communications. IP Options include provisions for time
stamps, security, and special routing.
IP Options may or may not appear in a given datagram. They must be implemented by all IP modules (hosts
and gateways); what is optional is their transmission in any particular datagram, not their implementation.
In some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP Options can have one of two
formats:
• Format 1: A single octet of option-type.
• Format 2: An option-type octet, an option-length octet, and the actual option-data octets.
The option-length octet counts the option-type octet, the option-length octet, and the option-data octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit
option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred
to by their 8-bit value.
For a complete list and description of IP Options, refer to RFC 791, Internet Protocol at the following URL:
http://www.faqs.org/rfcs/rfc791.html
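The two option formats and the three-field option-type octet described above, as an added worked example in Python (this is not code from the Cisco guide). The parser walks an IPv4 options field, stops at End of Option List, and rejects any option-length octet that does not fit in the field, because that octet is attacker-controlled; `has_ip_options()` is the presence test an ACE that denies every packet carrying IP Options performs. The sample header, the option-name table and all function names are constructed for this example.

```python
"""Parse the variable-length IPv4 options field (RFC 791, section 3.1).

Added worked example, not code from the Cisco guide. Handles both option
formats (single type octet, or type/length/data), splits the type octet
into copied flag / class / number, and never trusts a length octet that
would run past the end of the field.
"""
from dataclasses import dataclass
from typing import List

# Single-octet options defined by RFC 791: End of Option List and No Operation.
EOOL, NOP = 0, 1
SINGLE_OCTET_TYPES = {EOOL, NOP}

# Display names keyed by the 8-bit option type (RFC 791, plus Router Alert from
# RFC 2113). Assumed table, used only to label the parsed records.
OPTION_NAMES = {
    0: "EOOL", 1: "NOP", 7: "RR", 68: "TS", 130: "SEC", 131: "LSRR",
    136: "SID", 137: "SSRR", 148: "RTRALT",
}


@dataclass(frozen=True)
class IPOption:
    type: int            # full 8-bit option-type value
    copied: bool         # bit 7: copy this option into every fragment
    option_class: int    # bits 6-5: 0 = control, 2 = debugging/measurement
    number: int          # bits 4-0
    length: int          # total octets, including type and length octets
    data: bytes          # option-data octets (empty for single-octet options)
    name: str


def parse_ip_options(options: bytes) -> List[IPOption]:
    """Parse an options field (0..40 octets). Raises ValueError if malformed;
    the caller should drop such a packet rather than read past the header."""
    parsed: List[IPOption] = []
    i = 0
    while i < len(options):
        t = options[i]
        copied = bool(t & 0x80)
        option_class = (t >> 5) & 0x03
        number = t & 0x1F
        name = OPTION_NAMES.get(t, f"type-{t}")
        if t in SINGLE_OCTET_TYPES:
            parsed.append(IPOption(t, copied, option_class, number, 1, b"", name))
            if t == EOOL:
                break            # everything after EOOL is padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option type {t} at offset {i} has no length octet")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"option type {t} at offset {i} has bad length {length}")
        parsed.append(IPOption(t, copied, option_class, number, length,
                               bytes(options[i + 2:i + length]), name))
        i += length
    return parsed


def ip_options_from_header(header: bytes) -> bytes:
    """Return the options octets of an IPv4 header, located via the IHL field."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("IHL does not fit the supplied bytes")
    return header[20:ihl]


def has_ip_options(header: bytes) -> bool:
    """The test an ACE that denies every packet carrying IP Options performs."""
    return len(ip_options_from_header(header)) > 0


def is_well_formed(options: bytes) -> bool:
    """True if the field parses without any length running off the end."""
    try:
        parse_ip_options(options)
        return True
    except ValueError:
        return False


# Constructed sample (not a real capture): IPv4 header, IHL 7 (28 octets),
# carrying a Loose Source Route option (type 131) with one hop, then EOOL.
SAMPLE_HEADER = bytes([
    0x47, 0x00, 0x00, 0x1C,   # version 4, IHL 7, TOS 0, total length 28
    0x00, 0x00, 0x00, 0x00,   # identification, flags, fragment offset
    0x40, 0x06, 0x00, 0x00,   # TTL 64, protocol 6 (TCP), checksum left zero
    192, 0, 2, 1,             # source 192.0.2.1
    198, 51, 100, 2,          # destination 198.51.100.2
    0x83, 0x07, 0x04,         # LSRR: type 131, length 7, pointer 4
    10, 0, 0, 1,              # route data: next hop 10.0.0.1
    0x00,                     # EOOL pad to a 32-bit boundary
])

if __name__ == "__main__":
    for opt in parse_ip_options(ip_options_from_header(SAMPLE_HEADER)):
        print(f"{opt.name:6} type={opt.type:3} copied={opt.copied} class={opt.option_class} "
              f"number={opt.number} len={opt.length} data={opt.data.hex()}")
```

The LSRR record decodes to copied=1, class 0, number 3, which is why the option is written as type 131 (0b10000011); a source-routing option is exactly the kind of control function a switch is better off dropping at the ACL than punting to the route processor.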
Benefits of Filtering IP Options
• Filtering packets that contain IP Options out of the network relieves downstream devices and hosts of
the load from options packets.
• This feature also minimizes load on the Route Processor (RP) for packets with IP Options that require
RP processing on distributed systems. Previously, such packets were always routed to or processed by
the RP CPU. Filtering the packets prevents them from impacting the RP.
Benefits of Filtering on TCP Flags
The ACL TCP Flags Filtering feature provides a flexible mechanism for filtering on TCP flags. Previously,
an incoming packet was matched as long as any TCP flag in the packet matched a flag specified in the access
control entry (ACE). This behavior left a security loophole, because a packet with all flags set could
get past the access control list (ACL). The ACL TCP Flags Filtering feature allows you to select any
combination of flags on which to filter. The ability to match on a flag that is set and on a flag that is
not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.
Because TCP packets can be sent as false synchronization packets that a listening port will accept, it
is recommended that administrators of firewall devices set up filtering rules to drop such false TCP packets.
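The TCP flags loophole described above, as an added worked example in Python (this is not code from the Cisco guide). `legacy_match()` models the old behaviour, in which an ACE listing flags matched a packet as soon as any listed flag was set; `flag_match()` models the set/clear filtering the feature adds, following the IOS extended-ACL keywords `match-all` and `match-any` with `+flag` / `-flag` arguments. Both ACLs below share one intent, to permit only return traffic with ACK set, and the example shows that a crafted packet with every flag set (a SYN among them) passes the legacy ACL but not the `match-all +ack -syn` form. The packets are constructed flag octets, and the ACL model and function names are assumptions for this example.

```python
"""Model legacy any-flag TCP matching against match-all / match-any filtering.

Added worked example, not code from the Cisco guide. The ACE model mirrors
the IOS extended-ACL keywords match-all / match-any with +flag / -flag
arguments; packets are constructed flag octets, not captures.
"""
from typing import Callable, FrozenSet, List, Tuple

# Flag bits of the TCP header's 13th octet (RFC 793; ECE/CWR from RFC 3168).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}

Flags = FrozenSet[str]


def flags_of(flag_byte: int) -> Flags:
    """Decode a flag octet into the set of flag names that are set."""
    return frozenset(n for n, bit in TCP_FLAGS.items() if flag_byte & bit)


def legacy_match(pkt: Flags, listed: Flags) -> bool:
    """Old behaviour: the ACE matches when ANY listed flag is set in the packet."""
    return bool(pkt & listed)


def flag_match(pkt: Flags, mode: str, plus: Flags, minus: Flags) -> bool:
    """match-all: every +flag is set AND every -flag is clear.
    match-any: at least one +flag is set OR at least one -flag is clear.
    Flags listed in neither set are ignored."""
    conditions = [f in pkt for f in plus] + [f not in pkt for f in minus]
    if mode == "match-all":
        return all(conditions)
    if mode == "match-any":
        return any(conditions)
    raise ValueError(f"unknown mode {mode!r}")


# An ACL is an ordered list of (action, matcher); first match wins, implicit deny.
ACE = Tuple[str, Callable[[Flags], bool]]


def evaluate_acl(flag_byte: int, acl: List[ACE]) -> str:
    pkt = flags_of(flag_byte)
    for action, matcher in acl:
        if matcher(pkt):
            return action
    return "deny"


# Intent of both ACLs: permit only return traffic (ACK set) toward the inside.
# The legacy form lists the flag; with any-flag semantics it permits too much.
LEGACY_ACL: List[ACE] = [
    ("permit", lambda p: legacy_match(p, frozenset({"ack"}))),
]
# Same intent with the feature: ACK must be set AND SYN must be clear,
# i.e. the semantics of an ACE written as `match-all +ack -syn`.
STRICT_ACL: List[ACE] = [
    ("permit", lambda p: flag_match(p, "match-all", frozenset({"ack"}), frozenset({"syn"}))),
]

# Constructed packets (flag octet only).
ALL_FLAGS_SET = 0xFF   # the "false synchronization" packet: SYN plus every other flag
PLAIN_ACK = 0x10       # ordinary return traffic
SYN_ONLY = 0x02        # a genuine new connection attempt


def compare(flag_byte: int) -> Tuple[str, str]:
    """(legacy verdict, match-all verdict) for one packet."""
    return evaluate_acl(flag_byte, LEGACY_ACL), evaluate_acl(flag_byte, STRICT_ACL)


if __name__ == "__main__":
    for name, fb in (("ALL_FLAGS_SET", ALL_FLAGS_SET), ("PLAIN_ACK", PLAIN_ACK), ("SYN_ONLY", SYN_ONLY)):
        legacy, strict = compare(fb)
        print(f"{name:14} flags={sorted(flags_of(fb))} legacy={legacy} match-all={strict}")
```

The point to take from the output is that ordinary ACK traffic is permitted by both ACLs, so the stricter form costs nothing for legitimate sessions, while the all-flags packet is only stopped once the ACE can also require that SYN be clear.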
