IP packets can carry route options, including the route-alert option, route-record option, source-route option, and timestamp option. These route options are used to diagnose network paths and temporarily transmit special services. Attackers, however, can use these options to probe the network structure in preparation for attacks, which degrades network security and switch performance. To solve this problem, you can configure the switch to discard IP packets that carry route options.
The system view is displayed.
The interface view is displayed.
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.
Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support switching between Layer 2 and Layer 3 modes.
Run discard ra
The interface is configured to discard IP packets with route-alert options.
Run discard rr
The interface is configured to discard IP packets with record-route options.
Run discard srr
The interface is configured to discard IP packets with source-route options.
Run discard ts
The interface is configured to discard IP packets with time-stamp options.
By default, the device processes packets sent to the CPU based on route options contained in these packets.
The discard { ra | rr | srr | ts } command takes effect only for packets on inbound interfaces.
The discard { ra | rr | srr | ts } command takes effect only for packets sent to the CPU. Packets that are not sent to the CPU are processed and forwarded in the same way as packets without route options, regardless of whether the discard { ra | rr | srr | ts } command is configured.
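To check which of these keywords a captured packet would match before enabling the discard commands, the following added example (not code from the vendor documentation) walks the IPv4 header options and reports the matching keywords. The option type numbers come from RFC 791 and RFC 2113; treating both loose and strict source route as srr is an assumption, and the sample headers are constructed.

```python
import struct

# IPv4 option type octets mapped to the page's discard keywords.
# Assumption: "srr" covers both loose and strict source route.
OPTION_KEYWORD = {
    148: "ra",   # Router Alert (RFC 2113)
    7:   "rr",   # Record Route
    131: "srr",  # Loose Source and Record Route
    137: "srr",  # Strict Source and Record Route
    68:  "ts",   # Internet Timestamp
}

def route_options(packet: bytes) -> set:
    """Return the discard keywords matched by the options in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad header length")
    opts = packet[20:header_len]
    found, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List: the rest is padding
            break
        if kind == 1:          # No-Operation is a single octet
            i += 1
            continue
        # Every other option carries a length octet covering type and length.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        if kind in OPTION_KEYWORD:
            found.add(OPTION_KEYWORD[kind])
        i += opts[i + 1]
    return found

def build_header(options: bytes) -> bytes:
    """Constructed sample: IPv4 header (checksum left at 0) plus options."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 1, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1])) + options

# Constructed option encodings (type, length, then option data).
ROUTER_ALERT = bytes([148, 4, 0, 0])
RECORD_ROUTE = bytes([7, 7, 4, 0, 0, 0, 0])
LOOSE_SRR = bytes([131, 7, 4, 198, 51, 100, 9])
TIMESTAMP = bytes([68, 8, 5, 0, 0, 0, 0, 0])
```

Running it over a capture from the inbound interface shows how much legitimate traffic (for example protocols that rely on router alert) each discard keyword would affect.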