The discard { ra | rr | srr | ts } command configures the device to discard the packets that contain the route alert option, route record option, source route option, or timestamp option on interfaces.
The undo discard { ra | rr | srr | ts } command configures the device to process the packets that contain the route alert option, route record option, source route option, or timestamp option on interfaces.
By default, the device processes packets sent to the CPU based on route options contained in these packets.
Usage Scenario
IP packets can carry route options including the route alert option (ra), route record option (rr), source route option (srr), and timestamp option (ts).
These route options are used to diagnose network paths and to temporarily carry special services. Attackers, however, can use these options to probe the network structure before initiating attacks, which degrades network security and device performance. To prevent this, run the discard { ra | rr | srr | ts } command to configure the device to discard the IP packets that contain the specified route options.
Precautions
The discard { ra | rr | srr | ts } command takes effect only for packets on inbound interfaces.
The discard { ra | rr | srr | ts } command takes effect only for packets sent to the CPU. Packets that are not sent to the CPU are processed and forwarded in the same way as packets without route options, regardless of whether the discard { ra | rr | srr | ts } command is configured.
# Configure the device to discard the packets that contain the route alert option on the interface VLANIF100.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] discard ra
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] discard ra