[c-nsp] IP Options Drop

Saku Ytti saku at ytti.fi
Mon Apr 21 06:47:56 EDT 2014


On (2014-04-21 10:09 +0000), Dobbins, Roland wrote:

> > It's RP only, it's a cross-platform feature. That is, the RP receives IP options like it normally does, but will always drop them.

> Does Sup2T/DFC4 drop options on the linecard?  How about ip options ignore?

Unsure. But you no longer need 'mls ratelimit' in PFC4, as ACL match has
been greatly enhanced, IP options being one new classification available. So
you could police IP options from your core loopbacks in a separate policer from
all other IP options.

> Note to OP:  traceroute uses options . . . . you're far better off rate-limiting the punted packets than dropping them.

While some traceroute programs do support IP options, it's very rare for people
to use IP options while tracerouting.
On very rare occasions I've been able to tell a network multiple hops away that
this-and-this device in their network has a hardware/software programming
mismatch, due to IP options traceroute/ping working and non-IP-options not
working.

-- 
  ++ytti

