Security Command Reference
Page 96 7705 SAR OS System Management Guide
ip-option
Syntax ip-option ip-option-value [ip-option-mask]
no ip-option
Context config>system>security>cpm-filter>ip-filter>entry>match
Description This command configures an IP filter match criterion that matches packets carrying a specific
IP option, or a range of IP options, in the IP header.
The option type octet contains 3 fields:
• 1 bit copied flag (copy options in all fragments)
• 2 bits option class
• 5 bits option number
The no form of the command removes the match criterion.
Default no ip-option
Parameters ip-option-value — the 8-bit option type (can be entered using decimal, hexadecimal, or binary
formats). The mask is applied as an AND to the option byte and the result is compared with the
option value.
The decimal value entered for the match should be a combined value of the 8-bit option type field
and not just the option number. Therefore, to match on IP packets that contain the Router Alert
option (option number = 20), enter the option type of 148 (10010100).
Values 0 to 255
ip-option-mask — specifies a range of option numbers to use as the match criteria
This 8-bit mask can be entered using decimal, hexadecimal, or binary formats as shown in the
table below.
Default 255 (decimal) (exact match)
Values 0 to 255
Format Style    Format Syntax    Example
Decimal         DDD              20
Hexadecimal     0xHH             0x14
Binary          0bBBBBBBBB       0b0010100
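
The following added example (not part of the guide and not Nokia code) models the value/mask rule described above and shows why the Router Alert option must be entered as 148 rather than 20. All function names and the sample option bytes are constructed for illustration; treating an entry as matched when any option in the header matches is an assumption, since the page does not state it.

```python
# Added example (not Nokia code): models the ip-option value/mask rule.

def parse_cli_byte(text):
    """Parse an 8-bit value given as DDD, 0xHH or 0bBBBBBBBB."""
    t = text.strip().lower()
    base = 16 if t.startswith("0x") else 2 if t.startswith("0b") else 10
    value = int(t[2:] if base != 10 else t, base)
    if not 0 <= value <= 255:
        raise ValueError(f"{text!r} is outside 0 to 255")
    return value

def option_type(copied, opt_class, number):
    """Combine copied flag (1 bit), class (2 bits), number (5 bits)."""
    if copied not in (0, 1) or not 0 <= opt_class <= 3 or not 0 <= number <= 31:
        raise ValueError("field out of range")
    return (copied << 7) | (opt_class << 5) | number

def entry_matches(octet, value, mask=255):
    """AND the mask with the option byte, then compare with the value."""
    return (octet & mask) == value

def option_types(options):
    """Return the option type octets found in raw IPv4 header option bytes."""
    found, i = [], 0
    while i < len(options) and options[i] != 0:    # 0 = End of Option List
        found.append(options[i])
        if options[i] == 1:                        # 1 = No Operation, one byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                  # malformed length, stop
        i += options[i + 1]                        # skip type, length, data
    return found

def header_matches(options, value, mask=255):
    # Assumption: an entry matches if any option in the header matches.
    return any(entry_matches(o, value, mask) for o in option_types(options))

# Constructed sample: Router Alert option (type 148, length 4, value 0).
ROUTER_ALERT = bytes([148, 4, 0, 0])
# Constructed sample: NOP, then option number 20 with the copied flag clear.
NOT_COPIED_20 = bytes([1, 20, 3, 0])

if __name__ == "__main__":
    print(header_matches(ROUTER_ALERT, parse_cli_byte("148")))       # exact match
    print(header_matches(ROUTER_ALERT, parse_cli_byte("20")))        # number only
    print(header_matches(ROUTER_ALERT, parse_cli_byte("20"), 0x1F))  # masked
```

With the default mask of 255, the value 20 does not match a Router Alert packet. A mask of 0x1F compares only the 5-bit option number, so it also matches option number 20 with any copied flag or class.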