Example: Blocking Packets with Either a Loose or a Strict Source Route Option Set
This example shows how to block packets with either a loose or a strict source route option set.
Requirements
Before you begin, understand how IP source route options work. See Understanding IP Source Route Options.
Overview
Source routing allows users at the source of an IP packet transmission to specify the IP addresses of the devices (also referred to as “hops”) along the path that they want an IP packet to take on its way to its destination. The original intent of the IP source route options was to provide routing control tools to aid diagnostic analysis.
You can enable the device to either block any packets with loose or strict source route options set or detect such packets and then record the event in the counters list for the ingress interface.
In this example, you create a screen called screen-1 to block packets with either a loose or a strict source route option set, and you enable the screen in the zone-1 security zone.
Configuration
Step-by-Step Procedure
To block packets with either the loose or the strict source route option set:
- Configure the screen.
  [edit]
  user@host# set security screen ids-option screen-1 ip source-route-option
- Enable the screen in the security zone.
  [edit]
  user@host# set security zones security-zone zone-1 screen screen-1
- If you are done configuring the device, commit the configuration.
  [edit]
  user@host# commit
Verification
To verify the configuration is working properly, enter the show security screen command.