Example: Detecting Packets with Either a Loose or a Strict Source Route Option Set

This example shows how to detect packets with either a loose or a strict source route option set.

Requirements

Before you begin, understand how IP source route options work. See Understanding IP Source Route Options.

Overview

Source routing allows users at the source of an IP packet transmission to specify the IP addresses of the devices (also referred to as “hops”) along the path that they want an IP packet to take on its way to its destination. The original intent of the IP source route options was to provide routing control tools to aid diagnostic analysis.

You can enable the device to either block any packets with loose or strict source route options set or detect such packets and then record the event in the counters list for the ingress interface.
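The following is an added example, not code from the Junos documentation or from Juniper, that shows at the packet level what the screen inspects: a small parser walks the IPv4 options field and classifies a loose (type 131) or strict (type 137) source route option. The packet builder, the hop addresses and the counter dictionary are constructed here for illustration only.

```python
import struct
from typing import Iterable, List, Optional

IPOPT_EOL, IPOPT_NOP = 0, 1        # single-byte options (RFC 791)
IPOPT_LSRR, IPOPT_SSRR = 131, 137  # loose (0x83) and strict (0x89) source route


def source_route_option(packet: bytes) -> Optional[str]:
    """Return 'loose', 'strict', or None for the source route option in an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4; the screen covers IPv4 only
    ihl = (packet[0] & 0x0F) * 4         # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None                      # malformed header length
    opts = packet[20:ihl]                # options follow the fixed 20-byte header
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            break                        # truncated option: no length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                        # malformed length: stop parsing safely
        if opt_type == IPOPT_LSRR:
            return "loose"
        if opt_type == IPOPT_SSRR:
            return "strict"
        i += length
    return None


def count_source_routed(packets: Iterable[bytes]) -> dict:
    """Tally packets per option kind, the way an ingress-interface counter would."""
    counts = {"loose": 0, "strict": 0}
    for pkt in packets:
        kind = source_route_option(pkt)
        if kind:
            counts[kind] += 1
    return counts


def build_ipv4_with_route(option_type: int, hops: List[str]) -> bytes:
    """Construct a minimal IPv4 header carrying a route option (test input, constructed)."""
    route = b"".join(bytes(int(o) for o in h.split(".")) for h in hops)
    opt = bytes([option_type, 3 + len(route), 4]) + route   # type, length, pointer=4
    opt += b"\x00" * (-len(opt) % 4)                        # pad to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opt), 0, 0,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])) + opt
```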

In this example, you create two screens called screen-1 and screen-2 to detect and record, but not block, packets with a loose or strict source route option set, and you enable the screens in the zone-1 security zone.

Configuration

Step-by-Step Procedure

To detect and record, but not block, packets with a loose or strict source route option set:

  1. Configure the loose source route screen.
     [edit]
     user@host# set security screen ids-option screen-1 ip loose-source-route-option
  2. Configure the strict source route screen.
     [edit]
     user@host# set security screen ids-option screen-2 ip strict-source-route-option

     Note: Currently, this screen option supports IPv4 only.

  3. Enable the screens in the zone-1 security zone.
     [edit]
     user@host# set security zones security-zone zone-1 screen screen-2
  4. If you are done configuring the device, commit the configuration.
     [edit]
     user@host# commit

Verification

To verify that the configuration is working properly, enter the show security screen command.