Solved: ISR & ASR default behavior with strict and loose source routing

riad1990new · ‎02-27-2024

Hi,

Do Cisco ISR and ASR routers process IP packets with IP options for strict and loose source routing by default? For example, an external source to my network can send packets with loose source routing option and my router would actually route the traffic based on the values specified in that option's field?

If Cisco routers do process packets with these options by default, can we disable this routing feature?

And some other questions please:

1- Can we strip these IP options from packets?

2- How does this work with CEF? I would imagine that the router will not process switch packets, so it would most likely ignore the IP options fields and simply forward the packet based on the destination IP address field.

Note: I don't have access to a Cisco router to test this at the moment.

Thanks,
Riad.

Joseph W. Doherty · ‎02-27-2024

"Do Cisco ISR and ASR routers process IP packets with IP options for strict and loose source routing by default?"

I believe so, although it's the kind of option Cisco may eventually change the default.

"If Cisco routers do process packets with these options by default, can we disable this routing feature?"

Yes,

no ip source-route

(as also earlier noted by @Ruben Cocheno).

"1- Can we strip these IP options from packets?"

On a Cisco router or switch, don't believe so.

"2- How does this work with CEF? I would imagine that the router will not process switch packets, so it would most likely ignore the IP options fields and simply forward the packet based on the destination IP address field."

I've used source routing for some types of network performance analysis, it worked; believe Cisco routers it transited were CEF enabled. Cannot say whether routers had to process switch, but for my analysis, I was only doing one packet at a time, so no discernable impact to transit routers.

View solution in original post

Ruben Cocheno · ‎02-27-2024

@riad1990new

Almost all routers that I've configured for customers have the Ip Source orute enabled by default, so i disable it. It is very rare to find any situation where that functionality is needed and the security implications of it are negative.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Joseph W. Doherty · ‎02-27-2024

"Do Cisco ISR and ASR routers process IP packets with IP options for strict and loose source routing by default?"

I believe so, although it's the kind of option Cisco may eventually change the default.

"If Cisco routers do process packets with these options by default, can we disable this routing feature?"

Yes,

no ip source-route

(as also earlier noted by @Ruben Cocheno).

"1- Can we strip these IP options from packets?"

On a Cisco router or switch, don't believe so.

"2- How does this work with CEF? I would imagine that the router will not process switch packets, so it would most likely ignore the IP options fields and simply forward the packet based on the destination IP address field."

I've used source routing for some types of network performance analysis, it worked; believe Cisco routers it transited were CEF enabled. Cannot say whether routers had to process switch, but for my analysis, I was only doing one packet at a time, so no discernable impact to transit routers.

Harold Ritter · ‎02-27-2024

Hi @Joseph W. Doherty ,

As far as I know, IOS-XE has

ip source-route

disabled by default for a long time.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Joseph W. Doherty · ‎02-27-2024

Thank you. My (dated) experience was mostly pre-XE. Laugh, though, then default setting may have changed, as I thought it might.