I am trying to filter all IP options as shown in the Cisco Guide to Harden Cisco IOS Devices.
When I implemented the ACE:
deny ip any any option any-options
I s-l-o-w-e-d all traffic through my uplink. I used it on the inbound and outbound uplink lists.
I haven't found a way to identify whether or not my packets have options. I have a NAM. The packets have values in the 21st byte of the packets, typically 05, 17, 19, or 0d. The 21st byte is the first byte of the TCP header. Is this byte showing me info about the options?
Another method of blocking options uses the global config command:
Router (config)# ip options drop
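Whether an IPv4 packet carries options is decided by the IHL field (low nibble of the first header byte): the header is IHL*4 bytes long, IHL 5 means a bare 20-byte header with no options, and anything larger means options occupy bytes 20 through IHL*4-1, pushing the TCP/UDP header to that later offset. The 21st byte (offset 20) is therefore the high byte of the TCP source port only when IHL is 5; with options present it is the first option type code. The parser below is an added example, not code from the original post or from Cisco; the sample packets (addresses in the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, zero checksums, a TCP SYN with source port 0x0516) are constructed inline so it runs offline, and `build_ipv4` is a hypothetical helper that exists only to build them.

```python
import struct

# Well-known IPv4 option type codes (RFC 791 and the IANA registry), for labelling only.
_OPTION_NAMES = {
    0: "end-of-option-list",
    1: "no-operation",
    7: "record-route",
    68: "timestamp",
    131: "loose-source-route",
    137: "strict-source-route",
    148: "router-alert",
}
_SINGLE_BYTE = {0, 1}  # EOL and NOP have no length byte


def parse_ipv4_options(packet: bytes) -> dict:
    """Decode the IHL, list the options, and report where the L4 header starts."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError(f"invalid IHL {ihl}")
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("IHL points past end of packet")
    options, off = [], 20
    while off < header_len:                      # options live in bytes 20 .. header_len-1
        opt_type = packet[off]
        if opt_type in _SINGLE_BYTE:
            options.append((opt_type, _OPTION_NAMES[opt_type], b""))
            off += 1
            if opt_type == 0:                    # EOL: rest of the option area is padding
                break
            continue
        if off + 1 >= header_len:
            raise ValueError("option missing length byte")
        opt_len = packet[off + 1]
        if opt_len < 2 or off + opt_len > header_len:
            raise ValueError(f"bad length {opt_len} for option type {opt_type}")
        options.append((opt_type, _OPTION_NAMES.get(opt_type, "unknown"), packet[off + 2:off + opt_len]))
        off += opt_len
    return {
        "ihl": ihl,
        "header_len": header_len,
        "has_options": ihl > 5,                  # what 'option any-options' keys on
        "protocol": packet[9],
        "options": options,
        "l4_offset": header_len,                 # TCP/UDP header starts here, not at 20
        "byte21": packet[20] if len(packet) > 20 else None,
    }


def build_ipv4(payload: bytes, options: bytes = b"", protocol: int = 6) -> bytes:
    """Hypothetical helper: build a minimal IPv4 header around payload (checksum left 0)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad option area to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0x4000, 64, protocol, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + options + payload


# Constructed sample data: a 20-byte TCP SYN, source port 0x0516, destination port 80.
TCP_SYN = struct.pack("!HHIIBBHHH", 0x0516, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
PKT_PLAIN = build_ipv4(TCP_SYN)                                   # IHL 5, no options
PKT_RR = build_ipv4(TCP_SYN, b"\x07\x07\x04" + b"\x00" * 4)       # record-route, IHL 7
PKT_RA = build_ipv4(TCP_SYN, b"\x94\x04\x00\x00")                 # router-alert, IHL 6

if __name__ == "__main__":
    for name, pkt in (("plain", PKT_PLAIN), ("record-route", PKT_RR), ("router-alert", PKT_RA)):
        r = parse_ipv4_options(pkt)
        print(f"{name:13s} IHL={r['ihl']} options={r['has_options']} "
              f"byte21=0x{r['byte21']:02x} l4_offset={r['l4_offset']} "
              f"types={[o[1] for o in r['options']]}")
```

Running it shows that in the plain packet byte 21 is 0x05 (the high byte of the TCP source port) while in the record-route packet the same position holds the option type 7 and the TCP header has moved to offset 28; a capture filter or NAM display that decodes the IHL, rather than a fixed offset, is what tells the two apart.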