From: alfred zhang (alfredzh@xxxxxxxxxxxxxxxxx)
Date: Wed Oct 13 1999 - 03:53:02 GMT-3
Hi,
This is my environment. I have three routers.
router A----------------------router B-------------------------router C
Router A is connected to router B through the interface ethernet0. Router B
is connected to router C through serial0. Router A's e0 address is
132.148.16.5/24. Router B's e0 address is 132.148.16.22. Router B's s0 address is
132.148.158.22. Router C's s0 address is 132.148.158.9. On router C, I use the
command "traceroute 132.148.16.5". The output is below:
RouterC# traceroute 132.148.16.5
Type escape sequence to abort.
Tracing the route to 132.148.16.5
1 132.148.158.22 20 msec 16 msec 20 msec
2 132.148.16.5 24 msec 20 msec *
I want to deny router C's traceroute to 132.148.16.5. So I configure the access-list
on router B. But I don't know which port the traceroute command uses. I configure
router B:
int e0
ip access-group 102 out
!
access-list 102 permit udp host 132.148.158.9 host 132.148.16.5 log
When I use the command "traceroute 132.148.16.5" on router C, the output on
router B is below:
%SEC-6-IPACCESSLOGP: list 102 permitted udp 132.148.158.9(0) ->
132.148.16.5(0),3 packets
I don't know the UDP port number from the output. What's wrong?
Any help will be appreciated.
Thanks.
alfred zhang
Joe Soricelli wrote:
> Answers below.
> ------------------------------------------------------------------
> Joseph M. Soricelli, CCIE #4803, CCNP, CCSI #20666
> EMAIL: jsoricelli@ccci.com
>
> Chesapeake Network Solutions
> 8110 Gatehouse Road, Suite 101E Phone: (703) 207-0757
> Falls Church, VA 22042 Fax: (703) 207-0441
>
> FYI - About Chesapeake: We are a Cisco Certified Training and
> professional services partner. We offer most of the Cisco
> training courses as well as training for Fore, NetScout, and
> CheckPoint-1 Firewalls. We provide network consulting services,
> including design, network health, management, firewall,
> and problem solving. We now have 23 CCIEs on our staff
> of instructor/consultants.
> -------------------------------------------------------------------
>
> -----Original Message-----
> From: alfred zhang <alfredzh@public1.ptt.js.cn>
> To: ccielab@groupstudy.com <ccielab@groupstudy.com>
> Date: Thursday, October 07, 1999 3:00 AM
> Subject: "apple distribute-list in/out "command
>
> >hi,
> >
> > I have two problems.
> >i.) How to use the command "appletalk distribute-list in/out" in an
> >appletalk eigrp interface? After I enter this command in the appletalk eigrp
> >interface, I find that there is no change. I must reload the router in
> >order to influence the appletalk route. WHY?
>
> Reloading the router just shortens the process. After the list is applied,
> it has taken effect but AT takes a LONG time to resolve to the new
> information. Either be patient or reload. As a side note, I found this
> helpful when preparing for my lab. Get AT running without any filters in
> place to make sure that everything is as it should be. Then configure all
> the filters you need to in your rack. Once you are confident that
> everything is configured and positioned as you would like it, reload the
> whole pod.
>
> >ii.) How to deny traceroute packets?
>
> Assuming we are talking about a "standard" Cisco traceroute: It is a UDP
> packet that uses a "random" high port number. If you put an extended
> access-list on an interface that permits the explicit source and destination
> and then logs it, you can see the port. In application however, the port
> number always starts at 33434 and goes up for each packet that goes out.
> You can also see this by doing an extended trace.
>
> >
> >Any help will be appreciated.
> >
> >alfred zhang
> >99/10/7
> >
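
Added example, not part of the original thread: it takes the port numbering described in the reply (first probe to UDP 33434, one port higher per packet), renders an access-list 102 that denies the whole probe range from router C to router A, and checks every probe against it with first-match evaluation, next to the list as posted. The 30-hop and 3-probe figures are assumed IOS traceroute defaults not stated in the thread, and all function names are hypothetical.

```python
BASE_PORT = 33434                 # first probe port, per the reply
MAX_TTL, PROBES = 30, 3           # assumption: IOS traceroute defaults
SRC, DST = "132.148.158.9", "132.148.16.5"   # router C s0 -> router A e0

def probe_ports(max_ttl=MAX_TTL, probes=PROBES, base=BASE_PORT):
    """Destination port of each probe; the port goes up by one per packet."""
    return [base + n for n in range(max_ttl * probes)]

def deny_acl(number=102):
    """Entries (action, proto, src, dst, low port, high port) covering every probe."""
    ports = probe_ports()
    return number, [
        ("deny", "udp", SRC, DST, ports[0], ports[-1]),
        ("permit", "ip", None, None, None, None),   # keep other traffic flowing
    ]

def to_ios(number, entries):
    """Render entries as IOS extended access-list lines."""
    lines = []
    for action, proto, src, dst, lo, hi in entries:
        s = f"host {src}" if src else "any"
        d = f"host {dst}" if dst else "any"
        ports = f" range {lo} {hi}" if lo is not None else ""
        log = " log" if action == "deny" else ""
        lines.append(f"access-list {number} {action} {proto} {s} {d}{ports}{log}")
    return lines

def evaluate(entries, proto, src, dst, dport):
    """IOS semantics: first matching entry wins, no match is an implicit deny."""
    for action, e_proto, e_src, e_dst, lo, hi in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if (e_src and e_src != src) or (e_dst and e_dst != dst):
            continue
        if lo is not None and not lo <= dport <= hi:
            continue
        return action
    return "deny"

# The list as posted in the message: one permit entry, no port match.
POSTED = [("permit", "udp", SRC, DST, None, None)]

if __name__ == "__main__":
    number, entries = deny_acl()
    print("\n".join(to_ios(number, entries)))
    hits = [p for p in probe_ports() if evaluate(entries, "udp", SRC, DST, p) == "deny"]
    print(f"{len(hits)} of {len(probe_ports())} probes denied")
```

The range is sized for the case where every probe up to the maximum TTL is sent, which is wider than the handful of ports a two-hop trace uses when it succeeds.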