From: alfred zhang (alfredzh@xxxxxxxxxxxxxxxxx)
Date: Thu Oct 14 1999 - 04:09:40 GMT-3
   
Alan,
  If I use an access list with ICMP, I must configure the command "ip access-group
in" on router B's E0 interface. I want to deny the traceroute with the command
"ip access-group out" on router B's e0 interface.
 Alfred Zhang
Alan Melick wrote:
> Alfred,
>
> Try your access list with ICMP's.  I thought traceroute uses ICMP echo packets
> with ttl's.
>
> ---Alan Melick
>
> -----Original Message-----
> From:   alfred zhang [SMTP:alfredzh@public1.ptt.js.cn]
> Sent:   Wednesday, October 13, 1999 2:53 AM
> To:     Joe Soricelli
> Cc:     ccielab@groupstudy.com
> Subject:        Re: "apple distribute-list in/out "command
>
> Hi,
>
>    This is my environment. I have three routers.
>
>     router A----------------------router B-------------------------router C
>
>    Router A connects to router B through the interface ethernet0. Router B
> connects to router C through serial0. Router A's e0 address is
> 132.148.16.5/24. Router B's e0 address is 132.148.16.22. Router B's s0 address is
> 132.148.158.22. Router C's s0 address is 132.148.158.9. In router C, I use the
> command "traceroute 132.148.16.5". The output is below:
>
> RouterC# traceroute 132.148.16.5
>
> Type escape sequence to abort.
> Tracing the route to 132.148.16.5
>
>   1  132.148.158.22 20 msec 16 msec 20 msec
>   2  132.148.16.5 24 msec 20 msec *
> I want to deny router C's traceroute to 132.148.16.5. So I configure the access-list
> in router B. But I don't know which port the traceroute command uses. I configure
> router B:
>
>       int e0
>       ip access-group 102 out
>       !
>       access-list 102 permit udp host 132.148.158.9 host 132.148.16.5 log
>
> When I use the command "traceroute 132.148.16.5" in router C,the output of
> router B is below:
>
>     %SEC-6-IPACCESSLOGP: list 102 permitted udp 132.148.158.9(0) ->
> 132.148.16.5(0),3 packets
>
>  I don't know the UDP port number from the output. What's wrong?
>
> Any help will be appreciated.
>
> Thanks.
> alfred zhang
>
> Joe Soricelli wrote:
>
> > Answers below.
> > ------------------------------------------------------------------
> >   Joseph M. Soricelli,   CCIE #4803, CCNP, CCSI #20666
> >   EMAIL: jsoricelli@ccci.com
> >
> >   Chesapeake Network Solutions
> >   8110 Gatehouse Road, Suite 101E     Phone: (703) 207-0757
> >   Falls Church, VA  22042                      Fax:   (703) 207-0441
> >
> >   FYI -  About Chesapeake: We are a Cisco Certified Training and
> >   professional services partner. We offer most of the Cisco
> >   training courses as well as training for Fore, NetScout, and
> >   CheckPoint-1 Firewalls. We provide network consulting services,
> >   including design, network health, management, firewall,
> >   and problem solving. We now have 23 CCIEs on our staff
> >   of instructor/consultants.
> > -------------------------------------------------------------------
> >
> > -----Original Message-----
> > From: alfred zhang <alfredzh@public1.ptt.js.cn>
> > To: ccielab@groupstudy.com <ccielab@groupstudy.com>
> > Date: Thursday, October 07, 1999 3:00 AM
> > Subject: "apple distribute-list in/out "command
> >
> > >hi,
> > >
> > >  I have two problems .
> > >i.) How do I use the command "appletalk distribute-list in/out" in an
> > >appletalk eigrp interface? After I enter this command in an appletalk eigrp
> > >interface, I find that there is no change. I must reload the router in
> > >order to influence the appletalk route. WHY?
> >
> > Reloading the router just shortens the process.  After the list is applied,
> > it has taken effect but AT takes a LONG time to resolve to the new
> > information.  Either be patient or reload.  As a side note, I found this
> > helpful when preparing for my lab.  Get AT running without any filters in
> > place to make sure that everything is as it should be.  Then configure all
> > the filters you need to in your rack.  Once you are confident that
> > everything is configured and positioned as you would like it, reload the
> > whole pod.
> >
> > >ii.) How do I deny traceroute packets?
> >
> > Assuming we are talking about a "standard" Cisco traceroute:  It is a UDP
> > packet that uses a "random" high port number.  If you put an extended
> > access-list on an interface that permits the explicit source and destination
> > and then logs it, you can see the port.  In application however, the port
> > number always starts at 33434 and goes up for each packet that goes out.
> > You can also see this by doing an extended trace.
> >
> > >
> > >Any help will be appreciated.
> > >
> > >alfred zhang
> > >99/10/7
> > >
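Added example (not written by anyone in this thread): a small Python model of the extended-ACL matching the replies describe, run over the UDP probes a classic traceroute sends, whose destination port starts at 33434 and rises by one per probe. It evaluates the list Alfred applied (which permits every probe) beside an assumed list that denies the 33434-33534 probe range and permits everything else; the hosts come from the thread's topology, the port range is an assumption, wildcard masks and other ACE options are not modelled, and the "log" keyword is parsed but does not affect the verdict.

```python
from dataclasses import dataclass

TRACEROUTE_BASE_PORT = 33434  # first UDP destination port a classic traceroute probe uses

@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "udp" or "ip" (ip matches every protocol)
    src: str             # host address or "any"
    dst: str
    port_lo: int = 0     # destination-port range; 0..65535 means any port
    port_hi: int = 65535

def parse_ace(text):
    """Parse a minimal extended ACE: access-list N {permit|deny} PROTO SRC DST [eq P|range LO HI] [log]."""
    tok, pos = text.split(), 4            # tok[0]='access-list', tok[1]=list number

    def addr():                           # consume 'any' or 'host X'
        nonlocal pos
        pos += 1 if tok[pos] == "any" else 2
        return "any" if tok[pos - 1] == "any" else tok[pos - 1]

    action, proto, src, dst = tok[2], tok[3], addr(), addr()
    lo, hi = 0, 65535
    if pos < len(tok) and tok[pos] == "eq":
        lo = hi = int(tok[pos + 1])
    elif pos < len(tok) and tok[pos] == "range":
        lo, hi = int(tok[pos + 1]), int(tok[pos + 2])
    return Ace(action, proto, src, dst, lo, hi)   # a trailing 'log' keyword only affects logging

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; every Cisco ACL ends with an implicit deny."""
    for a in acl:
        if (a.proto in ("ip", proto) and a.src in ("any", src)
                and a.dst in ("any", dst) and a.port_lo <= dport <= a.port_hi):
            return a.action
    return "deny"

def traceroute_probes(src, dst, count):
    """(proto, src, dst, dport) tuples for UDP probes: port starts at 33434, +1 per probe."""
    return [("udp", src, dst, TRACEROUTE_BASE_PORT + n) for n in range(count)]

# The list from the thread (permits every probe) beside an assumed list that drops the probe port range.
ACL_THREAD = [parse_ace("access-list 102 permit udp host 132.148.158.9 host 132.148.16.5 log")]
ACL_BLOCK = [parse_ace("access-list 102 deny udp host 132.148.158.9 host 132.148.16.5 range 33434 33534 log"),
             parse_ace("access-list 102 permit ip any any")]

def verdicts(acl, probes=6):
    """Verdict per probe of a traceroute from router C (s0 address) toward router A (e0 address)."""
    return [evaluate(acl, *p) for p in traceroute_probes("132.148.158.9", "132.148.16.5", probes)]
```

An outbound list on router B's e0 only sees probes that B forwards, so the probes that expire at B itself (hop 1 in the trace) are not affected by it.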
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:52 GMT-3