From: Schmitt, Gregory (Gregory.Schmitt@xxxxxxxxxx)
Date: Thu Oct 14 1999 - 22:47:29 GMT-3
All,
From "Troubleshooting TCP/IP"
(http://127.0.0.1:8080/cc/td/doc/cisintwk/itg_v1/itg_ip.htm on your Cisco
CD-ROM) they mention:
... the default ports used by the trace application (UDP ports 33434 and
above),...
Your access list could be something like:
access-list 110 deny udp any host 132.148.16.5 gt 33433
You can test this with an access-group statement like:
access-group 110 out log
and use "logging buffer"
Hope this helps,
Greg Schmitt
Network Technology Consultant
COMPAQ Federal LLC
6406 Ivy Lane
Greenbelt, MD 20770
Voice: 410-349-9772
Pager: 800-759-8888 PIN 1232801
Or http://www.skytel.com/Paging/pageme.cgi?pin=1232801,1
> ----------
> From: alfred zhang[SMTP:alfredzh@public1.ptt.js.cn]
> Reply To: alfred zhang
> Sent: Thursday, October 14, 1999 3:09 AM
> To: Alan Melick
> Cc: ccielab@groupstudy.com
> Subject: Re: "apple distribute-list in/out "command
>
> Alan,
>
> If I use an access list with ICMP, I must configure the command "ip
> access-group in" on router B's E0 interface. I want to deny the traceroute
> with the command "ip access-group out" on router B's e0 interface.
>
> Alfred Zhang
>
> Alan Melick wrote:
>
> > Alfred,
> >
> > Try your access list with ICMP. I thought traceroute uses ICMP echo
> > packets with TTLs.
> >
> > ---Alan Melick
> >
> > -----Original Message-----
> > From: alfred zhang [SMTP:alfredzh@public1.ptt.js.cn]
> > Sent: Wednesday, October 13, 1999 2:53 AM
> > To: Joe Soricelli
> > Cc: ccielab@groupstudy.com
> > Subject: Re: "apple distribute-list in/out "command
> >
> > Hi,
> >
> > This is my environment. I have three routers.
> >
> > router A----------------------router B-------------------------router C
> >
> > Router A is connected to router B through interface ethernet0. Router B
> > is connected to router C through serial0. Router A's e0 address is
> > 132.148.16.5/24. Router B's e0 address is 132.148.16.22. Router B's s0
> > address is 132.148.158.22. Router C's s0 address is 132.148.158.9. On
> > router C, I use the command "traceroute 132.148.16.5". The output is
> > below:
> >
> > RouterC# traceroute 132.148.16.5
> >
> > Type escape sequence to abort.
> > Tracing the route to 132.148.16.5
> >
> > 1 132.148.158.22 20 msec 16 msec 20 msec
> > 2 132.148.16.5 24 msec 20 msec *
> > I want to deny router C's traceroute to 132.148.16.5. So I configure the
> > access-list on router B. But I don't know which port the traceroute
> > command uses. I configure router B:
> >
> > int e0
> > ip access-group 102 out
> > !
> > access-list 102 permit udp host 132.148.158.9 host 132.148.16.5 log
> >
> > When I use the command "traceroute 132.148.16.5" on router C, the output
> > of router B is below:
> >
> > %SEC-6-IPACCESSLOGP: list 102 permitted udp 132.148.158.9(0) ->
> > 132.148.16.5(0), 3 packets
> >
> > I don't know the UDP port number from the output. What's wrong?
> >
> > Any help will be appreciated.
> >
> > Thanks.
> > alfred zhang
> >
> > Joe Soricelli wrote:
> >
> > > Answers below.
> > > ------------------------------------------------------------------
> > > Joseph M. Soricelli, CCIE #4803, CCNP, CCSI #20666
> > > EMAIL: jsoricelli@ccci.com
> > >
> > > Chesapeake Network Solutions
> > > 8110 Gatehouse Road, Suite 101E Phone: (703) 207-0757
> > > Falls Church, VA 22042 Fax: (703) 207-0441
> > >
> > > FYI - About Chesapeake: We are a Cisco Certified Training and
> > > professional services partner. We offer most of the Cisco
> > > training courses as well as training for Fore, NetScout, and
> > > CheckPoint-1 Firewalls. We provide network consulting services,
> > > including design, network health, management, firewall,
> > > and problem solving. We now have 23 CCIEs on our staff
> > > of instructor/consultants.
> > > -------------------------------------------------------------------
> > >
> > > -----Original Message-----
> > > From: alfred zhang <alfredzh@public1.ptt.js.cn>
> > > To: ccielab@groupstudy.com <ccielab@groupstudy.com>
> > > Date: Thursday, October 07, 1999 3:00 AM
> > > Subject: "apple distribute-list in/out "command
> > >
> > > >hi,
> > > >
> > > > I have two problems .
> > > >i.) How do I use the command "appletalk distribute-list in/out" on an
> > > >AppleTalk EIGRP interface? After I enter this command on an AppleTalk
> > > >EIGRP interface, I find that there is no change. I must reload the
> > > >router in order to influence the AppleTalk routes. WHY?
> > >
> > > Reloading the router just shortens the process. After the list is
> > > applied, it has taken effect, but AT takes a LONG time to resolve to the
> > > new information. Either be patient or reload. As a side note, I found
> > > this helpful when preparing for my lab. Get AT running without any
> > > filters in place to make sure that everything is as it should be. Then
> > > configure all the filters you need in your rack. Once you are confident
> > > that everything is configured and positioned as you would like it,
> > > reload the whole pod.
> > >
> > > >ii.) How do I deny traceroute packets?
> > >
> > > Assuming we are talking about a "standard" Cisco traceroute: it is a
> > > UDP packet that uses a "random" high port number. If you put an
> > > extended access-list on an interface that permits the explicit source
> > > and destination and then logs it, you can see the port. In
> > > application, however, the port number always starts at 33434 and goes
> > > up for each packet that goes out. You can also see this by doing an
> > > extended trace.
> > >
> > > >
> > > >Any help will be appreciated.
> > > >
> > > >alfred zhang
> > > >99/10/7
> > > >
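Added example (editor's code, not from anyone in this thread and not Cisco code): a small Python model of IOS-style extended access-list evaluation, run against the UDP probe stream a classic traceroute produces. It reproduces the three points the thread circles around: the destination ports climb from 33434 one per probe, so an entry with "gt 33433" catches them; an entry with no port test (Alfred's list 102) logs (0) for both ports, which is why the port could not be read from that log line; and a list containing only a deny also drops everything else because of the implicit deny, so the deny needs an explicit "permit ip any any" after it. Assumptions, all labelled in the code: three probes per TTL with the port stepping by one per probe, a constructed source port of 40000, that router B is hop 1 so only the TTL-2 probes reach its outbound ACL, and that IOS prints real port numbers only when the matching entry tests a port. The ACL parser understands only the numbered-list syntax seen here (any, host A.B.C.D, A.B.C.D WILDCARD, eq/gt/lt/neq/range, log).

```python
# Added example, not Cisco code or code from this thread: a model of IOS-style
# extended ACL evaluation run against the UDP probes a classic traceroute sends.
# Assumed: dest port starts at 33434 and rises by one per probe (3 per TTL); the
# source port 40000 is constructed; a log line shows ports only when the entry
# tests a port (list 102 in the thread logs (0) for that reason).
from collections import namedtuple
from ipaddress import IPv4Address

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
Packet = namedtuple("Packet", "proto src dst sport dport ttl", defaults=(0, 0, 64))
# src/dst are (address, wildcard) ints; sport/dport are (op, low, high) or None
Ace = namedtuple("Ace", "number action proto src sport dst dport log")

def _addr(t, i):
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def _ports(t, i):
    if i < len(t) and t[i] in PORT_OPS:
        hi = t[i + 2] if t[i] == "range" else t[i + 1]
        return (t[i], int(t[i + 1]), int(hi)), i + (3 if t[i] == "range" else 2)
    return None, i

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [op port] dst [op port] [log]'."""
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _ports(t, i)
    dst, i = _addr(t, i)
    dport, i = _ports(t, i)
    return Ace(t[1], t[2], t[3], src, sport, dst, dport, "log" in t[i:])

def _addr_match(spec, ip):
    care = ~spec[1] & 0xFFFFFFFF  # a 1 bit in the wildcard means "don't care"
    return (int(IPv4Address(ip)) & care) == (spec[0] & care)

def _port_match(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

def ace_matches(ace, p):
    return (ace.proto in ("ip", p.proto)
            and _addr_match(ace.src, p.src) and _addr_match(ace.dst, p.dst)
            and _port_match(ace.sport, p.sport) and _port_match(ace.dport, p.dport))

def evaluate(acl, p):
    for ace in acl:  # first match wins
        if ace_matches(ace, p):
            return ace.action, ace
    return "deny", None  # every IOS list ends with an implicit deny

def log_line(ace, p, n):
    sp, dp = (p.sport, p.dport) if (ace.sport or ace.dport) else (0, 0)
    verb = "permitted" if ace.action == "permit" else "denied"
    return (f"%SEC-6-IPACCESSLOGP: list {ace.number} {verb} {p.proto} "
            f"{p.src}({sp}) -> {p.dst}({dp}), {n} packet{'s' if n != 1 else ''}")

def traceroute_probes(src, dst, max_ttl=30, nprobes=3):
    """Classic UDP traceroute: dest port 33434, +1 per probe, nprobes per TTL."""
    probes, dport = [], 33434
    for ttl in range(1, max_ttl + 1):
        for _ in range(nprobes):
            probes.append(Packet("udp", src, dst, 40000, dport, ttl))
            dport += 1
    return probes

def forwarded_by(probes, hop):
    """Probes whose TTL survives router number `hop`, so they reach its outbound ACL."""
    return [p for p in probes if p.ttl > hop]

def apply_acl(lines, packets):
    """Run packets through the list; return counts and IOS-style aggregated logs."""
    acl = [parse_ace(ln) for ln in lines]
    result, logged = {"permit": 0, "deny": 0}, {}
    for p in packets:
        action, ace = evaluate(acl, p)
        result[action] += 1
        if ace is not None and ace.log:  # one line per entry and logged port pair
            ports = (p.sport, p.dport) if (ace.sport or ace.dport) else (0, 0)
            logged.setdefault((acl.index(ace), p.src, p.dst) + ports, [ace, p, 0])[2] += 1
    result["log"] = [log_line(a, p, n) for a, p, n in logged.values()]
    return result

# Constructed scenario from the thread: router C (132.148.158.9) traces to router A
# (132.148.16.5); router B is hop 1 and filters outbound on e0, so only the
# TTL-2 probes (ports 33437..33439) ever reach that ACL.
PROBES = forwarded_by(traceroute_probes("132.148.158.9", "132.148.16.5", max_ttl=2), 1)
ACL_102 = ["access-list 102 permit udp host 132.148.158.9 host 132.148.16.5 log"]
ACL_110 = ["access-list 110 deny udp any host 132.148.16.5 gt 33433 log",
           "access-list 110 permit ip any any"]  # else the implicit deny drops all

if __name__ == "__main__":
    for name, acl in (("102", ACL_102), ("110", ACL_110)):
        print(name, apply_acl(acl, PROBES))
```

On the router itself the same list 110 is bound with "ip access-group 110 out" under "interface ethernet0", and the "log" keyword goes on the access-list entry rather than on the access-group line. By default IOS answers a denied packet with an ICMP administratively-prohibited unreachable, so the tracing router shows !A at that hop instead of silently timing out; "no ip unreachables" on the interface suppresses that. The model covers UDP-probe traceroute only; a tracer that uses ICMP echo would need an icmp entry in the list.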
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:53 GMT-3