Re: How to block "traceroute" output but allow "ping" ?

From: Ilya Mazhara (willy@xxxxxxxxxxxxxxxx)
Date: Mon Feb 26 2001 - 05:36:48 GMT-3

• Next message: YJC: "Re: tcp ports for dlsw+ traffic"
• Previous message: fwells12: "x25 back to back vc's"
• Maybe in reply to: JZ: "How to block "traceroute" output but allow "ping" ?"
• Next in thread: Luis Santos: "RE: How to block "traceroute" output but allow "ping" ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

   
trace uses udp/icmp but ping does icmp only. Well..

JZ wrote:
>
> Hi, here is an issue regarding "traceroute" of ICMP:
>
> rL:s0 ------------- s0:rM:S1 --------------s0:rR
> | |
> tr <rR:s0 ip > "ip acc-grp 100 out"
> ping <rR:s0 ip>
>
> Q: apply acl on rM:S1 (out) to block the output of
> traceroute from rL to rR, but allow rL ping rR.
> All routers have full IP connectivity.
>
> My cfg. on rM: (omitting unrelated part)
> !
> int rM:S1
> ip acc-grp 100 out
> !
> acl# 100 deny ICMP any any EQ Traceroute
> acl# 100 perit ip any any
> !
>
> While verify, from rL using "tr <rR:s0 IP> ", the
> traceroute output from both routers -- rM and rR, show up.
> Ping works well.
>
> Was anything wrong in cfg. that fails to block the output
> from rR ?
>
> Thanks in advance ,
>
> JZ
> Sunday
>

• Next message: YJC: "Re: tcp ports for dlsw+ traffic"
• Previous message: fwells12: "x25 back to back vc's"
• Maybe in reply to: JZ: "How to block "traceroute" output but allow "ping" ?"
• Next in thread: Luis Santos: "RE: How to block "traceroute" output but allow "ping" ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:01 GMT-3