RE: deny traceroute packet!!!!!! (unresolved)

From: Pickell, Aaryn (Aaryn.Pickell@xxxxxxxxxxxxx)
Date: Sun Apr 15 2001 - 13:57:24 GMT-3


On a totally different track, you might want to look into the "ip icmp
rate-limit" command. It's only supported on later IOS versions, but it will
prevent the router from sending icmp messages so often. I didn't see a way
to totally disable them, though.

Aaryn Pickell - CCNP, CCDP, MCSE
Senior Engineer - Routing Protocols
Getronics Inc.
Direct: 713-394-1609
Email:aaryn.pickell@getronics.com

This e-mail message and any attachments are confidential and may be
privileged. If you are not the intended recipient, please notify me
immediately by replying to this message and please destroy all copies of
this message and attachments. Thank you.

> -----Original Message-----
> From: Rob Hopkins [mailto:rshopkins@earthlink.net]
> Sent: Saturday, April 14, 2001 8:39 AM
> To: ccielab@groupstudy.com
> Subject: Re: deny traceroute packet!!!!!! (unresolved)
>
>
> It just occurred to me you could use a route map,
> match to an access list, and route to int null;
> it should work, but it's a bit cumbersome...
>
>
> ----- Original Message -----
> From: "McCoy, Jeffery" <jmccoy@neteffectcorp.com>
> To: "'Rob Hopkins '" <rshopkins@earthlink.net>;
> <ccielab@groupstudy.com>
> Sent: Saturday, April 14, 2001 9:13 AM
> Subject: RE: deny traceroute packet!!!!!! (unresolved)
>
>
> > with policy routing it is
> > ip local policy route-map xxxxx
> >
> > perhaps it is something similar.
> > -jeff
> >
> > -----Original Message-----
> > From: Rob Hopkins
> > To: ccielab@groupstudy.com
> > Sent: 4/14/2001 6:18 AM
> > Subject: Re: deny traceroute packet!!!!!! (unresolved)
> >
> > I believe this issue is still unresolved. I remember
> > something about access-lists not affecting traffic
> > generated by the router, but can't remember how to
> > restrict that traffic..
> >
> > from Caslow, p.685
> > "..Access-lists do not affect the router that the
> > access-list resides on. .... To prevent access from the
> > router an access-class statement must be used."
> >
> >
> > Does anyone recall how to block outbound traffic
> > generated by the router itself?
> >
> > How about:
> >
> > access 100 deny icmp any any
> >
> > J
> >
> > >>> Ilya Mazhara <willy@aspect.vyatka.ru> 03/19/01
> > 09:12AM >>>
> > Well look at this:
> >
> > Router2#sh access-li 103
> > Extended IP access list 103
> > deny ip any any (2 matches)
> > Cut from sh run:
> > !
> > line con 0
> > access-class 103 out
> >
> > And ping works..
> > Router2#ping 170.10.5.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 170.10.5.1, timeout
> > is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip
> > min/avg/max = 4/4/4
> >
> > ...but telnet doesn't:
> > Router2#telnet 170.10.5.1
> > Trying 170.10.5.1 ...
> > % Connections to that host not permitted from this
> > terminal
> > Router2#sh access-li 103
> > Extended IP access list 103
> > deny ip any any (3 matches)
> >
> > Tracy Blackmore wrote:
> > >
> > > They will work on locally generated packets if you
> > > apply the ACL to the con
> > > 0 line (if your session is on the console that is.)
> > >
> > > -----Original Message-----
> > > From: Ilya Mazhara [mailto:willy@aspect.vyatka.ru]
> > > Sent: Monday, March 19, 2001 3:16 AM
> > > To: xuefengleng
> > > Cc: Chun-Yu Chen; ccielab@groupstudy.com
> > > Subject: Re: deny traceroute packet!!!!!!
> > >
> > > ACLs don't act on locally generated packets if you try
> > > to do it.
> > >
> > > xuefengleng wrote:
> > > >
> > > > hi, Chun-Yu Chen
> > > >
> > > > interface Serial1
> > > > ip address 150.4.102.2 255.255.255.0
> > > > ip access-group 104 out
> > > > no ip directed-broadcast
> > > > no ip route-cache
> > > >
> > > > access-list 104 deny udp any any gt 30000
> > > > access-list 104 permit ip any any
> > > >
> > > > It doesn't work, I promise! Would you try again? Or
> > > > what am I missing?
> > > >
> > > > snow
> > > >
> > > > At 01-3-19 15:37:00, you wrote:
> > > > >Hello,
> > > > >
> > > > >You can try as following
> > > > >acl 100 deny udp any any gt 30000
> > > > >acl 100 permit ip any any
> > > > >
> > > > >ip access 101 out.
> > > > >
> > > > >I have used this command.
> > > > >It works.
> > > > >
> > > > >Regards
> > > > >Jerry
> > > > >
> > > > >
> > > > >----- Original Message -----
> > > > >From: "xuefengleng" <xuefengleng@163.com>
> > > > >To: <ccielab@groupstudy.com>
> > > > >Sent: Monday, March 19, 2001 3:00 PM
> > > > >Subject: deny traceroute packet!!!!!!
> > > > >
> > > > >
> > > > >> ccielab gurus!
> > > > >>
> > > > >> I cannot deny traceroute output packets. Why?
> > > > >>
> > > > >> config:
> > > > >>
> > > > >> int s1
> > > > >> ip acce 101 out
> > > > >> acce 101 deny udp any any gt 33433
> > > > >> acce 101 permit ip any any
> > > > >>
> > > > >> When I debug the IP packets, I found the UDP
> > > > >> sent out the s1 port. Have
> > > > >> you any experience with it?
> > > > >>
> > > > >> Well, I can deny the incoming traceroute packets
> > > > >> anywhere.
> > > > >>
> > > > >> snow
> > > > >>
> > > > >>
> > > > >> xuefengleng
> > > > >> xuefengleng@163.com
> > > > >>
> > > > >> **NOTE** All LAB SWAP messages should now be
> > > > >> sent to the
> > > > >> LAB SWAP Message board on groupstudy.com.
> > > > >>
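Added configuration example, not taken from any post in this thread: it places the outbound interface ACL that the thread shows failing next to the local policy-routing approach the thread suggests, plus the ICMP rate-limit knob from the top post. The ACL number 110, the route-map name BLOCK-LOCAL-TRACEROUTE and the port boundary (gt 33433, i.e. the 33434+ range IOS traceroute uses) are assumptions for illustration.

```cisco
! Added example; not configuration from any of the posts above.
! ACL 110 and route-map name BLOCK-LOCAL-TRACEROUTE are assumed names.
!
! --- Ineffective, as posted in the thread ---
! An outbound interface ACL is evaluated for transit packets only. Packets
! the router originates itself (its own traceroute, ping, telnet) are not
! checked by it, so the UDP probes still leave Serial1.
access-list 101 deny   udp any any gt 33433
access-list 101 permit ip any any
!
interface Serial1
 ip access-group 101 out
!
! --- Working: local policy routing, as suggested in the thread ---
! "ip local policy" applies a route-map to router-generated packets.
! ACL 110 selects the probes (destination UDP port 33434 and above);
! matching packets are sent to Null0 and discarded. Packets that match
! no route-map sequence are forwarded normally, so no catch-all is needed.
access-list 110 permit udp any any gt 33433
!
route-map BLOCK-LOCAL-TRACEROUTE permit 10
 match ip address 110
 set interface Null0
!
ip local policy route-map BLOCK-LOCAL-TRACEROUTE
!
! Optional: keep Null0 from answering discarded packets with ICMP
! unreachables, and (on later IOS, per the top post) cap how often the
! router sends unreachables; 500 ms is the platform default.
interface Null0
 no ip unreachables
!
ip icmp rate-limit unreachable 500
!
! Check: after running "traceroute" from the router, the policy counters
! on the route-map and the match count on ACL 110 should increase.
! Router2# show route-map BLOCK-LOCAL-TRACEROUTE
! Router2# show access-lists 110
```

Note that ACL 110 matches on destination port only, so any other UDP traffic the router originates toward ports above 33433 would be discarded as well; tighten the ACL with a destination range or source address if that matters in your environment.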



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:46 GMT-3