From: Long Kwok (lkwok@ccieunix.com)
Date: Mon May 16 2005 - 17:14:26 GMT-3
Hi,
In IE lab 2, in the security section, they discuss having to set up a RACL
that only permits ICMP into your network when it was established from
inside your network, and also make sure traceroute works for users
sourcing behind R5. Given this task, I am curious how you would, say,
block only traceroute traffic but permit ICMP echo requests/replies? I
have tried various methods to block, say, only R1 from tracerouting to R5's
Ethernet segments, but blocking all ICMP/UDP does not seem to do this.
So if R1 is the source of a traceroute to, say, an Ethernet interface on R5,
I still get the complete path up to R5's serial interface facing R3?
I would assume that blocking ICMP/UDP inbound on R5's only path
(assuming ISDN is down) would prevent R1 from getting any responses
from any routers in the path; I would expect to get all * * *'s when
tracing into R5??
TIA, Long
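
A small model of the situation asked about above, added here as an example and not part of the original post or the lab: it traces from R1 toward a host behind R5 with an inbound ACL on R5's serial interface. The path R1 -> R3 -> R5 -> HOST, the ACL contents and the 33434-33534 UDP port range are assumptions.

```python
# Constructed model (not from the original post): UDP traceroute from R1 toward a
# host behind R5, with an inbound ACL on R5's serial interface facing R3.
# Assumed path (hypothetical): R1 -> R3 -> R5 -> HOST.
PATH = ["R3", "R5", "HOST"]
FILTER_AT = "R5"  # router whose ingress interface carries the ACL

# ACL entries: (action, protocol, ICMP type name | (lo, hi) UDP dst-port range | None)
ACL_BLOCK_TRACE_ONLY = [
    ("deny", "udp", (33434, 33534)),  # conventional UDP traceroute ports (assumed)
    ("permit", "icmp", "echo"),
    ("permit", "icmp", "echo-reply"),
    ("deny", "any", None),
]
ACL_DENY_ICMP_UDP = [("deny", "icmp", None), ("deny", "udp", None),
                     ("permit", "any", None)]
ACL_PERMIT_ALL = [("permit", "any", None)]

def acl_permits(acl, proto, detail):
    """First-match evaluation with an implicit deny at the end."""
    for action, a_proto, a_detail in acl:
        if a_proto not in ("any", proto):
            continue
        in_range = (isinstance(a_detail, tuple) and isinstance(detail, int)
                    and a_detail[0] <= detail <= a_detail[1])
        if a_detail is None or a_detail == detail or in_range:
            return action == "permit"
    return False

def probe(acl, proto, detail, ttl):
    """Return the node that answers a probe sent with this TTL, or None for '*'."""
    for hop, node in enumerate(PATH, start=1):
        if node == FILTER_AT and not acl_permits(acl, proto, detail):
            return None  # dropped on ingress at R5, so R5 never generates a reply
        if hop == ttl or node == PATH[-1]:
            # TTL expired here (or destination reached). The reply from a hop
            # before R5 returns to R1 without ever crossing R5's ACL.
            return node
    return None

def traceroute(acl, base_port=33434):
    """One probe per TTL, destination port incremented per probe."""
    return [probe(acl, "udp", base_port + ttl - 1, ttl) or "*"
            for ttl in range(1, len(PATH) + 1)]

def ping(acl):
    """True if an ICMP echo request from R1 reaches the host behind R5."""
    return probe(acl, "icmp", "echo", ttl=255) == PATH[-1]
```

In this model the hops in front of R5 keep answering under either ACL, because R5's filter only sees packets that actually arrive on its serial interface.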