icmp - time-exceeded vs ttl-exceeded

From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Jun 20 2005 - 18:01:51 GMT-3


Hi guys,
 
Let's assume I want to configure a reflexive acl which allows Traceroute
packets back in.
 
I'm trying to make sure I select the correct icmp type packet to allow
back in. But when I do the following I see lots of options.
 
R5(config)#access-list 101 perm icmp any any ?
  <0-255> ICMP message type
  administratively-prohibited Administratively prohibited
  alternate-address Alternate address
  conversion-error Datagram conversion
  dod-host-prohibited Host prohibited
  dod-net-prohibited Net prohibited
  dscp Match packets with given dscp value
  echo Echo (ping)
  echo-reply Echo reply
  fragments Check non-initial fragments
  general-parameter-problem Parameter problem
  host-isolated Host isolated
  host-precedence-unreachable Host unreachable for precedence
  host-redirect Host redirect
  host-tos-redirect Host redirect for TOS
  host-tos-unreachable Host unreachable for TOS
  host-unknown Host unknown
  host-unreachable Host unreachable
  information-reply Information replies
  information-request Information requests
  log Log matches against this entry
  log-input Log matches against this entry, including input interface
  mask-reply Mask replies
  mask-request Mask requests
  mobile-redirect Mobile host redirect
  net-redirect Network redirect
  net-tos-redirect Net redirect for TOS
  net-tos-unreachable Network unreachable for TOS
  net-unreachable Net unreachable
  network-unknown Network unknown
  no-room-for-option Parameter required but no room
  option-missing Parameter required but not present
  packet-too-big Fragmentation needed and DF set
  parameter-problem All parameter problems
  port-unreachable Port unreachable
  precedence Match packets with given precedence value
  precedence-unreachable Precedence cutoff
  protocol-unreachable Protocol unreachable
  reassembly-timeout Reassembly timeout
  redirect All redirects
  router-advertisement Router discovery advertisements
  router-solicitation Router discovery solicitations
  source-quench Source quenches
  source-route-failed Source route failed
  time-exceeded All time exceededs <----- **************
  time-range Specify a time-range
  timestamp-reply Timestamp replies
  timestamp-request Timestamp requests
  tos Match packets with given TOS value
  traceroute Traceroute <----------- #############
  ttl-exceeded TTL exceeded <------------- *****************
  unreachable All unreachables
  <cr>
 
 
Notice how similar the 2 "starred" options look. What's the difference
between these 2 options?
 
Also, if I need to allow Traceroute back in, why wouldn't I use the
traceroute option?
 
TIA, Tim
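Added example, not part of Tim's post: a small Python classifier that maps an ICMP header's type/code to the IOS keywords listed above, so you can see that ttl-exceeded and reassembly-timeout are the two codes of type 11 that time-exceeded covers as a whole, while the traceroute keyword is the separate RFC 1393 type 30 message that Unix/IOS traceroute never receives. The keyword-to-type/code mapping is my assumption from RFC 792 and RFC 1393, not quoted from the post; the sample headers are constructed.

```python
import struct

# ICMP type/code values per RFC 792 (type 30 per RFC 1393). The IOS
# keyword mapping is assumed from those RFCs, not quoted from the post.
IOS_KEYWORDS = {
    (11, None): "time-exceeded",    # every code of type 11
    (11, 0): "ttl-exceeded",        # code 0: TTL exceeded in transit
    (11, 1): "reassembly-timeout",  # code 1: fragment reassembly timeout
    (3, 3): "port-unreachable",     # what a UDP traceroute target sends back
    (30, None): "traceroute",       # RFC 1393 ICMP Traceroute, not what traceroute uses
}

def parse_icmp_header(payload: bytes):
    """Return (type, code) from the first two bytes of an ICMP header."""
    if len(payload) < 4:
        raise ValueError("ICMP header too short")
    return struct.unpack("!BB", payload[:2])

def matching_keywords(icmp_type: int, icmp_code: int):
    """Every keyword in IOS_KEYWORDS that would match this message."""
    return [kw for (t, c), kw in IOS_KEYWORDS.items()
            if t == icmp_type and (c is None or c == icmp_code)]

def classify(payload: bytes):
    return matching_keywords(*parse_icmp_header(payload))

def traceroute_replies_allowed(permitted: list):
    """True if the permitted keywords admit both replies a UDP traceroute
    needs back in: type 11/code 0 from each hop and type 3/code 3 from
    the destination."""
    hop, final = matching_keywords(11, 0), matching_keywords(3, 3)
    return any(k in hop for k in permitted) and any(k in final for k in permitted)

# Constructed sample ICMP headers (type, code, checksum); not captured traffic.
SAMPLES = {
    "hop reply": bytes([11, 0, 0xF4, 0xFF]),
    "reassembly timeout": bytes([11, 1, 0xF4, 0xFE]),
    "destination reply": bytes([3, 3, 0xFC, 0xFC]),
    "rfc1393 traceroute": bytes([30, 0, 0xE1, 0xFF]),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name}: type/code {parse_icmp_header(hdr)} -> {classify(hdr)}")
    print(traceroute_replies_allowed(["ttl-exceeded", "port-unreachable"]))
    print(traceroute_replies_allowed(["traceroute"]))
```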



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3