From: Ivan (ivan@iip.net)
Date: Mon Jul 17 2006 - 06:39:00 ART
Traceroute sends ICMP or UDP to the destination, increasing the TTL by 1 for each
attempt.
If UDP traceroute is used (destination port 33434) and the destination is reached,
the target host replies with ICMP port unreachable, since no application uses
this port. The traceroute app on the source host gets this ICMP code and supposes
that it got the last-hop response.
ICMP time-exceeded is sent in 2 cases:
1) when the TTL is 0 after decrementing. The router discards the datagram and sends
this code to the source of the packet.
2) when all fragments of a datagram do not arrive at the destination host within a
certain time.
This is normal traceroute behaviour.
> not able to understand the example in the IEWB 3.0 Lab 3 task 9.1:
>
> 1). The network admin has requested that R6's connection to BB1 be
> secured; configure R6 so that it only allows TCP, UDP and ICMP traffic in from
> BB1 if it was originated from behind R6. 2). Ensure that users behind R6
> can still traceroute to hosts beyond the frame cloud (BB1).
>
> the solution:
> r6
> interface s0/0
> ip access-group incoming in
> ip access-group outgoing out
>
> ip access-list extended incoming
> permit icmp any any time-exceeded
> permit icmp any any port-unreachable
> permit udp any any eq rip
> permit tcp any eq bgp any
> permit tcp any any eq bgp
> evaluate MY-REFLECT
>
> ip access-list extended outgoing
> permit tcp any any reflect MY-REFLECT
> permit udp any any reflect MY-REFLECT
> permit icmp any any reflect MY-REFLECT
>
> I cannot understand question 2 and the solution "permit icmp any any
> time-exceeded" and "permit icmp any any port-unreachable".
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- Ivan
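The point in the reply above can be checked with a small simulation. The following Python is an added example, not part of the original post or of Cisco IOS: it models a reflexive ACL in a simplified way (an outbound packet matched by a `reflect` entry creates a temporary inbound entry with addresses and ports swapped; `evaluate` checks inbound packets against those entries) and runs a UDP traceroute through it. The hosts, hop addresses and ports are constructed sample values. It shows why the ICMP time-exceeded replies from intermediate routers and the final port-unreachable from the destination never match a reflected UDP entry, so the two static `permit icmp` lines are required for task 2, while unsolicited inbound traffic from BB1 is still denied.

```python
"""Toy model of reflexive-ACL evaluation for a UDP traceroute.

Added example, not from the original post. Simplified: real IOS reflexive
ACLs also have idle timeouts and per-protocol details that are not modelled.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str               # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0           # unused for icmp
    dport: int = 0           # unused for icmp
    icmp_type: str = ""      # "time-exceeded" or "port-unreachable"


@dataclass
class ReflexiveACL:
    # static inbound permits evaluated before 'evaluate MY-REFLECT'
    static_inbound: list = field(default_factory=list)
    # temporary entries created by 'permit <proto> any any reflect MY-REFLECT'
    reflected: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        # Mirror the 5-tuple: only the exact return flow of this protocol
        # will be permitted back in. Note that no ICMP entry is created for
        # a UDP probe, which is the crux of the thread.
        self.reflected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        for rule in self.static_inbound:
            if rule(pkt):
                return True
        # 'evaluate MY-REFLECT': match against the mirrored tuples
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflected


def permit_icmp_type(icmp_type: str):
    """Model of 'permit icmp any any <type>'."""
    return lambda p: p.proto == "icmp" and p.icmp_type == icmp_type


def build_acl(with_icmp_permits: bool) -> ReflexiveACL:
    """With or without the two static ICMP permits from the lab solution."""
    rules = []
    if with_icmp_permits:
        rules.append(permit_icmp_type("time-exceeded"))
        rules.append(permit_icmp_type("port-unreachable"))
    return ReflexiveACL(static_inbound=rules)


def simulate_traceroute(acl: ReflexiveACL, src_host: str, dst_host: str,
                        hops: list, base_port: int = 33434) -> list:
    """Send one UDP probe per TTL; return (ttl, replier, icmp_type, permitted).

    Each intermediate hop answers with ICMP time-exceeded; the final
    destination answers with ICMP port-unreachable because nothing listens
    on the high UDP port the probe targets.
    """
    results = []
    for ttl, hop in enumerate(hops, start=1):
        probe = Packet("udp", src_host, dst_host,
                       sport=40000 + ttl, dport=base_port + ttl - 1)
        acl.outbound(probe)                      # creates a UDP reflect entry
        last = hop == dst_host
        reply = Packet("icmp", hop, src_host,
                       icmp_type="port-unreachable" if last else "time-exceeded")
        results.append((ttl, hop, reply.icmp_type, acl.inbound(reply)))
    return results


# Constructed topology: inside host, two routers in the frame cloud, target.
INSIDE_HOST = "10.0.0.10"
TARGET = "192.0.2.50"
HOPS = ["10.0.0.1", "198.51.100.1", TARGET]

if __name__ == "__main__":
    for label, acl in (("evaluate only", build_acl(False)),
                       ("with static icmp permits", build_acl(True))):
        print(label)
        for ttl, hop, kind, ok in simulate_traceroute(acl, INSIDE_HOST, TARGET, HOPS):
            print(f"  ttl={ttl} from {hop:<14} {kind:<16} {'permit' if ok else 'deny'}")
```

Running it prints every reply as denied under `evaluate` alone and permitted once the two static ICMP lines are present; the reflexive entries still admit return traffic only for sessions that were started from behind R6.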
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART