From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sat Dec 29 2007 - 03:39:00 ART
I think the RFC 1393 traceroute implementation can be matched on the IOS
using the following command:
"deny ip any any option traceroute"
As described here:
http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ebc.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d4a7d.html
Btw I have no idea what the 'traceroute' keyword does in the regular ICMP
protocol access-lists. But honestly I don't think the 'permit icmp any any
traceroute' command matches on the RFC 1393 thing simply because
access-lists did not support matching on IP Options back then :)
Regards
Farrukh
On Dec 29, 2007 8:11 AM, Brian Dennis <bdennis@internetworkexpert.com>
wrote:
> I tested out your theory for the record-route option and it didn't appear
> to hold up :-( Did you consider the ICMP type of traceroute as defined in
> RFC 1393?
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com <http://www.internetworkexpert.com/>
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
>
> >----- Original Message -----
> Subject: RE: Need your help on traceroute
> Date: Fri, December 28, 2007 20:36
> From: "Scott Morris" <swm@emanon.com>
>
> > While I agree on the idea that there are multiple ways of doing
> traceroutes,
> > I think the original question was about an ACL with ICMP and the
> > "traceroute" option.
> >
> > R1(config)#access-list 101 permit icmp any any ?
> > <0-255> ICMP message type
> > administratively-prohibited Administratively prohibited
> > alternate-address Alternate address
> > conversion-error Datagram conversion
> > dod-host-prohibited Host prohibited
> > dod-net-prohibited Net prohibited
> > dscp Match packets with given dscp value
> > echo Echo (ping)
> > echo-reply Echo reply
> > fragments Check non-initial fragments
> > general-parameter-problem Parameter problem
> > host-isolated Host isolated
> > host-precedence-unreachable Host unreachable for precedence
> > host-redirect Host redirect
> > host-tos-redirect Host redirect for TOS
> > host-tos-unreachable Host unreachable for TOS
> > host-unknown Host unknown
> > host-unreachable Host unreachable
> > information-reply Information replies
> > information-request Information requests
> > log Log matches against this entry
> > log-input Log matches against this entry, including
> > input
> > interface
> > mask-reply Mask replies
> > mask-request Mask requests
> > mobile-redirect Mobile host redirect
> > net-redirect Network redirect
> > net-tos-redirect Net redirect for TOS
> > net-tos-unreachable Network unreachable for TOS
> > net-unreachable Net unreachable
> > network-unknown Network unknown
> > no-room-for-option Parameter required but no room
> > option-missing Parameter required but not present
> > packet-too-big Fragmentation needed and DF set
> > parameter-problem All parameter problems
> > port-unreachable Port unreachable
> > precedence Match packets with given precedence value
> > precedence-unreachable Precedence cutoff
> > protocol-unreachable Protocol unreachable
> > reassembly-timeout Reassembly timeout
> > redirect All redirects
> > router-advertisement Router discovery advertisements
> > router-solicitation Router discovery solicitations
> > source-quench Source quenches
> > source-route-failed Source route failed
> > time-exceeded All time exceededs
> > time-range Specify a time-range
> > timestamp-reply Timestamp replies
> > timestamp-request Timestamp requests
> > tos Match packets with given TOS value
> > traceroute Traceroute
> > ttl-exceeded TTL exceeded
> > unreachable All unreachables
> > <cr>
> >
> > R1(config)#
> >
> > There are lots of things listed, and most have to do with the specific
> > types/codes laid out in RFC792. However, I believe (and no, I haven't
> > tested this) that the traceroute option here is specifically looking for
> > option 7 of the header (RFC791) allowing the record route feature of
> ICMP.
> >
> > Just my thoughts, but since everything else really is specific to ICMP
> here,
> > it would seem strange to either not filter based on that or simply
> ignore
> > it.
> >
> > HTH,
> >
> >
> > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE-M
> > #153, JNCIS-ER, CISSP, et al.
> > CCSI/JNCI-M/JNCI-ER
> > VP - Technical Training - IPexpert, Inc.
> > IPexpert Sr. Technical Instructor
> >
> > A Cisco Learning Partner - We Accept Learning Credits!
> >
> > smorris@ipexpert.com
> >
> >
> >
> > Telephone: +1.810.326.1444
> > Fax: +1.810.454.0130
> > http://www.ipexpert.com
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Brian Dennis
> > Sent: Friday, December 28, 2007 10:16 PM
> > To: PANDI MOORTHY; Cisco certification
> > Subject: Re: Need your help on traceroute
> >
> > Here is a reply that I've made on this list in the past in regards to
> > traceroute:
> >
> > Note that traceroute is a technique to have the routers between the
> source
> > and destination reveal themselves and finally have the destination
> reveal
> > itself by replying to a "packet". Traceroute can be implemented using
> ICMP,
> > UDP, and even TCP so as a CCIE when someone asks you to filter
> "traceroute"
> > you should get a little background as to the traceroute application/OS's
> > being used to trigger the reply from the destination.
> > Example: Windows uses ICMP echoes by default, most Linux OS's use UDP by
> > default but can use ICMP echoes (-I option), and the IOS uses UDP.
> There
> > are also implementations that use TCP.
> >
> > The goal of traceroute is to have the routers between the source and
> > destination reveal themselves and finally have the destination reply so
> that
> > you know you have reached it. The routers reveal themselves by sending
> Time
> > Exceeded (aka TTL-Exceeded) ICMP packets back to the source when the TTL
> is
> > decremented to zero. The traceroute implementation can determine its
> > reached the destination by having it reply to an ICMP echo request, send
> an
> > ICMP port unreachable to a packet sent to an unused UDP port, or
> completing
> > the TCP three-way handshake.
> >
> >
> > ************************************************************************
> >
> > ICMP based traceroute:
> >
> > In this example we are sending ICMP echo requests to www.cisco.com and
> > looking for the ICMP echo reply to know that we have reached the final
> > destination.
> >
> > [root@xxxxxx root]# traceroute -I www.cisco.com traceroute to
> www.cisco.com
> > (198.133.219.25), 30 hops max, 38 byte packets
> > 1 198.132.102.1 (198.132.102.1) 1.658 ms 1.975 ms 1.968 ms
> > 2 foo.hostrack.net (202.101.143.254) 5.394 ms 22.382 ms 2.966 ms
> > 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 20.132 ms
> > 20.494 ms 20.195 ms
> > 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 19.749ms
> > 25.827 ms 26.814 ms
> > 5 500.POS4-0.GW1.VEG2.alter.net<http://500.pos4-0.gw1.veg2.alter.net/>(
> 157.130.238.193) 29.108 ms 19.864 ms
> > 20.066 ms
> > 6 129.at-0-0-0.CL1.PHX2.ALTER.NET<http://129.at-0-0-0.cl1.phx2.alter.net/>(
> 152.63.115.26) 26.338 ms 26.232 ms
> > 26.821 ms
> > 7 0.so-4-0-0.XL1.SJC2.ALTER.NET<http://0.so-4-0-0.xl1.sjc2.alter.net/>(
> 152.63.55.101) 46.424 ms 45.996 ms
> > 45.675 ms
> > 8 POS1-0.XR1.SJC2.ALTER.NET <http://pos1-0.xr1.sjc2.alter.net/> (
> 152.63.56.138) 48.653 ms 46.513 ms
> > 46.803 ms
> > 9 193.ATM7-0.GW5.SJC2.ALTER.NET<http://193.atm7-0.gw5.sjc2.alter.net/>(
> 152.63.48.77) 46.693 ms 46.619 ms
> > 46.446 ms
> > 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 46.556 ms 46.954ms
> > 46.944 ms
> > 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 30.818 ms 31.769 ms
> > 32.685 ms
> > 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 30.589 ms 30.626 ms
> > 30.448 ms
> > 13 * * *
> > 14 www.cisco.com (198.133.219.25) 28.916 ms 28.994 ms 28.944 ms
> > ************************************************************************
> >
> > UDP based traceroute:
> > In this example we are sending UDP packets with a starting port number
> of
> > 33434 to www.cisco.com. Note that we don't ever get a reply from
> > www.cisco.com because their firewall will not allow our UDP packets in.
> >
> > [root@xxxxxx root]# man traceroute | grep "UDP port number"
> > -p Set the base UDP port number used in probes (default is
> > 33434).
> > [root@xxxxxx root]#
> > [root@xxxxxx root]# traceroute www.cisco.com traceroute to www.cisco.com
> > (198.133.219.25), 30 hops max, 38 byte packets
> > 1 198.132.102.1 (198.132.102.1) 1.725 ms 1.866 ms 1.841 ms
> > 2 foo.hostrack.net (202.101.143.254) 4.887 ms 4.281 ms 4.482 ms
> > 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.266 ms
> > 21.152 ms 20.826 ms
> > 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 58.829ms
> > 42.033 ms 24.007 ms
> > 5 500.POS4-0.GW1.VEG2.alter.net<http://500.pos4-0.gw1.veg2.alter.net/>(
> 157.130.238.193) 21.448 ms 23.277 ms
> > 21.446 ms
> > 6 129.at-0-0-0.CL1.PHX2.ALTER.NET<http://129.at-0-0-0.cl1.phx2.alter.net/>(
> 152.63.115.26) 27.816 ms 27.259 ms
> > 27.210 ms
> > 7 0.so-4-0-0.XL1.SJC2.ALTER.NET<http://0.so-4-0-0.xl1.sjc2.alter.net/>(
> 152.63.55.101) 47.540 ms 46.954 ms
> > 47.198 ms
> > 8 POS1-0.XR1.SJC2.ALTER.NET <http://pos1-0.xr1.sjc2.alter.net/> (
> 152.63.56.138) 48.072 ms 47.247 ms
> > 46.667 ms
> > 9 193.ATM7-0.GW5.SJC2.ALTER.NET<http://193.atm7-0.gw5.sjc2.alter.net/>(
> 152.63.48.77) 51.728 ms 51.437 ms
> > 48.304 ms
> > 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 48.563 ms 48.878ms
> > 47.807 ms
> > 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 31.562 ms 32.653 ms
> > 31.318 ms
> > 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 32.327 ms 31.831 ms
> > 31.516 ms
> > 13 * * *
> > 14 * * *
> >
> > ************************************************************************
> > TCP based traceroute:
> >
> > In this example we are sending TCP SYN packets to port 80 looking for
> the
> > destination to complete the three-way-handshake. Once the handshake is
> > complete we know that we have reached the destination. Obviously
> Cisco's
> > firewall is going to allow packets to TCP port 80 destined for it's web
> > server.
> >
> > [root@xxxxxx root]# tcptraceroute www.cisco.com
> > tcptraceroute: Symbol `pcap_version' has different size in shared
> object,
> > consider re-linking Selected device eth3, address 198.132.102.93, port
> 41440
> > for outgoing packets Tracing the path to www.cisco.com (198.133.219.25)
> on
> > TCP port 80, 30 hops max
> > 1 198.132.102.1 (198.132.102.1) 1.575 ms 1.507 ms 1.469 ms
> > 2 foo.hostrack.net (202.101.143.254) 4.840 ms 5.090 ms 4.596 ms
> > 3 ser4-0.core01.las.switchcommgroup.com (66.209.64.41) 21.205 ms
> > 20.895 ms 21.430 ms
> > 4 pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218) 21.682ms
> > 21.012 ms 21.059 ms
> > 5 500.POS4-0.GW1.VEG2.alter.net<http://500.pos4-0.gw1.veg2.alter.net/>(
> 157.130.238.193) 21.185 ms 21.304 ms
> > 20.939 ms
> > 6 129.at-0-0-0.CL1.PHX2.ALTER.NET<http://129.at-0-0-0.cl1.phx2.alter.net/>(
> 152.63.115.26) 27.176 ms 28.615 ms
> > 27.644 ms
> > 7 0.so-4-0-0.XL1.SJC2.ALTER.NET<http://0.so-4-0-0.xl1.sjc2.alter.net/>(
> 152.63.55.101) 47.659 ms 48.220 ms
> > 47.667 ms
> > 8 POS1-0.XR1.SJC2.ALTER.NET <http://pos1-0.xr1.sjc2.alter.net/> (
> 152.63.56.138) 47.534 ms 48.483 ms
> > 47.183 ms
> > 9 193.ATM7-0.GW5.SJC2.ALTER.NET<http://193.atm7-0.gw5.sjc2.alter.net/>(
> 152.63.48.77) 64.413 ms 51.058 ms
> > 49.007 ms
> > 10 ciscosys-gw1.customer.alter.net (65.208.80.242) 48.156 ms 49.197ms
> > 47.534 ms
> > 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89) 31.685 ms 32.633
> ms32.895 ms
> > 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69) 32.291 ms 33.900
> ms35.461 ms
> > 13 www.cisco.com (198.133.219.25) [open] 31.041 ms 31.667 ms 32.775ms
> > [root@xxxxxx root]#
> >
> >
> > HTH,
> >
> > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com <http://www.internetworkexpert.com/>
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > >----- Original Message -----
> > Subject: Need your help on traceroute
> > Date: Fri, December 28, 2007 17:41
> > From: "PANDI MOORTHY" <moorthypandi@gmail.com>
> >
> > > Hi
> > >
> > >
> > >
> > >
> > >
> > > Is there Cisco documentation to explain the real usage of this command
> > > "permit
> > > icmp any any traceroute"
> > >
> > >
> > >
> > > I am trying to capture the source which originate the traceroute
> > > packet,
> > >
> > >
> > >
> > > I understand we can use the below ACL to capture the traceroute return
> > > traffic (to the originator)
> > >
> > >
> > >
> > > permit icmp any any time-exceeded log-input
> > >
> > > permit icmp any any port-unreachable log-input
> > >
> > >
> > >
> > >
> > > How about on incoming side? is there a way to log
> > >
> > > Regards
> > > Pandi
> > >
> > > ______________________________________________________________________
> > > _ Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:32 ARST