From: Darby Weaver (darbyweaver@yahoo.com)
Date: Sat Dec 29 2007 - 08:01:20 ART
Another interesting tidbit.

How would one think this may come across in a graded practice lab exam scenario?

I've seen wording to the effect of a given task where one is asked to perform a traceroute when the given task is complete.
--- Brian Dennis <bdennis@internetworkexpert.com> wrote:

> We're referring to ICMP type 30 (traceroute) and not the IP traceroute
> option. ICMP type filtering has been in the IOS for over 12 years (around
> IOS version 10.3).
>
> Also if you read the RFC you'll get a better understanding of the ICMP
> traceroute type vs the IP traceroute option.
>
> Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> >----- Original Message -----
> Subject: Re: Need your help on traceroute
> Date: Fri, December 28, 2007 22:39
> From: "Farrukh Haroon" <farrukhharoon@gmail.com>
>
> > I think the RFC 1393 traceroute implementation can be matched on the IOS
> > using the following command:
> >
> > "deny ip any any option traceroute"
> >
> > As described here:
> >
> > http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ebc.html
> > http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d4a7d.html
> >
> > Btw I have no idea what the 'traceroute' keyword does in the regular ICMP
> > protocol access-lists. But honestly I don't think the 'permit icmp any any
> > traceroute' command matches on the RFC 1393 thing simply because
> > access-lists did not support matching on IP Options back then :)
> >
> > Regards
> >
> > Farrukh
> >
> > On Dec 29, 2007 8:11 AM, Brian Dennis <bdennis@internetworkexpert.com> wrote:
> >
> > > I tested out your theory for the record-route option and it didn't appear
> > > to hold up :-( Did you consider the ICMP type of traceroute as defined in
> > > RFC 1393?
> > >
> > > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > > bdennis@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987
> > > Direct: 775-745-6404 (Outside the US and Canada)
> > >
> > > >----- Original Message -----
> > > Subject: RE: Need your help on traceroute
> > > Date: Fri, December 28, 2007 20:36
> > > From: "Scott Morris" <swm@emanon.com>
> > >
> > > > While I agree on the idea that there are multiple ways of doing traceroutes,
> > > > I think the original question was about an ACL with ICMP and the
> > > > "traceroute" option.
> > > >
> > > > R1(config)#access-list 101 permit icmp any any ?
> > > >   <0-255>                      ICMP message type
> > > >   administratively-prohibited  Administratively prohibited
> > > >   alternate-address            Alternate address
> > > >   conversion-error             Datagram conversion
> > > >   dod-host-prohibited          Host prohibited
> > > >   dod-net-prohibited           Net prohibited
> > > >   dscp                         Match packets with given dscp value
> > > >   echo                         Echo (ping)
> > > >   echo-reply                   Echo reply
> > > >   fragments                    Check non-initial fragments
> > > >   general-parameter-problem    Parameter problem
> > > >   host-isolated                Host isolated
> > > >   host-precedence-unreachable  Host unreachable for precedence
> > > >   host-redirect                Host redirect
> > > >   host-tos-redirect            Host redirect for TOS
> > > >   host-tos-unreachable         Host unreachable for TOS
> > > >   host-unknown                 Host unknown
> > > >   host-unreachable             Host unreachable
> > > >   information-reply            Information replies
> > > >   information-request          Information requests
> > > >   log                          Log matches against this entry
> > > >   log-input                    Log matches against this entry, including input interface
> > > >   mask-reply                   Mask replies
> > > >   mask-request                 Mask requests
> > > >   mobile-redirect              Mobile host redirect
> > > >   net-redirect                 Network redirect
> > > >   net-tos-redirect             Net redirect for TOS
> > > >   net-tos-unreachable          Network unreachable for TOS
> > > >   net-unreachable              Net unreachable
> > > >   network-unknown              Network unknown
> > > >   no-room-for-option           Parameter required but no room
> > > >   option-missing               Parameter required but not present
> > > >   packet-too-big               Fragmentation needed and DF set
> > > >   parameter-problem            All parameter problems
> > > >   port-unreachable             Port unreachable
> > > >   precedence                   Match packets with given precedence value
> > > >   precedence-unreachable       Precedence cutoff
> > > >   protocol-unreachable         Protocol unreachable
> > > >   reassembly-timeout           Reassembly timeout
> > > >   redirect                     All redirects
> > > >   router-advertisement         Router discovery advertisements
> > > >   router-solicitation          Router discovery solicitations
> > > >   source-quench                Source quenches
> > > >   source-route-failed          Source route failed
> > > >   time-exceeded                All time exceededs
> > > >   time-range                   Specify a time-range
> > > >   timestamp-reply              Timestamp replies
> > > >   timestamp-request            Timestamp requests
> > > >   tos                          Match packets with given TOS value
> > > >   traceroute                   Traceroute
> > > >   ttl-exceeded                 TTL exceeded
> > > >   unreachable                  All unreachables
> > > >   <cr>
> > > >
> > > > R1(config)#
> > > >
> > > > There are lots of things listed, and most have to do with the specific
> > > > types/codes laid out in RFC792. However, I believe (and no, I haven't
> > > > tested this) that the traceroute option here is specifically looking for
> > > > option 7 of the header (RFC791) allowing the record route feature of ICMP.
> > > >
> > > > Just my thoughts, but since everything else really is specific to ICMP here,
> > > > it would seem strange to either not filter based on that or simply ignore it.
> > > >
> > > > HTH,
> > > >
> > > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
> > > > #153, JNCIS-ER, CISSP, et al.
> > > > CCSI/JNCI-M/JNCI-ER
> > > > VP - Technical Training - IPexpert, Inc.
> > > > IPexpert Sr. Technical Instructor
> > > >
> > > > A Cisco Learning Partner - We Accept Learning Credits!
> > > >
> > > > smorris@ipexpert.com
> > > >
> > > > Telephone: +1.810.326.1444
> > > > Fax: +1.810.454.0130
> > > > http://www.ipexpert.com
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > Brian Dennis
> > > > Sent: Friday, December 28, 2007 10:16 PM
> > > > To: PANDI MOORTHY; Cisco certification
> > > > Subject: Re: Need your help on traceroute
> > > >
> > > > Here is a reply that I've made on this list in the past in regards to
> > > > traceroute:
> > > >
> > > > Note that traceroute is a technique to have the routers between the source
> > > > and destination reveal themselves and finally have the destination reveal
> > > > itself by replying to a "packet". Traceroute can be implemented using ICMP,
> > > > UDP, and even TCP so as a CCIE when someone asks you to filter "traceroute"
> > > > you should get a little background as to the traceroute application/OS's
> > > > being used to trigger the reply from the destination.
> > > > Example: Windows uses ICMP echoes by default, most Linux OS's use UDP by
> > > > default but can use ICMP echoes (-I option), and the IOS uses UDP. There
> > > > are also implementations that use TCP.
> > > >
> > > > The goal of traceroute is to have the routers between the source and
> > > > destination reveal themselves and finally have the destination reply so that
> > > > you know you have reached it. The routers reveal themselves by sending Time
> > > > Exceeded (aka TTL-Exceeded) ICMP packets back to the source when the TTL is
> > > > decremented to zero. The traceroute implementation can determine it's
> > > > reached the destination by having it reply to an ICMP echo request, send an
> > > > ICMP port unreachable to a packet sent to an unused UDP port, or completing
> > > > the TCP three-way handshake.
> > > >
> > > > ************************************************************************
> > > >
> > > > ICMP based traceroute:
> > > >
> > > > In this example we are sending ICMP echo requests to www.cisco.com and
> > > > looking for the ICMP echo reply to know that we have reached the final
> > > > destination.
> > > >
> > > > [root@xxxxxx root]# traceroute -I www.cisco.com
> > > > traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
> > > >  1  198.132.102.1 (198.132.102.1)  1.658 ms  1.975 ms  1.968 ms
> > > >  2  foo.hostrack.net (202.101.143.254)  5.394 ms  22.382 ms  2.966 ms
> > > >  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  20.132 ms  20.494 ms  20.195 ms
> > > >  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  19.749 ms  25.827 ms  26.814 ms
> > > >  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  29.108 ms  19.864 ms  20.066 ms
> > > >  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  26.338 ms  26.232 ms  26.821 ms
> > > >  7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  46.424 ms  45.996 ms  45.675 ms
> > > >  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.653 ms  46.513 ms  46.803 ms
> > > >  9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  46.693 ms  46.619 ms  46.446 ms
> > > > 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  46.556 ms  46.954 ms  46.944 ms
> > > > 11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  30.818 ms  31.769 ms  32.685 ms
> > > > 12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  30.589 ms  30.626 ms  30.448 ms
> > > > 13  * * *
> > > > 14  www.cisco.com (198.133.219.25)  28.916 ms  28.994 ms  28.944 ms
> > > >
> > > > ************************************************************************
> > > >
> > > > UDP based traceroute:
> > > >
> > > > In this example we are sending UDP packets with a starting port number of
> > > > 33434 to www.cisco.com. Note that we don't ever get a reply from
> > > > www.cisco.com because their firewall will not allow our UDP packets in.
> > > >
> > > > [root@xxxxxx root]# man traceroute | grep "UDP port number"
> > > >        -p     Set the base UDP port number used in probes (default is 33434).
> > > > [root@xxxxxx root]#
> > > > [root@xxxxxx root]# traceroute www.cisco.com
> > > > traceroute to www.cisco.com (198.133.219.25), 30 hops max, 38 byte packets
> > > >  1  198.132.102.1 (198.132.102.1)  1.725 ms  1.866 ms  1.841 ms
> > > >  2  foo.hostrack.net (202.101.143.254)  4.887 ms  4.281 ms  4.482 ms
> > > >  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.266 ms  21.152 ms  20.826 ms
> > > >  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  58.829 ms  42.033 ms  24.007 ms
> > > >  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.448 ms  23.277 ms  21.446 ms
> > > >  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.816 ms  27.259 ms  27.210 ms
> > > >  7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.540 ms  46.954 ms  47.198 ms
> > > >  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  48.072 ms  47.247 ms  46.667 ms
> > > >  9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  51.728 ms  51.437 ms  48.304 ms
> > > > 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.563 ms  48.878 ms  47.807 ms
> > > > 11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.562 ms  32.653 ms  31.318 ms
> > > > 12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.327 ms  31.831 ms  31.516 ms
> > > > 13  * * *
> > > > 14  * * *
> > > >
> > > > ************************************************************************
> > > >
> > > > TCP based traceroute:
> > > >
> > > > In this example we are sending TCP SYN packets to port 80 looking for the
> > > > destination to complete the three-way-handshake. Once the handshake is
> > > > complete we know that we have reached the destination. Obviously Cisco's
> > > > firewall is going to allow packets to TCP port 80 destined for its web
> > > > server.
> > > >
> > > > [root@xxxxxx root]# tcptraceroute www.cisco.com
> > > > tcptraceroute: Symbol `pcap_version' has different size in shared object, consider re-linking
> > > > Selected device eth3, address 198.132.102.93, port 41440 for outgoing packets
> > > > Tracing the path to www.cisco.com (198.133.219.25) on TCP port 80, 30 hops max
> > > >  1  198.132.102.1 (198.132.102.1)  1.575 ms  1.507 ms  1.469 ms
> > > >  2  foo.hostrack.net (202.101.143.254)  4.840 ms  5.090 ms  4.596 ms
> > > >  3  ser4-0.core01.las.switchcommgroup.com (66.209.64.41)  21.205 ms  20.895 ms  21.430 ms
> > > >  4  pos1-0.core02.las.oc48a.switchcommgroup.com (66.209.64.218)  21.682 ms  21.012 ms  21.059 ms
> > > >  5  500.POS4-0.GW1.VEG2.alter.net (157.130.238.193)  21.185 ms  21.304 ms  20.939 ms
> > > >  6  129.at-0-0-0.CL1.PHX2.ALTER.NET (152.63.115.26)  27.176 ms  28.615 ms  27.644 ms
> > > >  7  0.so-4-0-0.XL1.SJC2.ALTER.NET (152.63.55.101)  47.659 ms  48.220 ms  47.667 ms
> > > >  8  POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138)  47.534 ms  48.483 ms  47.183 ms
> > > >  9  193.ATM7-0.GW5.SJC2.ALTER.NET (152.63.48.77)  64.413 ms  51.058 ms  49.007 ms
> > > > 10  ciscosys-gw1.customer.alter.net (65.208.80.242)  48.156 ms  49.197 ms  47.534 ms
> > > > 11  sjce-dmzbb-gw1.cisco.com (128.107.239.89)  31.685 ms  32.633 ms  32.895 ms
> > > > 12  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  32.291 ms  33.900 ms  35.461 ms
> > > > 13  www.cisco.com (198.133.219.25) [open]  31.041 ms  31.667 ms  32.775 ms
> > > > [root@xxxxxx root]#
> > > >
> > > > HTH,
> > > >
> > > > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > > > bdennis@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987
> > > > Direct: 775-745-6404 (Outside the US and Canada)
> > > >
> > > > >----- Original Message -----
> > > > Subject: Need your help on traceroute
> > > > Date: Fri, December 28, 2007 17:41
> > > > From: "PANDI MOORTHY" <moorthypandi@gmail.com>
> > > >
> > > > > Hi
> > > > >
> > > > > Is there Cisco documentation to explain the real usage of this command
> > > > > "permit icmp any any traceroute"
> > > > >
> > > > > I am trying to capture the source which originates the traceroute packet.
> > > > >
> > > > > I understand we can use the below ACL to capture the traceroute return
> > > > > traffic (to the originator)
> > > > >
> > > > > permit icmp any any time-exceeded log-input
> > > > > permit icmp any any port-unreachable log-input
> > > > >
> > > > > How about on the incoming side? Is there a way to log?
> > > > >
> > > > > Regards
> > > > > Pandi
> > > > >
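The thread above settles on a distinction worth seeing in packet bytes: the IOS `permit icmp any any traceroute` keyword matches ICMP type 30 (RFC 1393), `deny ip any any option traceroute` matches IP option 82 (also RFC 1393), and neither matches the probes that real traceroute tools send (ICMP echo, UDP to 33434 and up, or a TCP SYN) or the Time Exceeded and Port Unreachable replies that Pandi's `log-input` entries would catch. The following Python script is an added example, not code from any poster or from Cisco; it builds one constructed packet per case (addresses borrowed from the trace in the thread) and classifies each the way an ACL would see it. The labels, the `PROBE_TTL_MAX` TTL heuristic and the `UDP_LAST_PORT` range (30 hops x 3 probes) are assumptions made for the demonstration.

```python
"""Classify raw IPv4 packets as traceroute-related traffic.

Added example; not code from any poster in the thread above. Packet bytes are
constructed inline and nothing is sent on a network. The labels returned and
the TTL / UDP port-range heuristics are assumptions for the demonstration.
"""
import struct

ICMP_TRACEROUTE_TYPE = 30   # RFC 1393 ICMP Traceroute message
IP_OPTION_TRACEROUTE = 82   # RFC 1393 IP Traceroute option (class 2, number 18)
UDP_BASE_PORT = 33434       # default base port quoted from the traceroute man page
UDP_LAST_PORT = UDP_BASE_PORT + 30 * 3 - 1   # assumption: 30 hops x 3 probes
PROBE_TTL_MAX = 30          # assumption: a probe still inside the 30-hop default budget


def checksum(data):
    """RFC 1071 ones'-complement checksum shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto, ttl, payload, src="198.132.102.93", dst="198.133.219.25", options=b""):
    """IPv4 header (plus any IP options, padded to 32 bits) with checksum filled in."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, ttl, proto, 0, _ip(src), _ip(dst)) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_icmp(itype, code, body=b""):
    msg = struct.pack("!BBH", itype, code, 0) + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # checksum 0 = none


def build_tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(pkt):
    """Return (ttl, protocol, set of IP option type codes, layer-4 bytes)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    opts, i, option_types = pkt[20:ihl], 0, set()
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                # End of Option List
            break
        if otype == 1:                # No Operation is a single byte
            i += 1
            continue
        option_types.add(otype)
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                     # truncated or malformed option
        i += opts[i + 1]
    return pkt[8], pkt[9], option_types, pkt[ihl:]


def classify(pkt):
    """Return (label, ios_acl_keyword); keyword is None when none of the icmp
    or option keywords discussed in the thread would match the packet."""
    ttl, proto, options, l4 = parse_ipv4(pkt)
    if IP_OPTION_TRACEROUTE in options:      # matched on the IP header, any L4
        return "ip-option-82-traceroute", "option traceroute"
    if proto == 1 and len(l4) >= 4:
        itype, icode = l4[0], l4[1]
        if itype == ICMP_TRACEROUTE_TYPE:
            return "icmp-type-30-traceroute", "traceroute"
        if itype == 11:                      # a transit router revealing itself
            return "hop-reply-time-exceeded", "time-exceeded"
        if itype == 3 and icode == 3:        # destination answering a UDP probe
            return "dest-reply-port-unreachable", "port-unreachable"
        if itype == 0:                       # destination answering an ICMP probe
            return "dest-reply-echo-reply", "echo-reply"
        if itype == 8:
            return ("icmp-echo-probe" if ttl <= PROBE_TTL_MAX else "icmp-echo"), "echo"
        return "icmp-other", None
    if proto == 17 and len(l4) >= 8:
        dport = struct.unpack("!H", l4[2:4])[0]
        if UDP_BASE_PORT <= dport <= UDP_LAST_PORT and ttl <= PROBE_TTL_MAX:
            return "udp-probe", None         # needs a udp port-range entry, not an icmp keyword
        return "udp-other", None
    if proto == 6 and len(l4) >= 20:
        if (l4[13] & 0x3F) == 0x02 and ttl <= PROBE_TTL_MAX:   # bare SYN, as tcptraceroute sends
            return "tcp-syn-probe", None
        return "tcp-other", None
    return "other", None


def ip_header_ok(pkt):
    """True when the stored IPv4 header checksum verifies."""
    return checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def sample_packets():
    """Constructed packets, one per case in the thread (addresses from its trace)."""
    me, hop, www = "198.132.102.93", "198.132.102.1", "198.133.219.25"
    udp_probe = build_ipv4(17, 1, build_udp(41440, UDP_BASE_PORT))
    quoted = b"\x00" * 4 + udp_probe[:28]    # ICMP error body: unused word + IP header + 8 bytes
    echo = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1))
    opt82 = bytes([IP_OPTION_TRACEROUTE, 12]) + struct.pack("!HHH4s", 1, 0, 0xFFFF, _ip(me))
    icmp30 = build_icmp(30, 0, struct.pack("!HHHHII", 1, 0, 3, 0xFFFF, 0, 1500))
    return {
        "icmp_echo_probe": build_ipv4(1, 1, echo),
        "udp_probe": udp_probe,
        "tcp_syn_probe": build_ipv4(6, 1, build_tcp_syn(41440, 80)),
        "time_exceeded": build_ipv4(1, 255, build_icmp(11, 0, quoted), src=hop, dst=me),
        "port_unreachable": build_ipv4(1, 64, build_icmp(3, 3, quoted), src=www, dst=me),
        "echo_reply": build_ipv4(1, 64, build_icmp(0, 0, echo[4:]), src=www, dst=me),
        "icmp_type_30": build_ipv4(1, 255, icmp30, src=hop, dst=me),
        "ip_option_82": build_ipv4(1, 64, echo, options=opt82),
    }


def classify_samples():
    return {name: classify(pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, (label, keyword) in classify_samples().items():
        print("%-17s -> %-28s ACL keyword: %s" % (name, label, keyword))
```

Running it prints one line per constructed packet. The three probes come back with no ICMP keyword at all, which is Brian's point that "filter traceroute" first requires knowing which tool is in use, while Pandi's `time-exceeded` and `port-unreachable` entries only ever see the return traffic. Only the ICMP type 30 packet is what the `traceroute` keyword matches, and only the packet carrying IP option 82 is what `option traceroute` matches; a real capture of either is rare, since no common traceroute tool emits them.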
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:32 ARST