From: N P (np643237@gmail.com)
Date: Thu Jan 10 2008 - 06:35:58 ARST
Let us say you are SP A. You peer with a few customers, B and C. Your SP A has
more than two peerings; let us say 2 for the time being, X and Y.
In your traffic engineering policy you permit only your customers B and C to
your peer X for some reason (not to Y). When the traffic to some destination
comes into your SP from your customers B or C, due to best path selection
let us say that goes to your provider Y. So when you trace the packet, it
goes out using your peer Y, but when it comes back there is no best path
through your peer Y, as you did not advertise your customers through them.
But you have a path to your customer through your peer X, since it is
advertised to them.
In effect, traffic goes out through your peer Y but comes back through X.
This is just a scenario I have seen and experienced. Maybe there is more
to it.
Regards,
N P
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kim
Onnel
Sent: Wednesday, January 09, 2008 11:08 PM
To: Darby Weaver
Cc: Brian Dennis; Farrukh Haroon; Cisco certification
Subject: Re: Need your help on traceroute
Hi,
A little off topic.
Is it true that traceroute (in large networks) shows the return path but not
necessarily the outbound, since it might not be the same?
If true, what is the reason behind that?
What I am looking for is the scenarios when traceroute doesn't become
accurate while troubleshooting, especially in SP networks.
Thanks,
Kim
On Dec 29, 2007 1:01 PM, Darby Weaver <darbyweaver@yahoo.com> wrote:
> Another interesting tidbit.
>
> How would one think this may come across in a graded
> practice lab exam scenario?
>
> I've seen wording to the effect of a given task where
> one is asked to perform a traceroute when the given
> task is complete.
>
>
>
>
> --- Brian Dennis <bdennis@internetworkexpert.com>
> wrote:
>
> > We're referring to ICMP type 30 (traceroute) and not the IP traceroute
> > option. ICMP type filtering has been in the IOS for over 12 years (around
> > IOS version 10.3).
> >
> > Also if you read the RFC you'll get a better understanding of the ICMP
> > traceroute type vs the IP traceroute option.
> >
> > Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
> > bdennis@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Direct: 775-745-6404 (Outside the US and Canada)
> >
> >
> > >----- Original Message -----
> > Subject: Re: Need your help on traceroute
> > Date: Fri, December 28, 2007 22:39
> > From: "Farrukh Haroon" <farrukhharoon@gmail.com>
> >
> > > I think the RFC 1393 traceroute implementation can be matched on the IOS
> > > using the following command:
> > >
> > > "deny ip any any option traceroute"
> > >
> > > As described here:
> > >
> > > http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716ebc.html
> > >
> > > http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d4a7d.html
> > >
> > > Btw I have no idea what the 'traceroute' keyword does in the regular ICMP
> > > protocol access-lists. But honestly I don't think the 'permit icmp any any
> > > traceroute' command matches on the RFC 1393 thing simply because
> > > access-lists did not support matching on IP Options back then :)
> > >
> > > Regards
> > >
> > > Farrukh
> > >
> > >
> > >
> > > On Dec 29, 2007 8:11 AM, Brian Dennis <bdennis@internetworkexpert.com>
> > > wrote:
> > >
> > > > I tested out your theory for the record-route option and it didn't appear
> > > > to hold up :-( Did you consider the ICMP type of traceroute as defined in
> > > > RFC 1393?
> > > >
> > > > Brian Dennis, CCIE4 #2210
> > (R&S/ISP-Dial/Security/SP)
> > > > bdennis@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > <http://www.internetworkexpert.com/>
> > > > Toll Free: 877-224-8987
> > > > Direct: 775-745-6404 (Outside the US and Canada)
> > > >
> > > >
> > > > >----- Original Message -----
> > > > Subject: RE: Need your help on traceroute
> > > > Date: Fri, December 28, 2007 20:36
> > > > From: "Scott Morris" <swm@emanon.com>
> > > >
> > > > > While I agree on the idea that there are multiple ways of doing
> > > > > traceroutes, I think the original question was about an ACL with ICMP
> > > > > and the "traceroute" option.
> > > > >
> > > > > R1(config)#access-list 101 permit icmp any any ?
> > > > >   <0-255>                      ICMP message type
> > > > >   administratively-prohibited  Administratively prohibited
> > > > >   alternate-address            Alternate address
> > > > >   conversion-error             Datagram conversion
> > > > >   dod-host-prohibited          Host prohibited
> > > > >   dod-net-prohibited           Net prohibited
> > > > >   dscp                         Match packets with given dscp value
> > > > >   echo                         Echo (ping)
> > > > >   echo-reply                   Echo reply
> > > > >   fragments                    Check non-initial fragments
> > > > >   general-parameter-problem    Parameter problem
> > > > >   host-isolated                Host isolated
> > > > >   host-precedence-unreachable  Host unreachable for precedence
> > > > >   host-redirect                Host redirect
> > > > >   host-tos-redirect            Host redirect for TOS
> > > > >   host-tos-unreachable         Host unreachable for TOS
> > > > >   host-unknown                 Host unknown
> > > > >   host-unreachable             Host unreachable
> > > > >   information-reply            Information replies
> > > > >   information-request          Information requests
> > > > >   log                          Log matches against this entry
> > > > >   log-input                    Log matches against this entry, including input interface
> > > > >   mask-reply                   Mask replies
> > > > >   mask-request                 Mask requests
> > > > >   mobile-redirect              Mobile host redirect
> > > > >   net-redirect                 Network redirect
> > > > >   net-tos-redirect             Net redirect for TOS
> > > > >   net-tos-unreachable          Network unreachable for TOS
> > > > >   net-unreachable              Net unreachable
> > > > >   network-unknown              Network unknown
> > > > >   no-room-for-option           Parameter required but no room
> > > > >   option-missing               Parameter required but not present
> > > > >   packet-too-big               Fragmentation needed and DF set
> > > > >   parameter-problem            All parameter problems
> > > > >   port-unreachable             Port unreachable
> > > > >   precedence                   Match packets with given precedence value
> > > > >   precedence-unreachable       Precedence cutoff
> > > > >   protocol-unreachable         Protocol unreachable
> > > > >   reassembly-timeout           Reassembly timeout
> > > > >   redirect                     All redirects
> > > > >   router-advertisement         Router discovery advertisements
> > > > >   router-solicitation          Router discovery solicitations
> > > > >   source-quench                Source quenches
> > > > >   source-route-failed          Source route failed
> > > > >   time-exceeded                All time exceededs
> > > > >   time-range                   Specify a time-range
> > > > >   timestamp-reply              Timestamp replies
> > > > >   timestamp-request            Timestamp requests
> > > > >   tos                          Match packets with given TOS value
> > > > >   traceroute                   Traceroute
> > > > >   ttl-exceeded                 TTL exceeded
> > > > >   unreachable                  All unreachables
> > > > >   <cr>
> > > > >
> > > > > R1(config)#
> > > > >
> > > > > There are lots of things listed, and most have to do with the specific
> > > > > types/codes laid out in RFC792. However, I believe (and no, I haven't
> > > > > tested this) that the traceroute option here is specifically looking for
> > > > > option 7 of the header (RFC791) allowing the record route feature of ICMP.
> > > > >
> > > > > Just my thoughts, but since everything else really is specific to ICMP here,
> > > > > it would seem strange to either not filter based on that or simply ignore
> > > > > it.
> > > > >
> > > > > HTH,
> > > > >
> > > > >
> > > > > Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> > > > > JNCIE-M #153, JNCIS-ER, CISSP, et al.
> > > > > CCSI/JNCI-M/JNCI-ER
> > > > > VP - Technical Training - IPexpert, Inc.
> > > > > IPexpert Sr. Technical Instructor
> > > > >
> > > > > A Cisco Learning Partner - We Accept Learning Credits!
> > > > >
> > > > > smorris@ipexpert.com
> > > > >
> > > > >
> > > > >
> > > > > Telephone: +1.810.326.1444
> > > > > Fax: +1.810.454.0130
> > > > > http://www.ipexpert.com
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > Brian Dennis
> > > > > Sent: Friday, December 28, 2007 10:16 PM
> > > > > To: PANDI MOORTHY; Cisco certification
> > > > > Subject: Re: Need your help on traceroute
> > > > >
> > > > > Here is a reply that I've made on this list in the past in regards to
> > > > > traceroute:
> > > > >
> > > > > Note that traceroute is a technique to have the routers between the source
> > > > > and destination reveal themselves and finally have the destination reveal
> > > > > itself by replying to a "packet". Traceroute can be implemented using ICMP,
> > > > > UDP, and even TCP so as a CCIE when someone asks you to filter "traceroute"
> > > > > you should get a little background as to the traceroute application/OS's
> > > > > being used to trigger the reply from the destination.
> > > > > Example: Windows uses ICMP echoes by default, most Linux OS's use UDP by
> > > > > default but can use ICMP echoes (-I option), and the IOS uses UDP. There
> > > > > are also implementations that use TCP.
> > > > >
> > > > > The goal of traceroute is to have the routers between the source and
> > > > > destination reveal themselves and finally have the destination reply so that
> > > > > you know you have reached it. The routers reveal themselves by sending Time
> > > > > Exceeded (aka TTL-Exceeded) ICMP packets back to the source when the TTL is
> > > > > decremented to zero. The traceroute implementation can determine it's
> > > > > reached the destination by having it reply to an ICMP echo request, send an
> > > > > ICMP port unreachable to a packet sent to an unused UDP port, or completing
> > > > > the TCP three-way handshake.
> > > > >
> > > > >
> > > > >
> >
> ************************************************************************
> > > > >
> > > > > ICMP based traceroute:
> > > > >
> > > > > In this example we are sending ICMP echo
> > requests to www.cisco.com and
> > > > > looking for the ICMP echo reply to know that
> > we have reached the final
> > > > > destination.
> > > > >
> > > > > [root@xxxxxx root]# traceroute -I
> > www.cisco.com traceroute to
> > > > www.cisco.com
> > > > > (198.133.219.25), 30 hops max, 38 byte packets
> > > > > 1 198.132.102.1 (198.132.102.1) 1.658 ms
> > 1.975 ms 1.968 ms
> > > > > 2 foo.hostrack.net (202.101.143.254) 5.394
> > ms 22.382 ms 2.966 ms
> > > > > 3 ser4-0.core01.las.switchcommgroup.com
> > (66.209.64.41) 20.132 ms
> > > > > 20.494 ms 20.195 ms
> > > > > 4
> > pos1-0.core02.las.oc48a.switchcommgroup.com
> > (66.209.64.218)
> > 19.749ms
> > > > > 25.827 ms 26.814 ms
> > > > > 5
> >
> 500.POS4-0.GW1.VEG2.alter.net<http://500.pos4-0.gw1.veg2.alter.net/>(
> > > > 157.130.238.193) 29.108 ms 19.864 ms
> > > > > 20.066 ms
> > > > > 6
> >
> 129.at-0-0-0.CL1.PHX2.ALTER.NET<http://129.at-0-0-0.cl1.phx2.alter.net/>(
> > > > 152.63.115.26) 26.338 ms 26.232 ms
> > > > > 26.821 ms
> > > > > 7
> >
> 0.so-4-0-0.XL1.SJC2.ALTER.NET<http://0.so-4-0-0.xl1.sjc2.alter.net/>(
> > > > 152.63.55.101) 46.424 ms 45.996 ms
> > > > > 45.675 ms
> > > > > 8 POS1-0.XR1.SJC2.ALTER.NET
> > <http://pos1-0.xr1.sjc2.alter.net/> (
> > > > 152.63.56.138) 48.653 ms 46.513 ms
> > > > > 46.803 ms
> > > > > 9
> >
> 193.ATM7-0.GW5.SJC2.ALTER.NET<http://193.atm7-0.gw5.sjc2.alter.net/>(
> > > > 152.63.48.77) 46.693 ms 46.619 ms
> > > > > 46.446 ms
> > > > > 10 ciscosys-gw1.customer.alter.net
> > (65.208.80.242) 46.556 ms
> > 46.954ms
> > > > > 46.944 ms
> > > > > 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89)
> > 30.818 ms 31.769 ms
> > > > > 32.685 ms
> > > > > 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69)
> > 30.589 ms 30.626 ms
> > > > > 30.448 ms
> > > > > 13 * * *
> > > > > 14 www.cisco.com (198.133.219.25) 28.916 ms
> > 28.994 ms 28.944 ms
> > > > >
> >
> ************************************************************************
> > > > >
> > > > > UDP based traceroute:
> > > > > In this example we are sending UDP packets
> > with a starting port number
> > > > of
> > > > > 33434 to www.cisco.com. Note that we don't
> > ever get a reply from
> > > > > www.cisco.com because their firewall will not
> > allow our UDP packets in.
> > > > >
> > > > > [root@xxxxxx root]# man traceroute | grep "UDP
> > port number"
> > > > > -p Set the base UDP port number
> > used in probes (default is
> > > > > 33434).
> > > > > [root@xxxxxx root]#
> > > > > [root@xxxxxx root]# traceroute www.cisco.com
> > traceroute to
> > www.cisco.com
> > > > > (198.133.219.25), 30 hops max, 38 byte packets
> > > > > 1 198.132.102.1 (198.132.102.1) 1.725 ms
> > 1.866 ms 1.841 ms
> > > > > 2 foo.hostrack.net (202.101.143.254) 4.887
> > ms 4.281 ms 4.482 ms
> > > > > 3 ser4-0.core01.las.switchcommgroup.com
> > (66.209.64.41) 21.266 ms
> > > > > 21.152 ms 20.826 ms
> > > > > 4
> > pos1-0.core02.las.oc48a.switchcommgroup.com
> > (66.209.64.218)
> > 58.829ms
> > > > > 42.033 ms 24.007 ms
> > > > > 5
> >
> 500.POS4-0.GW1.VEG2.alter.net<http://500.pos4-0.gw1.veg2.alter.net/>(
> > > > 157.130.238.193) 21.448 ms 23.277 ms
> > > > > 21.446 ms
> > > > > 6
> >
> 129.at-0-0-0.CL1.PHX2.ALTER.NET<http://129.at-0-0-0.cl1.phx2.alter.net/>(
> > > > 152.63.115.26) 27.816 ms 27.259 ms
> > > > > 27.210 ms
> > > > > 7
> >
> 0.so-4-0-0.XL1.SJC2.ALTER.NET<http://0.so-4-0-0.xl1.sjc2.alter.net/>(
> > > > 152.63.55.101) 47.540 ms 46.954 ms
> > > > > 47.198 ms
> > > > > 8 POS1-0.XR1.SJC2.ALTER.NET
> > <http://pos1-0.xr1.sjc2.alter.net/> (
> > > > 152.63.56.138) 48.072 ms 47.247 ms
> > > > > 46.667 ms
> > > > > 9
> >
> 193.ATM7-0.GW5.SJC2.ALTER.NET<http://193.atm7-0.gw5.sjc2.alter.net/>(
> > > > 152.63.48.77) 51.728 ms 51.437 ms
> > > > > 48.304 ms
> > > > > 10 ciscosys-gw1.customer.alter.net
> > (65.208.80.242) 48.563 ms
> > 48.878ms
> > > > > 47.807 ms
> > > > > 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89)
> > 31.562 ms 32.653 ms
> > > > > 31.318 ms
> > > > > 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69)
> > 32.327 ms 31.831 ms
> > > > > 31.516 ms
> > > > > 13 * * *
> > > > > 14 * * *
> > > > >
> > > > >
> >
> ************************************************************************
> > > > > TCP based traceroute:
> > > > >
> > > > > In this example we are sending TCP SYN packets
> > to port 80 looking for
> > > > the
> > > > > destination to complete the
> > three-way-handshake. Once the handshake is
> > > > > complete we know that we have reached the
> > destination. Obviously
> > > > Cisco's
> > > > > firewall is going to allow packets to TCP port
> > 80 destined for it's web
> > > > > server.
> > > > >
> > > > > [root@xxxxxx root]# tcptraceroute
> > www.cisco.com
> > > > > tcptraceroute: Symbol `pcap_version' has
> > different size in shared
> > > > object,
> > > > > consider re-linking Selected device eth3,
> > address 198.132.102.93, port
> > > > 41440
> > > > > for outgoing packets Tracing the path to
> > www.cisco.com (198.133.219.25)
> > > > on
> > > > > TCP port 80, 30 hops max
> > > > > 1 198.132.102.1 (198.132.102.1) 1.575 ms
> > 1.507 ms 1.469 ms
> > > > > 2 foo.hostrack.net (202.101.143.254) 4.840
> > ms 5.090 ms 4.596 ms
> > > > > 3 ser4-0.core01.las.switchcommgroup.com
> > (66.209.64.41) 21.205 ms
> > > > > 20.895 ms 21.430 ms
> > > > > 4
> > pos1-0.core02.las.oc48a.switchcommgroup.com
> > (66.209.64.218)
> > 21.682ms
> > > > > 21.012 ms 21.059 ms
> > > > > 5
> >
> 500.POS4-0.GW1.VEG2.alter.net<http://500.pos4-0.gw1.veg2.alter.net/>(
> > > > 157.130.238.193) 21.185 ms 21.304 ms
> > > > > 20.939 ms
> > > > > 6
> >
> 129.at-0-0-0.CL1.PHX2.ALTER.NET<http://129.at-0-0-0.cl1.phx2.alter.net/>(
> > > > 152.63.115.26) 27.176 ms 28.615 ms
> > > > > 27.644 ms
> > > > > 7
> >
> 0.so-4-0-0.XL1.SJC2.ALTER.NET<http://0.so-4-0-0.xl1.sjc2.alter.net/>(
> > > > 152.63.55.101) 47.659 ms 48.220 ms
> > > > > 47.667 ms
> > > > > 8 POS1-0.XR1.SJC2.ALTER.NET
> > <http://pos1-0.xr1.sjc2.alter.net/> (
> > > > 152.63.56.138) 47.534 ms 48.483 ms
> > > > > 47.183 ms
> > > > > 9
> >
> 193.ATM7-0.GW5.SJC2.ALTER.NET<http://193.atm7-0.gw5.sjc2.alter.net/>(
> > > > 152.63.48.77) 64.413 ms 51.058 ms
> > > > > 49.007 ms
> > > > > 10 ciscosys-gw1.customer.alter.net
> > (65.208.80.242) 48.156 ms
> > 49.197ms
> > > > > 47.534 ms
> > > > > 11 sjce-dmzbb-gw1.cisco.com (128.107.239.89)
> > 31.685 ms 32.633
> > > > ms32.895 ms
> > > > > 12 sjck-dmzdc-gw1.cisco.com (128.107.224.69)
> > 32.291 ms 33.900
> > > > ms35.461 ms
> > > > > 13 www.cisco.com (198.133.219.25) [open]
> > 31.041 ms 31.667 ms
> > 32.775ms
> > > > > [root@xxxxxx root]#
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian Dennis, CCIE4 #2210
> > (R&S/ISP-Dial/Security/SP)
> > > > > bdennis@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > <http://www.internetworkexpert.com/>
> > > > > Toll Free: 877-224-8987
> > > > > Direct: 775-745-6404 (Outside the US and
> > Canada)
> > > > >
> > > > >
> > > > > >----- Original Message -----
> > > > > Subject: Need your help on traceroute
> > > > > Date: Fri, December 28, 2007 17:41
> > > > > From: "PANDI MOORTHY" <moorthypandi@gmail.com>
> > > > >
> > > > > > Hi
> > > > > >
> > > > > > Is there Cisco documentation to explain the real usage of this command
> > > > > > "permit icmp any any traceroute"?
> > > > > >
> > > > > > I am trying to capture the source which originates the traceroute
> > > > > > packet.
> > > > > >
> > > > > > I understand we can use the below ACL to capture the traceroute return
> > > > > > traffic (to the originator):
> > > > > >
> > > > > > permit icmp any any time-exceeded log-input
> > > > > >
> > > > > > permit icmp any any port-unreachable log-input
> > > > > >
> > > > > > How about on the incoming side? Is there a way to log
> > > > > >
> > > > > > Regards
> > > > > > Pandi
> > > > > >
> > > > > >
> > > > > > _______________________________________________________________________
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:58 ARST
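
The thread turns on telling apart four things that all get called "traceroute": the RFC 1393 ICMP message (type 30), the RFC 1393 IP traceroute option, the RFC 791 record-route option (option 7), and the ordinary probes and replies described above. The following is an added example, not code from any poster on the list; it labels a raw IPv4 packet accordingly and flags whether its TTL expires at the observing hop, which is what separates a traceroute probe from normal echo, UDP or SYN traffic on the incoming side. The function names, the sample addresses and the 90-port UDP window (30 hops x 3 probes above base port 33434) are assumptions.

```python
import struct

OPT_RECORD_ROUTE, OPT_TRACEROUTE = 7, 82  # RFC 791 record route; RFC 1393 IP option
ICMP_TRACEROUTE = 30                      # RFC 1393 ICMP message type
UDP_BASE, UDP_SPAN = 33434, 30 * 3        # base port from the thread; span is an assumption

def ip_option_types(options):
    """Return the option-type bytes present in an IPv4 options area."""
    found, i = [], 0
    while i < len(options) and options[i] != 0:      # 0 = End of Option List
        if options[i] == 1:                          # 1 = No-Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                    # malformed length: stop parsing
        found.append(options[i])
        i += options[i + 1]
    return found

def classify(pkt):
    """Return (label, expires_here) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("not-ipv4", False)
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ("malformed", False)
    ttl, proto, l4 = pkt[8], pkt[9], pkt[ihl:]
    expires = ttl <= 1        # a router forwarding this must answer with time-exceeded
    opts = ip_option_types(pkt[20:ihl])
    if OPT_TRACEROUTE in opts:
        return ("ip-option-traceroute", expires)
    if OPT_RECORD_ROUTE in opts:
        return ("ip-option-record-route", expires)
    if proto == 1 and len(l4) >= 2:                  # ICMP: type, code
        icmp = {ICMP_TRACEROUTE: "icmp-type-30-traceroute",
                11: "reply-time-exceeded", 8: "icmp-echo"}
        if (l4[0], l4[1]) == (3, 3):
            return ("reply-port-unreachable", expires)
        if l4[0] in icmp:
            return (icmp[l4[0]], expires)
    if proto == 17 and len(l4) >= 4:                 # UDP: destination port
        dport = struct.unpack("!H", l4[2:4])[0]
        if UDP_BASE <= dport < UDP_BASE + UDP_SPAN:
            return ("udp-traceroute-port", expires)
    if proto == 6 and len(l4) >= 14 and l4[13] & 0x3F == 0x02:   # TCP, SYN only
        return ("tcp-syn", expires)
    return ("other", expires)

def build(ttl, proto, l4, options=b""):
    """Construct a sample IPv4 packet (documentation addresses, checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4), 0, 0,
                      ttl, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + l4

if __name__ == "__main__":
    echo = bytes([8, 0, 0, 0, 0, 1, 0, 1])           # constructed ICMP echo request
    print(classify(build(1, 1, echo)))               # echo probe expiring at this hop
    print(classify(build(64, 1, echo, bytes([82, 12]) + bytes(10))))  # RFC 1393 option
```

An `icmp-echo`, `udp-traceroute-port` or `tcp-syn` label only indicates a traceroute probe when `expires_here` is true; the same packet with a normal TTL is ordinary traffic.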