From: Scott M Vermillion (scott_ccie_list@it-ag.com)
Date: Fri Oct 17 2008 - 17:44:51 ART
A couple of things that might be a good idea to familiarize yourself with:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml
(this explains *Cisco's* implementation of traceroute, which is not
necessarily the exact implementation you will find in, say, Windows)
Once you understand that, it helps to know all of the ICMP types and codes:
http://www.iana.org/assignments/icmp-parameters
Finally, go to the CLI and look at your options when you do 'deny icmp any
any ?' in an extended ACL
Exactly how you might go about constructing your ACL will depend on what
you're trying to block and in what direction. In other words, is it
sufficient to block "icmp port unreachable" and/or "icmp time exceeded" in
the return path but allow "icmp echo reply?" There's a difference between
_breaking_ traceroute and outright disallowing it from leaving a network
(the latter requiring you to look at both flavors of traceroute and evaluate
whether or not you might wind up breaking something in addition). So on and
so on...
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie820@gmail.com
Sent: Friday, October 17, 2008 1:55 PM
To: ccielab@groupstudy.com
Subject: Access list question
All,
Is there way to block traceroutes and allow pings ?
Your help will be very much appreciated.
GG
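To make the "break it in the return path vs. stop it from leaving" distinction concrete, here is an added example that is not part of the thread or of any Cisco material. It models a small subset of IOS extended-ACL syntax in Python and evaluates constructed packets against two ACLs: one applied inbound on the outside interface that permits echo-reply but denies the time-exceeded and port-unreachable messages traceroute relies on, and one applied outbound that denies the UDP probe ports a Cisco/Unix-style traceroute sends to. The ACL entries, the packet descriptors and the matching logic (exact type/code match, first match wins, implicit deny at the end) are assumptions of this model, not a router.

```python
# Added example (not from the GroupStudy thread): a toy model of IOS-style
# extended ACLs used to check what a "block traceroute, allow ping" policy
# does to each ICMP message. Entries and packets are constructed for illustration.

from dataclasses import dataclass
from typing import Optional, Tuple, List

# ICMP type/code pairs as listed in the IANA ICMP parameters registry.
# Note: this model matches an exact (type, code); a real IOS keyword such as
# "time-exceeded" matches every code of that type.
ICMP_NAMES = {
    "echo-reply": (0, 0),
    "echo": (8, 0),
    "time-exceeded": (11, 0),       # TTL expired in transit: every traceroute hop
    "port-unreachable": (3, 3),     # final hop reply to a UDP-probe traceroute
}

@dataclass
class Packet:
    proto: str                          # "icmp" or "udp"
    icmp: Optional[Tuple[int, int]] = None   # (type, code) for ICMP
    dport: Optional[int] = None         # destination port for UDP

@dataclass
class Entry:
    action: str                         # "permit" or "deny"
    proto: str                          # "icmp", "udp" or "ip"
    icmp_name: Optional[str] = None     # ICMP qualifier keyword, if any
    port_range: Optional[Tuple[int, int]] = None  # "range lo hi" for UDP

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse '<permit|deny> <proto> any any [icmp-keyword | range lo hi]' lines."""
    entries = []
    for line in lines:
        toks = line.split()
        action, proto = toks[0], toks[1]
        icmp_name = port_range = None
        if proto == "icmp" and len(toks) > 4:
            icmp_name = toks[4]
        elif proto == "udp" and len(toks) > 4 and toks[4] == "range":
            port_range = (int(toks[5]), int(toks[6]))
        entries.append(Entry(action, proto, icmp_name, port_range))
    return entries

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.icmp_name and ICMP_NAMES[e.icmp_name] != pkt.icmp:
            continue
        if e.port_range and not (e.port_range[0] <= pkt.dport <= e.port_range[1]):
            continue
        return e.action
    return "deny"

# Applied inbound on the outside interface: lets ping replies back in, drops
# the two messages every traceroute (UDP-probe or ICMP-echo style) needs to
# print hops. Matching only code 3 of type 3 (not all "unreachable") leaves
# fragmentation-needed (3/4) alone, so path-MTU discovery keeps working.
RETURN_PATH_ACL = parse_acl([
    "permit icmp any any echo-reply",
    "deny icmp any any time-exceeded",
    "deny icmp any any port-unreachable",
    "permit ip any any",
])

# Applied outbound: stops the UDP probes a Cisco/Unix-style traceroute sends
# (high ports starting at 33434) from leaving at all. A Windows tracert sends
# ICMP echo requests instead, so it is unaffected by this ACL on its own.
OUTBOUND_ACL = parse_acl([
    "deny udp any any range 33434 33534",
    "permit ip any any",
])

def policy_results() -> dict:
    """Evaluate representative constructed packets against both ACLs."""
    return {
        "echo-reply in":        evaluate(RETURN_PATH_ACL, Packet("icmp", icmp=(0, 0))),
        "time-exceeded in":     evaluate(RETURN_PATH_ACL, Packet("icmp", icmp=(11, 0))),
        "port-unreachable in":  evaluate(RETURN_PATH_ACL, Packet("icmp", icmp=(3, 3))),
        "frag-needed in":       evaluate(RETURN_PATH_ACL, Packet("icmp", icmp=(3, 4))),
        "udp probe out":        evaluate(OUTBOUND_ACL, Packet("udp", dport=33434)),
        "dns out":              evaluate(OUTBOUND_ACL, Packet("udp", dport=53)),
        "echo request out":     evaluate(OUTBOUND_ACL, Packet("icmp", icmp=(8, 0))),
    }

if __name__ == "__main__":
    for name, verdict in policy_results().items():
        print(f"{name:22s} -> {verdict}")
```

The two ACLs answer the two different questions in the thread: the return-path ACL lets ping work while traceroute shows only timeouts, whereas the outbound ACL keeps UDP-probe traceroutes from leaving but has to be evaluated against anything else that legitimately uses those ports, and does nothing about an echo-based tracert unless the return-path filter is in place as well.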
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:21 ARST