From: Scott M Vermillion (scott_ccie_list@it-ag.com)
Date: Mon Nov 24 2008 - 14:25:45 ARST
Hey Gaurav,
I believe that the 'traceroute' keyword has to do with ICMP Type Code 30
(http://www.iana.org/assignments/icmp-parameters). This never got any
traction and thus is pretty much a historical footnote in IOS.
(http://www.faqs.org/rfcs/rfc1393.html)
Just to prove this to yourself, do the following:
R1(config-ext-nacl)#deny icmp any any 30
R1(config-ext-nacl)#do sh ip access
Extended IP access list test
10 deny icmp any any traceroute
Regards,
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
GAURAV MADAN
Sent: Monday, November 24, 2008 6:58 AM
To: ccie forum
Subject: Traceroute Block
HI Group
Can someone please confirm if following do the same purpose or are diff :
R1(config-if)#do sh ip access-li
Extended IP access list TEST
10 deny icmp any any traceroute
20 permit ip any any
Extended IP access list TEST1
10 deny udp any any range 33400 34400 log
20 permit ip any any
I found 2nd one working for me ..
I actually configured 1st ACL thinking it will work . but it didnt ..
finally googled it to find UDP ports ..
Can someone plzz lemme know where am i missing and how to test this one
Gaurav Madan
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST