From: Pavel Bykov (slidersv@gmail.com)
Date: Mon Nov 24 2008 - 19:02:07 ARST
Hi Gaurav.
Traceroute sends packets with a small TTL, and they expire in transit.
So you need to block the ICMP "TTL-EXPIRED IN TRANSIT" type message.
Blocking the port also sends a message back (Administratively
prohibited)/Unreachable. But it's not registered by the traceroute tool per se
(you'd need either a smarter traceroute or a debug/sniffer).
On Mon, Nov 24, 2008 at 2:57 PM, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:
> HI Group
>
> Can someone please confirm whether the following serve the same purpose or are different:
>
> R1(config-if)#do sh ip access-li
> Extended IP access list TEST
> 10 deny icmp any any traceroute
> 20 permit ip any any
>
> Extended IP access list TEST1
> 10 deny udp any any range 33400 34400 log
> 20 permit ip any any
>
> I found the 2nd one working for me.
> I actually configured the 1st ACL thinking it would work, but it didn't.
> Finally googled it to find the UDP ports.
> Can someone please let me know what I am missing and how to test this one?
>
> Gaurav Madan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of your certifications.
Sign the petition at http://www.stopbraindumps.com/
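
Added example, not part of the original thread: a small Python model of first-match ACL evaluation showing why the two ACLs in the question behave differently. It assumes the IOS ICMP keyword `traceroute` matches ICMP type 30 only and that the traceroute probes are UDP datagrams to ports starting at 33434; the `Packet` tuples and helper names are constructed for illustration.

```python
# Added example: first-match evaluation of the two ACLs from the question.
# Assumption: the IOS ICMP keyword "traceroute" matches ICMP type 30 only.
from collections import namedtuple

# proto is "udp" or "icmp"; dport applies to UDP, itype/icode to ICMP.
Packet = namedtuple("Packet", "proto dport itype icode", defaults=(None, None, None))

def rule(action, proto, dports=None, itype=None):
    return {"action": action, "proto": proto, "dports": dports, "itype": itype}

ACLS = {
    # 10 deny icmp any any traceroute / 20 permit ip any any
    "TEST": [rule("deny", "icmp", itype=30), rule("permit", "ip")],
    # 10 deny udp any any range 33400 34400 / 20 permit ip any any
    "TEST1": [rule("deny", "udp", dports=range(33400, 34401)), rule("permit", "ip")],
}

def matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if r["dports"] is not None and p.dport not in r["dports"]:
        return False
    if r["itype"] is not None and p.itype != r["itype"]:
        return False
    return True

def evaluate(acl_name, p):
    for r in ACLS[acl_name]:
        if matches(r, p):
            return r["action"]
    return "deny"  # implicit deny at the end of every ACL

# Constructed sample packets: the probe and the replies named in the thread.
SAMPLES = {
    "udp probe": Packet("udp", dport=33434),
    "ttl-exceeded reply": Packet("icmp", itype=11, icode=0),
    "port-unreachable reply": Packet("icmp", itype=3, icode=3),
    "icmp type 30": Packet("icmp", itype=30, icode=0),
}

def verdicts():
    return {(acl, name): evaluate(acl, p) for acl in ACLS for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for (acl, name), v in verdicts().items():
        print(f"{acl:6} {name:24} {v}")
```

In this model only TEST1 drops the UDP probe, and neither ACL touches the ICMP type 11 or type 3 replies, which is the message type the reply above says has to be blocked.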
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:32 ARST