RE: Traceroute Block

From: Scott M Vermillion (scott_ccie_list@it-ag.com)
Date: Mon Nov 24 2008 - 22:27:33 ARST


Not exactly. Two predominant implementations of traceroute:

ICMP (e.g. Windows, IIRC)

Sends ICMP echo-requests with incrementing TTL. The response from transit
routers is time-exceeded and the response from the ultimate target is simply
echo-reply.

UDP (e.g. IOS, *nix)

Sends from and to a UDP high port with incrementing TTL. The response from
transit routers is time-exceeded and the response from the ultimate target
is port-unreachable.

An interesting (even if a little old) article from Microsoft that discusses
both their implementation and that of UNIX that I just googled up:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnbd_trb_ssis.mspx?mfr=true
From: But Nicky [mailto:lyredhair@gmail.com]
Sent: Monday, November 24, 2008 5:01 PM
To: Scott M Vermillion
Cc: GAURAV MADAN; ccie forum
Subject: Re: Traceroute Block
Hi all,
Traceroute uses three ICMP messages: echo (type: 8), time-exceeded (type:
11), port-unreachable (Type: 3, code:3).
Please correct me if I am wrong.

Regards,
But Nguyen.

On Mon, Nov 24, 2008 at 11:25 PM, Scott M Vermillion
<scott_ccie_list@it-ag.com> wrote:

Hey Gaurav,

I believe that the 'traceroute' keyword has to do with ICMP Type Code 30
(http://www.iana.org/assignments/icmp-parameters). This never got any
traction and thus is pretty much a historical footnote in IOS.
(http://www.faqs.org/rfcs/rfc1393.html)

Just to prove this to yourself, do the following:

R1(config-ext-nacl)#deny icmp any any 30
R1(config-ext-nacl)#do sh ip access
Extended IP access list test

   10 deny icmp any any traceroute

Regards,

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
GAURAV MADAN
Sent: Monday, November 24, 2008 6:58 AM
To: ccie forum
Subject: Traceroute Block

Hi Group,

Can someone please confirm whether the following serve the same purpose or are different:

R1(config-if)#do sh ip access-li
Extended IP access list TEST
   10 deny icmp any any traceroute
   20 permit ip any any

Extended IP access list TEST1
   10 deny udp any any range 33400 34400 log
   20 permit ip any any
I found the 2nd one working for me.
I actually configured the 1st ACL thinking it would work, but it didn't.
Finally I googled it to find the UDP ports.
Can someone please let me know what I am missing and how to test this one?

Gaurav Madan
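To make Scott's point and Gaurav's "how to test this one" concrete offline, here is an added example (not from the thread or from any of its posters) that builds the packets each traceroute style puts on the wire, parses back the fields an extended ACL can match, and runs the thread's two ACLs over them. It assumes constructed addresses 10.0.0.1/10.0.0.2, an ephemeral source port of 49152 and a first UDP destination port of 33434; the sample packets are constructed here, not captured. It shows that TEST (the `traceroute` keyword, ICMP type 30) only ever denies an RFC 1393 message, TEST1 only denies the UDP-style probe, and neither ACL touches an ICMP-echo-style probe or any of the replies (time-exceeded, port-unreachable, echo-reply).

```python
import struct

# Constructed sample values (not from the thread): addresses and ephemeral port.
SRC, DST = "10.0.0.1", "10.0.0.2"
EPHEMERAL_PORT = 49152


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as IPv4 and ICMP use."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, ttl: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) followed by the layer-4 payload."""
    saddr = bytes(int(o) for o in SRC.split("."))
    daddr = bytes(int(o) for o in DST.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, ttl, proto, 0, saddr, daddr)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int) -> bytes:
    """ICMP header: type, code, checksum, 4 bytes of rest-of-header (zeroed)."""
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """UDP header with the checksum left at 0 (legal over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse(pkt: bytes) -> dict:
    """Pull out the fields an extended ACL can match on."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"ttl": pkt[8], "proto": pkt[9]}
    l4 = pkt[ihl:]
    if info["proto"] == 1:        # ICMP: type and code
        info["icmp_type"], info["icmp_code"] = l4[0], l4[1]
    elif info["proto"] == 17:     # UDP: source and destination port
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


# ACL TEST from the thread: "deny icmp any any traceroute" is ICMP type 30.
ACL_TEST = [
    ("deny", lambda p: p["proto"] == 1 and p.get("icmp_type") == 30),
    ("permit", lambda p: True),
]

# ACL TEST1 from the thread: "deny udp any any range 33400 34400" (destination port).
ACL_TEST1 = [
    ("deny", lambda p: p["proto"] == 17 and 33400 <= p["dport"] <= 34400),
    ("permit", lambda p: True),
]


def apply_acl(acl, pkt: bytes) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    info = parse(pkt)
    for action, matches in acl:
        if matches(info):
            return action
    return "deny"


PACKETS = {
    # Windows-style probe: echo-request with a low TTL
    "icmp_probe": build_ipv4(1, 1, build_icmp(8, 0)),
    # IOS/*nix-style probe: UDP from a high port to 33434 with a low TTL
    "udp_probe": build_ipv4(17, 1, build_udp(EPHEMERAL_PORT, 33434, b"\x00" * 12)),
    # RFC 1393 traceroute message (type 30): what the keyword actually matches
    "rfc1393_probe": build_ipv4(1, 1, build_icmp(30, 0)),
    # Replies seen on the way back from transit routers and the target
    "time_exceeded": build_ipv4(1, 64, build_icmp(11, 0)),
    "port_unreachable": build_ipv4(1, 64, build_icmp(3, 3)),
    "echo_reply": build_ipv4(1, 64, build_icmp(0, 0)),
}


def classify_all() -> dict:
    """Map each sample packet name to (TEST verdict, TEST1 verdict)."""
    return {name: (apply_acl(ACL_TEST, pkt), apply_acl(ACL_TEST1, pkt))
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (test, test1) in classify_all().items():
        print(f"{name:18} TEST={test:7} TEST1={test1}")
```

Running it prints one verdict pair per packet; the only deny from TEST is on the type 30 message, and the only deny from TEST1 is on the UDP probe. Swapping in other ICMP types or port ranges in `ACL_TEST`/`ACL_TEST1` lets you check a candidate ACL against both traceroute styles before typing it into a router.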




This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:32 ARST