Re: Traceroute and RACL

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sat Feb 28 2009 - 09:08:44 ARST


Right,

Cisco routers work with UDP and return ICMP port-unreachable and
time-exceeded. So first UDP, and the return packet is ICMP. Regarding the
RACL, just make sure you allow the returning ICMP port-unreachable and
time-exceeded inside the inbound ACL and of course allow UDP inside the outbound
ACL.

Rack1R6#sh run int Virtual-Access1
Building configuration...

Current configuration : 126 bytes
!
interface Virtual-Access1
 ip address 54.1.7.6 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out
end

Rack1R6#

Rack1R6#sh ip access-lists inbound
Extended IP access list inbound
    10 permit tcp any any eq bgp (46481 matches)
    20 permit tcp any eq bgp any
    21 permit icmp any any port-unreachable (19 matches)
    22 permit icmp any any time-exceeded
    30 evaluate ME
    40 permit icmp any any echo-reply
    50 deny ip any any log (229160 matches)
Rack1R6#
Rack1R6#sh ip access-lists outbound
Extended IP access list outbound
    10 permit tcp any any reflect ME
    20 permit udp any any reflect ME (273 matches)
    30 permit icmp any any
    40 deny ip any any log
Rack1R6#

Rack1R6#sh ip cef exact-route 183.1.123.2 54.1.7.254
183.1.123.2 -> 54.1.7.254 : Virtual-Access1 (attached)
Rack1R6#

So let's go to Rack1R2 (183.1.123.2):

Rack1R2#traceroute 54.1.7.254

Type escape sequence to abort.
Tracing the route to 54.1.7.254

  1 183.1.123.3 20 msec 8 msec 0 msec
  2 183.1.0.5 4 msec 4 msec 0 msec
  3 183.1.0.4 4 msec 4 msec 4 msec
  4 183.1.46.6 4 msec 4 msec 4 msec
  5
*Feb 28 11:51:46.523: ICMP: time exceeded rcvd from 183.1.123.3
*Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
*Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
*Feb 28 11:51:46.535: ICMP: time exceeded rcvd from 183.1.0.5
*Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
*Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
*Feb 28 11:51:46.543: ICMP: time exceeded rcvd from 183.1.0.4
*Feb 28 11:51:46.547: ICMP: time exceeded rcvd from 183.1.0.4
*Feb 28 11:51:46.551: ICMP: time exceeded rcvd from 183.1.0.4
*Feb 28 11:51:46.555: ICMP: time exceeded rcvd from 183.1.46.6
*Feb 28 11:51:46.559: ICMP: time exceeded rcvd from 183.1.46.6
*Feb 28 11:51:46.563: ICMP: time exceeded rcvd from 183.1.46.6 * * *
  6 * * *
  7 54.1.7.254 4 msec
*Feb 28 11:52:04.567: ICMP: dst (183.1.123.2) port unreachable rcv from
54.1.7.254 * 4 msec
Rack1R2#

Rack1R6#sh ip access-lists ME
Reflexive IP access list ME
     permit udp host 54.1.7.254 eq 33448 host 183.1.123.2 eq 41606 (1 match)
(time left 296)
     permit udp host 54.1.7.254 eq 33447 host 183.1.123.2 eq 33667 (1 match)
(time left 296)
     permit udp host 54.1.7.254 eq 33446 host 183.1.123.2 eq 33777 (1 match)
(time left 293)
Rack1R6#

Now, regarding the "access-list 100 permit icmp any any traceroute", I
wondered the same before, but after doing some digging I realized that this is
just a kind of historical command, defined in RFC 1393. No more than this; I
haven't seen any application in real life.

Does anyone?

Regards
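To make the point above concrete, here is an added Python simulation (not IOS code and not from either post): it mirrors each outbound UDP probe into a reflexive entry the way `permit udp any any reflect ME` does, then runs the ICMP replies through the inbound list with and without the static `port-unreachable`/`time-exceeded` permits (seq 21/22). The transit hop 54.1.7.1 and the port numbers are constructed; 33434 is the usual first destination port of a Cisco traceroute.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    proto: str           # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # UDP only
    dport: int = 0
    icmp_type: str = ""  # ICMP only, e.g. "time-exceeded"

def reflect(outbound: Pkt, entries: set) -> None:
    """'permit udp any any reflect ME': mirror the UDP 5-tuple into the
    temporary list ME. An ICMP error reply never carries that tuple."""
    if outbound.proto == "udp":
        entries.add(("udp", outbound.dst, outbound.dport, outbound.src, outbound.sport))

def inbound_permits(p: Pkt, entries: set, static_icmp: bool) -> bool:
    """Inbound list from the post without the BGP lines; static_icmp=False
    drops seq 21/22, which is the situation the original question describes."""
    if static_icmp and p.proto == "icmp" and p.icmp_type in ("port-unreachable", "time-exceeded"):
        return True                         # seq 21 / 22
    if p.proto == "udp" and (p.proto, p.src, p.sport, p.dst, p.dport) in entries:
        return True                         # seq 30 evaluate ME
    return False                            # seq 50 deny ip any any log

def traceroute_verdicts(static_icmp: bool) -> dict:
    """183.1.123.2 traces to 54.1.7.254 across the interface carrying both lists.
    54.1.7.1 (constructed) stands in for a transit hop beyond that interface."""
    entries, src, target = set(), "183.1.123.2", "54.1.7.254"
    verdicts = {}
    for i, hop in enumerate(["54.1.7.1", target]):
        probe = Pkt("udp", src, target, sport=33777 + i, dport=33434 + i)
        reflect(probe, entries)             # outbound list: seq 20
        kind = "port-unreachable" if hop == target else "time-exceeded"
        reply = Pkt("icmp", hop, src, icmp_type=kind)
        verdicts[f"{hop} {kind}"] = inbound_permits(reply, entries, static_icmp)
    # A UDP datagram mirroring the first probe is what ME actually matches.
    udp_back = Pkt("udp", target, src, sport=33434, dport=33777)
    verdicts["udp mirror"] = inbound_permits(udp_back, entries, static_icmp)
    return verdicts

if __name__ == "__main__":
    for flag in (True, False):
        print("static ICMP permits" if flag else "reflexive only", traceroute_verdicts(flag))
```

Without seq 21/22 every ICMP reply falls through to the final deny, which is why the reflexive entries alone cannot make a traceroute work.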

----- Original Message -----
From: "mahmoud genidy" <ccie.mahmoud@gmail.com>
To: "Cisco certification" <ccielab@groupstudy.com>
Sent: Friday, February 27, 2009 7:11 PM
Subject: Traceroute and RACL

> Hi GS,
>
> Regarding the TRACEROUTE traffic and how it is related to Reflexive ACL.
>
> According to the Cisco implementation the TRACEROUTE traffic goes out as UDP
> and returns as ICMP (Port unreachable and Time-Exceeded). Am I correct?!
>
> BUT I found this command in the DOC CD:
>
> { Router(config)# *access-list 100 permit icmp any any traceroute* }
>
> Then I found that TRACEROUTE is ICMP type 30. Now I'm confused how to
> match it in the OUT and IN direction if I will use RACL!
>
> Any hints?
>
> Thanks
> Mahmoud.

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:13 ARST