topic Re: Blocking a specific IP in traceroute on IOS-XR in Network Security

Blocking a specific IP in traceroute on IOS-XR

network_geek — Tue, 26 Jan 2021 05:24:46 GMT

Hi All,

I am faced with a very strange problem. My internal network contains IPs from 172.16.X.X subnet. I want to block a certain IP from appearing in traceroute(this IP belongs to an uplink hosted in my own AS) and I can easily do things anyone suggests. Any leads to achieve this task will be highly appreciated.

Re: Blocking a specific IP in traceroute on IOS-XR

Mohammed al Baqari — Tue, 26 Jan 2021 06:53:20 GMT

Hi,

If it's an MPLS cloud, disable TTL propagation as below.

https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/26585-mpls-traceroute.html#no_mpls

If its not an MPLS, you can use a combination of NAT, Loopback and local
policy route-maps to use dummy IPs on your loopbacks to appear in
traceroute instead of your LAN IPs.

Finally, I suggest posting this in routing forum to get more detailed
answers.

***** please remember to rate useful posts

Re: Blocking a specific IP in traceroute on IOS-XR

Marvin Rhoads — Tue, 26 Jan 2021 07:31:50 GMT

When traceroute operates it uses icmp time-exceeded and icmp unreachable messages as the mechanism that reports the intermediate hops in the path to the ultimate host. We normally allow those messages inbound but if you deny them for the particular host you want to exclude it will have the effect of removing it from traceroute (the * denoting a hop not reporting its address will still show up).

Re: Blocking a specific IP in traceroute on IOS-XR

network_geek — Tue, 26 Jan 2021 08:58:53 GMT

Hi Marvin,

Thank you for your update. I made an ACL in which I am denying ICMP time-exceeded, traceroute and echo-reply but I am unable to block this IP in traceroute. Can you kindly help me in pointing out the exact point? The ACL on ingress interface is pasted below:

ipv4 access-list ICMP-BLOCK

1 deny icmp any 172.16.11.112 0.0.0.3 ttl lt 255
2 deny icmp any 172.16.11.112 0.0.0.3 time-exceeded
5 deny icmp any 172.16.11.112 0.0.0.3 fragments
6 deny icmp any 172.16.11.112 0.0.0.3 traceroute
7 deny tcp any 172.16.11.112 0.0.0.3 icmp-off
8 deny udp any 172.16.11.112 0.0.0.3 icmp-off
10 deny icmp any 172.16.11.112 0.0.0.3 echo
15 deny icmp any 172.16.11.112 0.0.0.3 echo-reply icmp-off
20 deny icmp any 172.16.11.112 0.0.0.3 echo-reply
25 deny udp any 172.16.11.112 0.0.0.3 range 33434 33534
26 deny tcp any 172.16.11.112 0.0.0.3 range 33434 33534
30 deny icmp any 172.16.11.112 0.0.0.3 time-exceeded
40 permit ipv4 any any

Re: Blocking a specific IP in traceroute on IOS-XR

Marvin Rhoads — Tue, 26 Jan 2021 11:50:30 GMT

Your ACL is denying from "any" to the subnet 172.16.11.112/30. If your intention is to mask the hosts in that subnet from appearing, then they must be the SOURCE address and the ACL must be applied between where that subnet lives and your client PCs.

Re: Blocking a specific IP in traceroute on IOS-XR

network_geek — Tue, 26 Jan 2021 15:00:32 GMT

The IP I intend to block is 172.16.11.114/32 and this ACL is applied where the same IP on an interface(/30) is configured. I am yet to yield any fruitful outcome on this.

Re: Blocking a specific IP in traceroute on IOS-XR

NetAdmin-WGELD — Mon, 14 Jul 2025 17:03:47 GMT

You will need to block 172.16.11.114 as the source and apply it as an egress ipv4 access-group on the interface in question.