Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1399
Views
5
Helpful
5
Replies

Blocking a specific IP in traceroute on IOS-XR

network_geek
Level 1
Level 1

‎01-25-2021 09:24 PM

Hi All,

 

I am faced with a very strange problem. My internal network contains IPs from 172.16.X.X subnet. I want to block a certain IP from appearing in traceroute(this IP belongs to an uplink hosted in my own AS) and I can easily do things anyone suggests. Any leads to achieve this task will be highly appreciated.

0 Helpful
5 Replies 5

Mohammed al Baqari
Level 11
Level 11

‎01-25-2021 10:53 PM

Hi,

If it's an MPLS cloud, disable TTL propagation as below.

https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/26585-mpls-traceroute.html#no_mpls

If its not an MPLS, you can use a combination of NAT, Loopback and local
policy route-maps to use dummy IPs on your loopbacks to appear in
traceroute instead of your LAN IPs.

Finally, I suggest posting this in routing forum to get more detailed
answers.

***** please remember to rate useful posts
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-25-2021 11:31 PM

When traceroute operates it uses icmp time-exceeded and icmp unreachable messages as the mechanism that reports the intermediate hops in the path to the ultimate host. We normally allow those messages inbound but if you deny them for the particular host you want to exclude it will have the effect of removing it from traceroute (the * denoting a hop not reporting its address will still show up).

network_geek
Level 1
Level 1
In response to Marvin Rhoads

‎01-26-2021 12:58 AM

Hi Marvin,

 

Thank you for your update. I made an ACL in which I am denying ICMP time-exceeded, traceroute and echo-reply but I am unable to block this IP in traceroute. Can you kindly help me in pointing out the exact point? The ACL on ingress interface is pasted below:

 

ipv4 access-list ICMP-BLOCK

1 deny icmp any 172.16.11.112 0.0.0.3 ttl lt 255
2 deny icmp any 172.16.11.112 0.0.0.3 time-exceeded
5 deny icmp any 172.16.11.112 0.0.0.3 fragments
6 deny icmp any 172.16.11.112 0.0.0.3 traceroute
7 deny tcp any 172.16.11.112 0.0.0.3 icmp-off
8 deny udp any 172.16.11.112 0.0.0.3 icmp-off
10 deny icmp any 172.16.11.112 0.0.0.3 echo
15 deny icmp any 172.16.11.112 0.0.0.3 echo-reply icmp-off
20 deny icmp any 172.16.11.112 0.0.0.3 echo-reply
25 deny udp any 172.16.11.112 0.0.0.3 range 33434 33534
26 deny tcp any 172.16.11.112 0.0.0.3 range 33434 33534
30 deny icmp any 172.16.11.112 0.0.0.3 time-exceeded
40 permit ipv4 any any

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-26-2021 03:50 AM

Your ACL is denying from "any" to the subnet 172.16.11.112/30. If your intention is to mask the hosts in that subnet from appearing, then they must be the SOURCE address and the ACL must be applied between where that subnet lives and your client PCs.

0 Helpful

network_geek
Level 1
Level 1
In response to Marvin Rhoads

‎01-26-2021 07:00 AM

The IP I intend to block is 172.16.11.114/32 and this ACL is applied where the same IP on an interface(/30) is configured. I am yet to yield any fruitful outcome on this.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card