Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
578
Views
5
Helpful
3
Replies

Blocking treacerout

Go to solution
Hardi Ahmed
Level 7
Level 7

‎09-28-2013 12:31 PM - edited ‎03-04-2019 09:10 PM

        hello all,

I have a Cisco 2921 router what policy if helphulf in blocking (tracertout) from the Internet.

BTW; I user the router for accessing to internet & L3 VPN.

regards,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Hardi Ahmed

‎09-29-2013 02:04 PM

Blocking traceroute can be complex and attempts to block traceroute could have negative impact on your network. So I advise you to proceed carefully if you decide that you really want to do this.

You should understand that there are at least two mechanisms that implement traceroute. So you would need to address both of them if you want to block incoming traceroute. One mechanism for traceroute is used by Cisco and many other vendors and is derived from the unix implementation which sends UDP packets using various port numbers (usually middle to high in the UDP port range). To block this implementation of traceroute your inbound access list would need to deny UDP on a broad range of ports. the obvious danger here is the possibility that some application could be using those port numbers and you could wind up denying traffic that is actually valid UDP packets and impacting that application. The other implementation of traceroute is the implementation used by Windows (and specified as tracert). This uses ICMP packets. So to block this implementation of traceroute your inbound access list would need to block all inbound ICMP echo request. Whether that has negative impact to your network is something that you would need to evaluate.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
3 Replies 3

Go to solution
amabdelh
Level 1
Level 1

‎09-28-2013 11:20 PM

Usually, and ACL is applied at the egress interface in the inbound direction to block all traffic coming from outside but returning traffic, this should block all icmp traffic as well
Do you have any acl on the egress interface?

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Hardi Ahmed
Level 7
Level 7
In response to amabdelh

‎09-29-2013 02:56 AM

Hi,

I have been applied ACL on egress and ingress interfaces, currently the only allowed traffics are (VPN, Internet_partial, ICMP & tracerout). and the reset is blocked.

but I want to keep ICMP working and only to block the tracerout.

regards,

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Hardi Ahmed

‎09-29-2013 02:04 PM

Blocking traceroute can be complex and attempts to block traceroute could have negative impact on your network. So I advise you to proceed carefully if you decide that you really want to do this.

You should understand that there are at least two mechanisms that implement traceroute. So you would need to address both of them if you want to block incoming traceroute. One mechanism for traceroute is used by Cisco and many other vendors and is derived from the unix implementation which sends UDP packets using various port numbers (usually middle to high in the UDP port range). To block this implementation of traceroute your inbound access list would need to deny UDP on a broad range of ports. the obvious danger here is the possibility that some application could be using those port numbers and you could wind up denying traffic that is actually valid UDP packets and impacting that application. The other implementation of traceroute is the implementation used by Windows (and specified as tracert). This uses ICMP packets. So to block this implementation of traceroute your inbound access list would need to block all inbound ICMP echo request. Whether that has negative impact to your network is something that you would need to evaluate.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card