09-28-2013 12:31 PM - edited 03-04-2019 09:10 PM
hello all,
I have a Cisco 2921 router. What policy is helpful in blocking traceroute from the Internet?
BTW, I use the router for accessing the internet & L3 VPN.
regards,
09-29-2013 02:04 PM
Blocking traceroute can be complex and attempts to block traceroute could have negative impact on your network. So I advise you to proceed carefully if you decide that you really want to do this.
You should understand that there are at least two mechanisms that implement traceroute. So you would need to address both of them if you want to block incoming traceroute. One mechanism for traceroute is used by Cisco and many other vendors and is derived from the unix implementation, which sends UDP packets using various port numbers (usually middle to high in the UDP port range). To block this implementation of traceroute your inbound access list would need to deny UDP on a broad range of ports. The obvious danger here is the possibility that some application could be using those port numbers, and you could wind up denying traffic that is actually valid UDP packets and impacting that application. The other implementation of traceroute is the one used by Windows (and invoked as tracert). This uses ICMP packets. So to block this implementation of traceroute your inbound access list would need to block all inbound ICMP echo requests. Whether that has a negative impact on your network is something that you would need to evaluate.
HTH
Rick
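The two mechanisms Rick describes, as an added example that is not from this thread: a first-match model of the inbound ACL he outlines, run over constructed sample packets so the trade-off is visible. The UDP traceroute port range 33434-33534 and the 33000-34000 application range are assumptions, not values from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
@dataclass(frozen=True)
class Packet:
    proto: str                          # "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None      # UDP/TCP destination port
    icmp_type: Optional[int] = None     # 8 = echo request, 0 = echo reply

@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "udp", "tcp", "icmp" or "ip" (any)
    ports: Optional[Tuple[int, int]] = None   # inclusive dst-port range
    icmp_type: Optional[int] = None
    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.ports is not None:
            if pkt.dst_port is None or not self.ports[0] <= pkt.dst_port <= self.ports[1]:
                return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """IOS-style: the first matching line wins; implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Inbound ACL modelled on the advice above. 33434-33534 is the classic UDP traceroute
# range (an assumption); 33000-34000 is a constructed range for a permitted UDP app.
OUTSIDE_IN: List[Rule] = [
    Rule("deny", "udp", ports=(33434, 33534)),   # unix/Cisco traceroute probes
    Rule("deny", "icmp", icmp_type=8),           # Windows tracert = echo request
    Rule("permit", "icmp"),                      # echo replies, ttl-exceeded, ...
    Rule("permit", "udp", ports=(33000, 34000)), # a permitted UDP application
]

# Constructed samples: both traceroute flavours plus the traffic they take down.
SAMPLES: Dict[str, Packet] = {
    "unix_traceroute_probe": Packet("udp", dst_port=33434),
    "windows_tracert_probe": Packet("icmp", icmp_type=8),
    "inbound_ping": Packet("icmp", icmp_type=8),         # same bits as tracert
    "udp_app_on_33500": Packet("udp", dst_port=33500),   # collateral damage
}

def verdicts(acl: List[Rule] = OUTSIDE_IN, samples: Dict[str, Packet] = SAMPLES) -> Dict[str, str]:
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}
```

Running `verdicts()` shows that the two deny lines stop both traceroute flavours, but the same lines also drop ordinary inbound pings (identical on the wire to a tracert probe) and any permitted UDP application that happens to use a port inside the traceroute range.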
09-28-2013 11:20 PM
Usually, an ACL is applied at the egress interface in the inbound direction to block all traffic coming from outside except returning traffic; this should block all ICMP traffic as well.
Do you have any acl on the egress interface?
Sent from Cisco Technical Support iPhone App
09-29-2013 02:56 AM
Hi,
I have applied ACLs on the egress and ingress interfaces; currently the only allowed traffic is (VPN, Internet_partial, ICMP & traceroute), and the rest is blocked.
But I want to keep ICMP working and only block the traceroute.
regards,