03-28-2024 05:48 AM
Assume that there are three router-type devices outside the firewall, and one core switch router behind a single-layer firewall,
and I would like to hide the router hop of the core switch router from traceroute.
How do I modify the TTL to a lower value at the outermost router, such as an ASR router?
A. I find that an ACL can deny TTL less than 1 to hide a hop from traceroute. Does it mean that in this case, deny TTL less than 1 can hide the IP address of the core switch router when tracerouting from the Internet?
B. In this case, does this ACL deny TTL less than 1 apply at the third router, the one connected directly to the outside port of the firewall?
C. If there are two layers of routers behind the firewall, should this command be ACL deny TTL less than 2?
D. If an Internet traceroute uses the highest TTL value, how can this ACL deny work? Does it mean that the TTL needs to be modified to a lower value at the outermost router? Would this TTL value be 4 or 5? Which command can do this?
E. If I expect to hide a traceroute hop from the inside, how do I do that?
F. I find that I need to deny ICMP TTL-exceeded messages and timeout messages too. Is there a consolidated procedure to hide the router hop from traceroute?
03-28-2024 06:13 AM
Hello
No... you cannot change the TTL on routers.
Reference: https://community.cisco.com/t5/switching/ttl-value-on-outgoing-int/td-p/2195832
Best regards
******* If This Helps, Please Rate *******
03-28-2024 06:49 AM
Make the router not send ICMP TTL exceeded.
This makes the router hidden from traceroute.
MHM
03-28-2024 06:45 PM
Why not just deny all ICMP from entering the network at the outermost routers and at the core switch routers, and block ICMP at the firewall?
Why deny only ICMP TTL exceeded?
03-28-2024 10:56 PM
If you want to check reachability, then denying all ICMP does not help here.
Deny only ICMP TTL exceeded, because it is used by traceroute as the reply from any hop between source and destination.
Note: Cisco recommends denying any ICMP not used by the router.
MHM
03-29-2024 03:32 AM
You want to actually hide an L3 hop?
That's often a side effect of using some kind of overlay, i.e. underlay L3 hops are not seen.
I recall (???) that with MPLS there was some configuration where you could select whether an MPLS device would be seen in a traceroute or not. It might only apply to P routers.
03-30-2024 05:48 PM
Hello
Yes, you can accomplish this using CoPP. You should only need to know the initial TTL hop count to the router you wish to hide (usually ttl=1).
Please note:
Dynamic routing processes utilise ICMP TTL, so you will need to exclude these from the CoPP so as not to disrupt any routing adjacencies/peerings/advertisements etc.
Example CoPP on Hidden rtr:
ip access-list extended TTL_ACL
 remark Exclude routing-protocol traffic so adjacencies/peerings are not dropped
 deny eigrp any any
 deny ospf any any
 deny tcp any any eq bgp
 deny tcp any eq bgp any
 remark Traffic destined to the hidden router's own addresses, at any TTL
 permit ip any host <hidden rtr ip 1> ttl range 1 255
 permit ip any host <hidden rtr ip 2> ttl range 1 255
 etc...
 remark Probes that expire on this hop (TTL=1), i.e. the ones that would trigger ICMP Time Exceeded
 permit ip any any ttl eq 1
!
class-map match-all TTL_CM
 match access-group name TTL_ACL
!
policy-map TTL_PM
 class TTL_CM
  drop
!
control-plane
 service-policy input TTL_PM
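The two techniques debated in this thread (a hop that stops answering with ICMP Time Exceeded, as the CoPP policy above does, and an ACL at the outermost router that drops probes by TTL) both change what a traceroute prints, but in different ways. The following is an added example, not code from the thread or from Cisco: a small Python model of how traceroute builds its hop list from the replies it gets. Topology, router names and IP addresses (198.51.100.x, 10.0.0.1, 203.0.113.10) are constructed for illustration, and it sends one probe per TTL rather than the usual three.

```python
# Added example (not from the thread): model of traceroute hop discovery
# under (a) a hop whose ICMP Time Exceeded replies are suppressed and
# (b) an ingress ACL 'deny ip any any ttl lt N' at the outermost router.
# All addresses and names below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    ip: str
    # False models a hop whose ICMP Time Exceeded is suppressed
    # (e.g. dropped by a CoPP policy such as the one in the post above).
    send_ttl_exceeded: bool = True
    # >0 models an ingress ACL of the form 'deny ip any any ttl lt N'.
    deny_ttl_lt: int = 0


DEST_IP = "203.0.113.10"  # constructed destination host


def forward(path: List[Router], ttl: int) -> Tuple[Optional[str], bool]:
    """Send one probe with the given initial TTL along the router path.

    Returns (responder_ip, reached_destination). responder_ip is None
    when nothing answers, which traceroute prints as '*'."""
    for rtr in path:
        # The ingress ACL sees the TTL the packet arrives with.
        if rtr.deny_ttl_lt and ttl < rtr.deny_ttl_lt:
            return None, False
        ttl -= 1
        if ttl == 0:
            # Packet expires on this hop; it answers only if allowed to.
            return (rtr.ip if rtr.send_ttl_exceeded else None), False
    # Survived every router: the destination host answers the probe.
    return DEST_IP, True


def traceroute(path: List[Router], max_ttl: int = 30) -> List[Tuple[int, str]]:
    """Return [(ttl, responder_ip or '*'), ...] up to the destination."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, done = forward(path, ttl)
        hops.append((ttl, responder or "*"))
        if done:
            break
    return hops


def summarize(hops: List[Tuple[int, str]]) -> dict:
    """Hop count and the router addresses the trace actually revealed."""
    return {
        "hop_count": len(hops),
        "revealed": [ip for _, ip in hops if ip != "*"],
    }


def build_path(core_silent: bool = False, edge_deny_ttl_lt: int = 0) -> List[Router]:
    """Constructed path: ASR edge -> firewall outside -> core switch router."""
    return [
        Router("asr-edge", "198.51.100.1", deny_ttl_lt=edge_deny_ttl_lt),
        Router("fw-outside", "198.51.100.2"),
        Router("core", "10.0.0.1", send_ttl_exceeded=not core_silent),
    ]


if __name__ == "__main__":
    scenarios = [
        ("baseline", build_path()),
        ("core suppresses Time Exceeded", build_path(core_silent=True)),
        ("edge denies ttl lt 1 (matches nothing)", build_path(edge_deny_ttl_lt=1)),
        ("edge denies ttl lt 4", build_path(edge_deny_ttl_lt=4)),
    ]
    for label, path in scenarios:
        hops = traceroute(path)
        print(f"== {label}: {summarize(hops)}")
        for ttl, who in hops:
            print(f"{ttl:2d}  {who}")
```

Running it shows the point a practitioner should weigh before deploying either technique: in every scenario the destination is still reached at TTL 4, so the hop count is unchanged. Suppressing Time Exceeded on the core replaces its line with `*` but leaves the firewall and edge visible; an edge ACL on `ttl lt 4` blanks the first three lines instead, including the edge itself; and `ttl lt 1` matches nothing, because a probe that arrives at the edge already has TTL 1. A `*` line still tells the observer that a device exists at that hop, it just withholds the address.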
04-01-2024 01:39 AM
I think there is no need to see reachability if you have a well-documented network diagram with IP addresses;
you can use Ansible or other automation to unblock ICMP to show reachability during a maintenance period or troubleshooting,
and then change the IP address to a reserved IP address with automation.
Most of the time invaders cannot see the IP addresses of all hops, or even cannot see reachability at all.
I am wondering: without traceroute, can invaders access or find what they want when they cannot see the path?
04-01-2024 02:17 PM
Hello
Use CoPP then, in accordance with the example I posted; that should "hide" the rtr from a traceroute.