08-20-2009 05:25 AM - edited 03-04-2019 05:47 AM
I am running EBGP with 2 routers on the internet. These routers are running OSPF with Private P2P links neighbored up to my Core where I am extending the public address space to VRF. When I do any external traceroutes inbound from the internet, I am seeing the Private P2P IP addresses showing up in the traceroute. How do I prevent this from happening?
08-20-2009 05:45 AM
You can block the following icmp ports:
example:
deny icmp any any port-unreachable
deny icmp any any echo-reply
deny icmp any any time-exceeded
permit ip any any
This will stop the traceroute from showing you public IP. Let me know if this was what you're looking for.
08-20-2009 06:01 AM
If I apply that to the public side of my external routers inbound ACL, that will block ICMP totally. I am looking to enable ICMP but just do not want the private P2Ps to show up in the echo-replies. This is the example below:
CAT3750#traceroute 97.65.22.176
Type escape sequence to abort.
Tracing the route to 97.65.22.176
1 192.168.1.1 0 msec 0 msec 0 msec
2 * * *
3 68.85.94.21 8 msec 16 msec 26 msec
4 te-9-1-ur01.palatka.fl.jacksvil.comcast.net (68.85.225.26) 16 msec 17 msec 17 msec
5 te-9-1-ur01.staugustine.fl.jacksvil.comcast.net (68.85.225.2) 17 msec 25 msec 17 msec
6 te-5-3-ar01.southsiderdc.fl.jacksvil.comcast.net (68.85.225.29) 25 msec 25 msec 17 msec
7 te-0-2-0-5-ar03.pompanobeach.fl.pompano.comcast.net (68.85.229.229) 25 msec 25 msec 25 msec
8 pos-0-7-0-0-ar03.northdade.fl.pompano.comcast.net (68.86.164.5) 25 msec 25 msec 25 msec
9 pos-0-3-0-0-cr01.miami.fl.ibone.comcast.net (68.86.91.221) 25 msec 25 msec 25 msec
10 pos-2-3-0-0-cr01.atlanta.ga.ibone.comcast.net (68.86.85.193) 42 msec 42 msec 42 msec
11 pos-1-14-0-0-cr01.dallas.tx.ibone.comcast.net (68.86.85.153) 59 msec 59 msec 75 msec
12 64.132.69.249 59 msec 68 msec 58 msec
13 199.227.21.78 76 msec 76 msec 67 msec
14 199.227.21.78 75 msec 76 msec 67 msec
15 *
10.2.254.6 67 msec 75 msec
16 * * *
17 * * *
18 * *
My internal P2P IP 10.2.254.6 is showing up on my external traceroute.
08-20-2009 06:19 AM
All you should need to do is disable ICMP port-unreachables and time-exceeded. This will prevent the device from showing in the traceroute.
deny icmp any any port-unreachable
deny icmp any any time-exceeded
permit ip any any - allow everything else
You actually shouldn't need to disable the echo-reply.
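One way to apply this on the two edge routers, as an added example that is not part of this thread, is an outbound ACL on the ISP-facing interface that drops only the time-exceeded and port-unreachable replies sourced from the private P2P range, so traceroute keeps working for every other hop and all other ICMP passes. The P2P range (10.2.254.0/24) and the interface name are assumptions.

```cisco
! Added example, not from the original thread.
! Assumed: the OSPF P2P links live in 10.2.254.0/24 and the
! upstream interface is GigabitEthernet0/0 (placeholder name).
ip access-list extended NO-LEAK-P2P
 remark TTL-expired and port-unreachable replies that traceroute uses
 remark are dropped only when they come from the private P2P links
 deny   icmp 10.2.254.0 0.0.0.255 any time-exceeded
 deny   icmp 10.2.254.0 0.0.0.255 any port-unreachable
 remark every other ICMP message (echo, echo-reply, PMTUD) still passes
 permit icmp any any
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream ISP link
 ip access-group NO-LEAK-P2P out
!
! Verify: counters on the two deny lines should increment while an
! external traceroute runs, and that hop now prints as * * *.
! show ip access-lists NO-LEAK-P2P
```

Because the private-sourced replies are dropped rather than rewritten, the affected hop appears as `* * *` in the external traceroute instead of 10.2.254.6; the public hops before and after it are unaffected.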
08-20-2009 06:39 AM
I'm sorry, I wasn't thinking about the inbound direction. That's going to be a UDP port range.