Block traceroute through IOS XR

Hele Du, Level 1

Hi everyone,

I am a system engineer from China.

I just want to ask some IOS XR questions, as follows; I hope someone can help me.

Customers who use "traceroute" can learn how many devices are in our network.

I want to block these traceroute responses from our devices.

In IOS I can use the following commands; when they try a traceroute, they receive a * in place of our devices' response.

ip access-list extended ICMP
 ! IOS keyword is ttl-exceeded ("ttl-excessed" is rejected by the parser)
 permit icmp any any ttl-exceeded
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 ! the generic unreachable match already covers the two unreachable lines above
 permit icmp any any unreachable
!
class-map match-all ICMP
 match access-group name ICMP
!
policy-map ICMP
 class ICMP
  drop
!
control-plane
 service-policy output ICMP

In IOS XR, are there commands that accomplish the same function?


3 Replies

xthuijs, Cisco Employee (Accepted Solution)

Hi Duhele,

You can go multiple ways about this; a few options:

You can set the punt policer for ttl-expired to zero in LPTS. That prevents the punts of these packets to the LC CPU, which is what originates the ICMP unreach for this purpose.

Another option is to disable the ICMP unreach generation on an interface.

The 3rd option is to use an outbound ACL that blocks the ICMP messages. Although many packets are "inject to wire", which bypasses all egress features, ICMP is not done like that and is subject to ACL and QoS. Note however that in a class-map for QoS you can't match on ICMP, but you can do an ACL.

regards

xander

Hi Xander,

Thank you for your reply.

As far as I know, traceroute is based on TTL-exceeded and Port unreachable.

Can the LPTS and interface-level unreach control the Port unreachable? I did not know these commands before.

About the 3rd option: in IOS, the ACL cannot block traffic that is originated by the router itself.

Can IOS XR block traffic that is originated by the router itself?

For more information on LPTS, check out here:

https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp

As for being able to block self-originated packets: yes, with regards to ICMP, you can. As mentioned, there are some other protocols that are directly injected to the wire, like BFD for example. But ICMP can be matched/blocked via ACL.
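An added example, not from the original thread or from Cisco documentation, showing the second and third options above in IOS XR CLI syntax. The interface name GigabitEthernet0/0/0/0, the ACL name BLOCK-TRACEROUTE-REPLIES and the location 0/0/CPU0 are assumptions; the LPTS punt-policer syntax for the first option differs by platform and release and is not shown here, so check it on the box with the LPTS document linked above.

```cisco
! Option 3: egress ACL that drops the two ICMP messages traceroute relies on.
! ACL name is an assumption. IOS XR ACLs end in an implicit deny, so the
! final permit is required to keep all other traffic flowing.
ipv4 access-list BLOCK-TRACEROUTE-REPLIES
 10 deny icmp any any time-exceeded
 20 deny icmp any any port-unreachable
 30 permit ipv4 any any
!
! Option 2 and the ACL attachment, on each customer-facing interface.
! Interface name is an assumption.
interface GigabitEthernet0/0/0/0
 ipv4 unreachables disable
 ipv4 access-group BLOCK-TRACEROUTE-REPLIES egress
!
! IOS XR is a two-stage config: nothing is active until it is committed.
commit
!
! Verify that the deny entries are actually hit when a customer runs traceroute
! (location is an assumption; use the line card that owns the interface).
show access-lists ipv4 BLOCK-TRACEROUTE-REPLIES hardware egress location 0/0/CPU0
```

Two caveats a practitioner would want before deploying this. The egress ACL is applied to everything leaving the interface, not only to packets the router itself originates, so time-exceeded and port-unreachable messages generated by devices behind this router are dropped too; that hides more of the topology than just this hop, and it also silences legitimate ICMP from downstream hosts. If that is not intended, add the router's own interface addresses as the source in the deny lines instead of `any`. Second, `ipv4 unreachables disable` is a switch for ICMP unreachables generated on that interface; fragmentation-needed (type 3, code 4) is an unreachable, so disabling them interferes with path MTU discovery through that interface. Confirm on your platform which message types the command suppresses before relying on it to hide time-exceeded replies.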