Re: traceroute problem

From: Arifur Rahman (arahman@cisco.com)
Date: Mon Sep 29 2003 - 15:33:45 GMT-3


Hi
Here is my test result

r7-----(access-g 101 in)-----r8

r8#sh access-lists
Extended IP access list 101
     permit icmp any any traceroute
     permit icmp any any unreachable (18 matches)
     permit icmp any any echo-reply
     permit icmp any any administratively-prohibited
     permit icmp any any echo
     permit icmp any any time-exceeded (9 matches)
     permit udp any any (3 matches)
r8#

I observed the following matches in the access list:

1. trace from r8 to r7 at a valid address: permit icmp any any unreachable
2. trace from r8 to r7 at a non-existent address: permit icmp any any time-exceeded
3. trace from r7 to r8 at a valid address: permit udp any any
4. trace from r7 to r8 at a non-existent address: permit udp any any

So it looks like your list is not complete and has some redundancy. Can you
please send me the cisco.com pointer?

thanks - Arif

At 08:53 AM 9/29/2003 -0700, Ralph Simmons wrote:
>Hey guys,
>I am doing a lab where I am supposed to allow traceroute in, along with
>some other protocols. The traceroute part is screwing me up, I
>think. How many lines do I need to configure this inbound? Here is
>what I am able to find off cisco.com but it seems like way too many
>lines. Do I really need this many just to permit traceroute back in?
>
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 administratively-prohibited
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 echo-reply
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 packet-too-big
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 time-exceeded
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 traceroute
>access-list 102 permit icmp any 192.168.27.128 0.0.0.127 unreachable
>access-list 102 deny ip any any
>
>
>
>
>***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
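
The first-match evaluation behind the results above, as an added example that is not part of either post: a small model of the two access lists run against constructed packets. It assumes the standard ICMP numbering for the IOS keywords (unreachable = type 3, time-exceeded = type 11, and so on) and that the router's traceroute sends UDP probes, which is what the "permit udp any any" matches suggest; the host addresses are made up.

```python
import ipaddress

# IOS ICMP keyword -> (type, code); code None means any code of that type.
ICMP_KW = {"echo-reply": (0, None), "unreachable": (3, None),
           "packet-too-big": (3, 4), "administratively-prohibited": (3, 13),
           "echo": (8, None), "time-exceeded": (11, None), "traceroute": (30, None)}

def take_addr(tok):  # pop 'any' or 'address wildcard' -> (addr, wildcard) ints
    n = 1 if tok[0] == "any" else 2
    head = [tok.pop(0) for _ in range(n)]
    return (0, 0xFFFFFFFF) if n == 1 else tuple(int(ipaddress.ip_address(t)) for t in head)

def parse_ace(line):
    tok = line.split()
    ace = {"text": line, "action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["dst"] = take_addr(tok), take_addr(tok)
    ace["icmp"] = ICMP_KW[tok[0]] if tok else None
    return ace

def addr_ok(rule, ip):
    addr, wild = rule  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.ip_address(ip)) | wild) == (addr | wild)

def first_match(acl, pkt):
    """Evaluate top-down; the first matching entry decides, else implicit deny."""
    for ace in acl:
        t, c = ace["icmp"] or (None, None)
        if (ace["proto"] in ("ip", pkt["proto"])
                and addr_ok(ace["src"], pkt["src"]) and addr_ok(ace["dst"], pkt["dst"])
                and (t is None or (pkt.get("type") == t and c in (None, pkt.get("code"))))):
            return ace["action"], ace["text"]
    return "deny", "(implicit deny)"

ACL_102 = [parse_ace(f"permit icmp any 192.168.27.128 0.0.0.127 {k}") for k in (
    "administratively-prohibited", "echo", "echo-reply", "packet-too-big",
    "time-exceeded", "traceroute", "unreachable")] + [parse_ace("deny ip any any")]
ACL_101 = [parse_ace(f"permit icmp any any {k}") for k in (
    "traceroute", "unreachable", "echo-reply", "administratively-prohibited",
    "echo", "time-exceeded")] + [parse_ace("permit udp any any")]

# Constructed inbound packets; both host addresses are made up for the example.
BASE = {"src": "10.0.0.7", "dst": "192.168.27.130"}
PKTS = {"TTL-expired reply": {**BASE, "proto": "icmp", "type": 11, "code": 0},
        "port-unreachable reply": {**BASE, "proto": "icmp", "type": 3, "code": 3},
        "UDP traceroute probe": {**BASE, "proto": "udp"}}

for name, acl in (("101", ACL_101), ("102", ACL_102)):
    for label, p in PKTS.items():
        print(f"ACL {name}: {label:24} -> {first_match(acl, p)}")
```

In this model list 102 passes the ICMP replies to a trace started from the protected subnet but drops an incoming UDP probe at "deny ip any any", and in both lists the administratively-prohibited entry overlaps the broader unreachable entry.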




This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:39 GMT-3