From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Tue Jun 21 2005 - 01:33:23 GMT-3
John,
        You just need a PC and Ethereal (download free from
http://www.ethereal.com) to test this out.
        Are we really helping if we just tell someone the answer?  Part
of the CCIE preparation is learning how to solve problems.  This is a
great one for somebody to solve.  You would be amazed at the number of
networking engineers that can't tell you how traceroute works.
        Lastly I'll bet that the Socratic method is better for CCIE
preparation than the "spoon fed" method ;-)
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com 
 
Internetwork Expert, Inc. 
http://www.InternetworkExpert.com 
Toll Free: 877-224-8987 
Direct: 775-745-6404 (Outside the US and Canada) 
-----Original Message-----
From: John Matus [mailto:jmatus@pacbell.net] 
Sent: Monday, June 20, 2005 8:56 PM
To: Brian Dennis; ccie2be; Group Study
Subject: Re: icmp - time-exceeded vs ttl-exceeded
being a philosophy major in college <wonders that did for my marketability>,
i really despise socratic method/dialogue!!! :-p
it would be great if we all had labs to just "test stuff out on"  hehehe
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message ----- 
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
<ccielab@groupstudy.com>
Sent: Monday, June 20, 2005 3:37 PM
Subject: RE: icmp - time-exceeded vs ttl-exceeded
> Tim,
> Did you think about trying the options out?
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Monday, June 20, 2005 3:25 PM
> To: Brian Dennis; 'Group Study'
> Subject: RE: icmp - time-exceeded vs ttl-exceeded
>
> Hi Brian,
>
> As you suggested I did look through the archives and found some
> interesting things that refreshed my memory about reflexive ACLs and
> Traceroute in general.
>
> But, none of the posts I could find talked about the difference between
> time-exceeded vs ttl-exceeded.
>
> I accept the fact that I need to permit time-exceeded to fulfill the
> tasks in IE lab 2 and 3, but I'm still curious as to the difference
> between these 2 icmp options.
>
> My hope is that if I really knew the difference, it would be easier to
> remember which one to use under the pressure of the lab.
>
> Thanks, Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
> Sent: Monday, June 20, 2005 5:31 PM
> To: ccie2be; Group Study
> Subject: RE: icmp - time-exceede vs ttl-exceeded
>
> Tim,
> You should search the archive as there was a long discussion on
> this topic about a year ago.  Also as far as using the traceroute
> option for the ICMP type, if you understand how traceroute works you'll
> know why you don't use it.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Monday, June 20, 2005 2:02 PM
> To: Group Study
> Subject: icmp - time-exceede vs ttl-exceeded
>
> Hi guys,
>
> Let's assume I want to configure a reflexive acl which allows Traceroute
> packets back in.
>
> I'm trying to make sure I select the correct icmp type packet to allow
> back-in.  But, when I do the following I see lots of options.
>
> R5(config)#access-list 101 perm icmp any any ?
>  <0-255>                      ICMP message type
>  administratively-prohibited  Administratively prohibited
>  alternate-address            Alternate address
>  conversion-error             Datagram conversion
>  dod-host-prohibited          Host prohibited
>  dod-net-prohibited           Net prohibited
>  dscp                         Match packets with given dscp value
>  echo                         Echo (ping)
>  echo-reply                   Echo reply
>  fragments                    Check non-initial fragments
>  general-parameter-problem    Parameter problem
>  host-isolated                Host isolated
>  host-precedence-unreachable  Host unreachable for precedence
>  host-redirect                Host redirect
>  host-tos-redirect            Host redirect for TOS
>  host-tos-unreachable         Host unreachable for TOS
>  host-unknown                 Host unknown
>  host-unreachable             Host unreachable
>  information-reply            Information replies
>  information-request          Information requests
>  log                          Log matches against this entry
>  log-input                    Log matches against this entry, including input interface
>  mask-reply                   Mask replies
>  mask-request                 Mask requests
>  mobile-redirect              Mobile host redirect
>  net-redirect                 Network redirect
>  net-tos-redirect             Net redirect for TOS
>  net-tos-unreachable          Network unreachable for TOS
>  net-unreachable              Net unreachable
>  network-unknown              Network unknown
>  no-room-for-option           Parameter required but no room
>  option-missing               Parameter required but not present
>  packet-too-big               Fragmentation needed and DF set
>  parameter-problem            All parameter problems
>  port-unreachable             Port unreachable
>  precedence                   Match packets with given precedence value
>  precedence-unreachable       Precedence cutoff
>  protocol-unreachable         Protocol unreachable
>  reassembly-timeout           Reassembly timeout
>  redirect                     All redirects
>  router-advertisement         Router discovery advertisements
>  router-solicitation          Router discovery solicitations
>  source-quench                Source quenches
>  source-route-failed          Source route failed
>
>
>  time-exceeded                All time exceededs        <----- **************
>
>
>  time-range                   Specify a time-range
>  timestamp-reply              Timestamp replies
>  timestamp-request            Timestamp requests
>  tos                          Match packets with given TOS value
>
>
>  traceroute                   Traceroute        <-----------#############
>
>
>  ttl-exceeded                 TTL exceeded        <-------------*****************
>
>
>
>  unreachable                  All unreachables
>       <cr>
>
>
> Notice how similar the 2 "starred" options look.  What's the difference
> between these 2 options?
>
> Also, if I need to allow Traceroute back-in, why wouldn't I use the
> traceroute option?
>
> TIA, Tim
>
>
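Added example, not part of the original thread or any poster's code: it parses constructed ICMP replies of the kind a UDP-probe traceroute receives and reports which of the ACL keywords from the listing above would match each one. The keyword-to-type/code pairing (numbers per RFC 792 and RFC 1393), the UDP-probe assumption and all function names are assumptions of this example.

```python
import struct

# keyword -> (ICMP type, code); code None means "any code of that type".
# Numbers follow RFC 792 and RFC 1393; pairing them with the IOS keywords
# from the listing is this example's assumption.
KEYWORDS = {
    "time-exceeded": (11, None),
    "ttl-exceeded": (11, 0),
    "reassembly-timeout": (11, 1),
    "unreachable": (3, None),
    "port-unreachable": (3, 3),
    "traceroute": (30, None),
}

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def matching_keywords(msg: bytes) -> set:
    """Return the ACL keywords whose type/code would match this message."""
    if len(msg) < 8 or checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    icmp_type, code = msg[0], msg[1]
    return {k for k, (t, c) in KEYWORDS.items()
            if t == icmp_type and c in (None, code)}

def passes(acl_keywords, msg: bytes) -> bool:
    """True if any permitted keyword matches the message."""
    return bool(matching_keywords(msg) & set(acl_keywords))

# Constructed replies to a UDP-probe traceroute: two intermediate hops
# answer "TTL exceeded in transit", the destination answers "port unreachable".
REPLIES = [build_icmp(11, 0), build_icmp(11, 0), build_icmp(3, 3)]

if __name__ == "__main__":
    for acl in (["traceroute"], ["ttl-exceeded"],
                ["time-exceeded", "port-unreachable"]):
        print(acl, [passes(acl, r) for r in REPLIES])
```
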
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3