From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Sun Mar 01 2009 - 19:57:50 ARST
So, what is "access-list 100 permit icmp any any traceroute"? What is the
traceroute option allowing there? It would be nice to know, just in case it
arrives in the lab.
Regards
  ----- Original Message -----
  From: NET HE
  To: ccie.mahmoud@gmail.com ; ezorrilla@tsf.com.pe
  Cc: ccielab@groupstudy.com
  Sent: Sunday, March 01, 2009 4:27 PM
  Subject: RE: Traceroute and RACL
  I used Ethereal to decode the tracert of the Microsoft implementation; it
doesn't use the ICMP traceroute option. Its mechanism is still the
time-exceeded response, then TTL+1.
  The newly added traceroute option of ICMP is used as follows: when a router
receives an ICMP echo-request with the traceroute option, the router is
supposed to send a response back to the ICMP originator.
  There are the following three methods to implement TRACEROUTE functionality
based on time-exceeded and TTL+1. The difference is just the response of the
last stop.
  1) ICMP
  The response of the last stop is echo-reply
  2) UDP
  The response of the last stop is port-unreachable
  3) TCP
  The response of the last stop is port-unreachable
  Best Regards,
  Net (Xin) He
  > Date: Sun, 1 Mar 2009 07:11:32 +1100
  > Subject: Re: Traceroute and RACL
  > From: ccie.mahmoud@gmail.com
  > To: ezorrilla@tsf.com.pe
  > CC: ccielab@groupstudy.com
  >
  > I found out that the MICROSOFT implementation of TRACEROUTE uses ICMP to
  > send the traffic. So I guess in such cases this command will be effective
  > to allow the traceroute inside the outbound [ "access-list 100 permit icmp
  > any any traceroute" ]
  >
  > Mahmoud.
  >
  > On Sat, Feb 28, 2009 at 10:08 PM, Edouard Zorrilla
<ezorrilla@tsf.com.pe>wrote:
  >
  > > Right,
  > >
  > > Cisco routers work with UDP and return ICMP port-unreachable and
  > > time-exceeded. So first UDP, and the return packet is ICMP. Regarding
  > > the RACL, just make sure you allow the returning ICMP port-unreachable
  > > and time-exceeded inside the inbound ACL and of course allow UDP inside
  > > the outbound ACL.
  > >
  > > Rack1R6#sh run int Virtual-Access1
  > > Building configuration...
  > >
  > > Current configuration : 126 bytes
  > > !
  > > interface Virtual-Access1
  > > ip address 54.1.7.6 255.255.255.0
  > > ip access-group inbound in
  > > ip access-group outbound out
  > > end
  > >
  > > Rack1R6#
  > >
  > > Rack1R6#sh ip access-lists inbound
  > > Extended IP access list inbound
  > > 10 permit tcp any any eq bgp (46481 matches)
  > > 20 permit tcp any eq bgp any
  > > 21 permit icmp any any port-unreachable (19 matches)
  > > 22 permit icmp any any time-exceeded
  > > 30 evaluate ME
  > > 40 permit icmp any any echo-reply
  > > 50 deny ip any any log (229160 matches)
  > > Rack1R6#
  > > Rack1R6#sh ip access-lists outbound
  > > Extended IP access list outbound
  > > 10 permit tcp any any reflect ME
  > > 20 permit udp any any reflect ME (273 matches)
  > > 30 permit icmp any any
  > > 40 deny ip any any log
  > > Rack1R6#
  > >
  > > Rack1R6#sh ip cef exact-route 183.1.123.2 54.1.7.254
  > > 183.1.123.2 -> 54.1.7.254 : Virtual-Access1 (attached)
  > > Rack1R6#
  > >
  > > So let's go to Rack1R2 (183.1.123.2):
  > >
  > > Rack1R2#traceroute 54.1.7.254
  > >
  > > Type escape sequence to abort.
  > > Tracing the route to 54.1.7.254
  > >
  > > 1 183.1.123.3 20 msec 8 msec 0 msec
  > > 2 183.1.0.5 4 msec 4 msec 0 msec
  > > 3 183.1.0.4 4 msec 4 msec 4 msec
  > > 4 183.1.46.6 4 msec 4 msec 4 msec
  > > 5
  > > *Feb 28 11:51:46.523: ICMP: time exceeded rcvd from 183.1.123.3
  > > *Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
  > > *Feb 28 11:51:46.531: ICMP: time exceeded rcvd from 183.1.123.3
  > > *Feb 28 11:51:46.535: ICMP: time exceeded rcvd from 183.1.0.5
  > > *Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
  > > *Feb 28 11:51:46.539: ICMP: time exceeded rcvd from 183.1.0.5
  > > *Feb 28 11:51:46.543: ICMP: time exceeded rcvd from 183.1.0.4
  > > *Feb 28 11:51:46.547: ICMP: time exceeded rcvd from 183.1.0.4
  > > *Feb 28 11:51:46.551: ICMP: time exceeded rcvd from 183.1.0.4
  > > *Feb 28 11:51:46.555: ICMP: time exceeded rcvd from 183.1.46.6
  > > *Feb 28 11:51:46.559: ICMP: time exceeded rcvd from 183.1.46.6
  > > *Feb 28 11:51:46.563: ICMP: time exceeded rcvd from 183.1.46.6 * * *
  > > 6 * * *
  > > 7 54.1.7.254 4 msec
  > > *Feb 28 11:52:04.567: ICMP: dst (183.1.123.2) port unreachable rcv from
  > > 54.1.7.254 * 4 msec
  > > Rack1R2#
  > >
  > > Rack1R6#sh ip access-lists ME
  > > Reflexive IP access list ME
  > > permit udp host 54.1.7.254 eq 33448 host 183.1.123.2 eq 41606 (1 match)
  > > (time left 296)
  > > permit udp host 54.1.7.254 eq 33447 host 183.1.123.2 eq 33667 (1 match)
  > > (time left 296)
  > > permit udp host 54.1.7.254 eq 33446 host 183.1.123.2 eq 33777 (1 match)
  > > (time left 293)
  > > Rack1R6#
  > >
  > > Now, regarding the "access-list 100 permit icmp any any traceroute", I
  > > wondered the same before, but after doing some digging I realized that
  > > this is just a kind of historical command, defined in RFC 1393. No more
  > > than this; I haven't seen any application in real life.
  > >
  > > Does anyone?
  > >
  > > Regards
  > >
  > >
  > > ----- Original Message ----- From: "mahmoud genidy" <
  > > ccie.mahmoud@gmail.com>
  > > To: "Cisco certification" <ccielab@groupstudy.com>
  > > Sent: Friday, February 27, 2009 7:11 PM
  > > Subject: Traceroute and RACL
  > >
  > >
  > > Hi GS,
  > >>
  > >> Regarding the TRACEROUTE traffic and how it is related to Reflexive
  > >> ACLs.
  > >>
  > >> According to the Cisco implementation the TRACEROUTE traffic goes out as
  > >> UDP and returns as ICMP (Port unreachable and Time-Exceeded). Am I
  > >> correct?!
  > >>
  > >> BUT I found this command in the DOC CD:
  > >>
  > >> { Router(config)# *access-list 100 permit icmp any any traceroute* }
  > >>
  > >> Then I found that TRACEROUTE is ICMP type 30. Now I'm confused how to
  > >> match it in the OUT and IN direction if I will use RACL!
  > >>
  > >> Any hints?
  > >>
  > >> Thanks
  > >> Mahmoud.
  > >>
  > >>
  > >> Blogs and organic groups at http://www.ccie.net
  > >>
  > >>
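The following is an added example, not part of the thread above and not Cisco's code. It models what the thread works through by hand: a UDP or ICMP-echo traceroute with TTL+1 per probe, the ICMP replies each hop sends back, and how an IOS-style extended ACL pair with a reflexive "evaluate" entry sees those replies. The ACL entries mirror Rack1R6's "outbound" and "inbound" lists; the Interface class is a deliberately simplified model of reflexive-ACL behaviour (sessions are mirrored for TCP/UDP permits with "reflect", the evaluate entry is skipped when nothing matches, implicit deny at the end). The intermediate hop addresses 192.0.2.1 and 192.0.2.2 are constructed, one probe is sent per TTL from a single source port, and TCP probes are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Pkt:
    proto: str               # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0           # UDP ports; 0 when not applicable
    dport: int = 0
    icmp_type: str = ""      # echo, echo-reply, time-exceeded, port-unreachable


def traceroute(src: str, dst: str, hops: List[str], method: str = "udp",
               sport: int = 41606, base_port: int = 33434) -> List[Tuple[Pkt, Pkt]]:
    """One probe per TTL until the destination answers. `hops` lists the routers
    on the path in order and ends with `dst`. Intermediate hops answer with ICMP
    time-exceeded; the destination answers port-unreachable (UDP probe) or
    echo-reply (ICMP echo probe). Returns (probe, reply) pairs."""
    pairs = []
    for ttl, hop in enumerate(hops, start=1):
        if method == "udp":
            probe = Pkt("udp", src, dst, sport, base_port + ttl - 1)  # dport climbs per probe
        elif method == "icmp":
            probe = Pkt("icmp", src, dst, icmp_type="echo")
        else:
            raise ValueError("method must be 'udp' or 'icmp'")
        if hop != dst:
            reply = Pkt("icmp", hop, src, icmp_type="time-exceeded")
        elif method == "udp":
            reply = Pkt("icmp", hop, src, icmp_type="port-unreachable")
        else:
            reply = Pkt("icmp", hop, src, icmp_type="echo-reply")
        pairs.append((probe, reply))
    return pairs


@dataclass
class Ace:
    """One extended-ACL entry; 'any', 0 and '' act as wildcards, as in IOS."""
    action: str
    proto: str                      # ip, tcp, udp, icmp
    src: str = "any"
    dst: str = "any"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""
    reflect: Optional[str] = None   # reflexive list populated on a permit
    matches: int = 0

    def hit(self, p: Pkt) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (0, p.sport) and self.dport in (0, p.dport)
                and self.icmp_type in ("", p.icmp_type))


Entry = Union[Ace, str]             # a str entry is an "evaluate NAME" line


class Interface:
    """Simplified model (assumption, not IOS code) of an interface with an
    outbound and an inbound extended ACL sharing reflexive lists."""

    def __init__(self, outbound: List[Entry], inbound: List[Entry]):
        self.outbound, self.inbound = outbound, inbound
        self.reflexive: Dict[str, List[Ace]] = {}

    def _filter(self, acl: List[Entry], p: Pkt) -> bool:
        for e in acl:
            if isinstance(e, str):                       # "evaluate NAME"
                for r in self.reflexive.get(e.split()[1], []):
                    if r.hit(p):
                        r.matches += 1
                        return True
                continue                                 # no reflected match: keep going
            if e.hit(p):
                e.matches += 1
                if e.action == "permit" and e.reflect and p.proto in ("tcp", "udp"):
                    # Mirror the session: swap addresses and ports. The entry is
                    # UDP/TCP, so ICMP replies to the probe can never match it.
                    self.reflexive.setdefault(e.reflect, []).append(
                        Ace("permit", p.proto, p.dst, p.src, p.dport, p.sport))
                return e.action == "permit"
        return False                                     # implicit deny

    def passes_out(self, p: Pkt) -> bool:
        return self._filter(self.outbound, p)

    def passes_in(self, p: Pkt) -> bool:
        return self._filter(self.inbound, p)


def run(method: str, explicit_icmp_permits: bool = True):
    """Replay a traceroute from Rack1R2 through R6's lists. Returns the verdict
    per reply, the reflexive entries created, and the hit count of a
    'permit icmp any any traceroute' (ICMP type 30, RFC 1393) entry."""
    type30 = Ace("permit", "icmp", icmp_type="traceroute")
    inbound: List[Entry] = [Ace("permit", "tcp", dport=179), Ace("permit", "tcp", sport=179)]
    if explicit_icmp_permits:                                # lines 21/22 of "inbound"
        inbound += [Ace("permit", "icmp", icmp_type="port-unreachable"),
                    Ace("permit", "icmp", icmp_type="time-exceeded")]
    inbound += ["evaluate ME", Ace("permit", "icmp", icmp_type="echo-reply"), type30,
                Ace("deny", "ip")]
    outbound: List[Entry] = [Ace("permit", "tcp", reflect="ME"), Ace("permit", "udp", reflect="ME"),
                             Ace("permit", "icmp"), Ace("deny", "ip")]
    vif = Interface(outbound, inbound)
    hops = ["192.0.2.1", "192.0.2.2", "54.1.7.254"]          # constructed path beyond R6
    verdicts = []
    for probe, reply in traceroute("183.1.123.2", "54.1.7.254", hops, method):
        allowed = vif.passes_out(probe) and vif.passes_in(reply)
        verdicts.append((reply.src, reply.icmp_type, allowed))
    return verdicts, vif.reflexive.get("ME", []), type30.matches


if __name__ == "__main__":
    for method in ("udp", "icmp"):
        for explicit in (True, False):
            verdicts, refl, t30 = run(method, explicit)
            print(method, "explicit icmp permits" if explicit else "reflexive only",
                  verdicts, "reflexive entries:", len(refl), "type-30 hits:", t30)
```

Running it shows the behaviour the lab output above demonstrates: the UDP probe creates a reflexive entry of the form permit udp host 54.1.7.254 eq 33434 host 183.1.123.2 eq 41606, but every reply is ICMP, and for intermediate hops it comes from an address that is not the probe's destination, so the evaluate line never matches it; without the explicit time-exceeded and port-unreachable permits the inbound list falls through to deny ip any any. The type-30 entry records zero hits in every run, since neither probe method generates an ICMP traceroute message.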
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:03 ART