traceroute question


Guys,

Please take a look at this question in the CCIE written. What answer do you think is correct?

From what I understood before, A seemed to be the correct one, because the source only sends UDP and the destination only responds with an ICMP reply. But after I did a lab test, it seems none of these are correct.

My answer is to add “permit udp and permit icmp echo” in the IN ACL.

Correct me if I am wrong.

Thanks,

Han,

You are the network administrator at ABC. You are troubleshooting a network problem. You want to trace the route to a Unix workstation that you want to reach through the Internet. However, Traceroute does not work.

Currently, there is an inbound access-list applied to the serial interface on Router 1. An entry in the access-list states "access-list 101 permit tcp any any". What access-list entry may need to be added to the access-list in order to get traceroute to work?

A. access-list 101 permit udp any any

B. access-list 101 permit icmp any any time-exceeded
   access-list 101 permit icmp any any port-unreachable

C. access-list 101 permit icmp any any time-exceeded
   access-list 101 permit icmp any any net-unreachable

D. access-list 101 permit icmp any any echo
   access-list 101 permit icmp any any net-unreachable

E. access-list 101 permit udp any any
   access-list 101 permit icmp any any protocol-unreachable

=============

Lab settings and results.

topology:

R3620--r1--pc

The basic running conf of R3620 is the following:

interface Loopback0

ip address 100.100.100.100 255.255.255.0

interface Serial1/2

ip address 3.3.3.1 255.255.255.0

ip access-group 101 in

access-list 101

10 permit tcp any any

20 permit udp any any (591 matches)

30 permit icmp any any ================= question is from here.

Then the result from the PC without line 30 present -- int on R3620 unreachable.

C:\>tracert 100.100.100.100

Tracing route to 100.100.100.100 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms 192.168.1.11

2 3.3.3.1 reports: Destination net unreachable.

Trace complete.

The result from the PC when line 30 is present -- works fine.

C:\>

C:\>

C:\>tracert 100.100.100.100

Tracing route to 100.100.100.100 over a maximum of 30 hops

1 <10 ms <10 ms <10 ms 192.168.1.11

2 30 ms 30 ms 30 ms 100.100.100.100

Trace complete.

steve_steele Fri, 01/11/2008 - 01:01

Trace sends out a UDP packet to the destination device with a destination port of 33434 (by default), initially with a TTL of 1, which increments as the trace continues.

In response, each router on the route will send back an ICMP time-exceeded message.

When the destination is eventually reached, the device will not be listening on the UDP port, so it will respond with an ICMP port-unreachable.

The UDP needs to be permitted outbound, but inbound ICMP port-unreachable and time-exceeded need to be allowed through.

I'm pretty sure I'm right, but there are a lot cleverer people on here than me that may prove me wrong.

Hope this helps

Steve
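
The reasoning in the reply above, checked against answer options A-E and the lab ACL, as an added example that is not part of either post: a small Python model of first-match ACL evaluation with the implicit deny. It only handles `any any` entries, and it assumes (the page does not say so) that the Windows `tracert` in the lab probes with ICMP echo requests, which the inbound ACL on R3620 then filters.

```python
# Added example: a small model of first-match ACL evaluation, not Cisco code.
BASE = ["access-list 101 permit tcp any any"]    # entry given in the question
ICMP = "access-list 101 permit icmp any any "
UDP = "access-list 101 permit udp any any"
OPTIONS = {                                       # answer options A-E
    "A": [UDP],
    "B": [ICMP + "time-exceeded", ICMP + "port-unreachable"],
    "C": [ICMP + "time-exceeded", ICMP + "net-unreachable"],
    "D": [ICMP + "echo", ICMP + "net-unreachable"],
    "E": [UDP, ICMP + "protocol-unreachable"],
}
# Packets arriving inbound on the tracing side during a UDP-probe trace, as
# described in the reply above: (protocol, ICMP message name or None).
UDP_TRACE_REPLIES = [("icmp", "time-exceeded"), ("icmp", "port-unreachable")]
# Lab case. Assumption: tracert probes are ICMP echo requests, and the ACL is
# inbound on the traced router, so it filters the probes themselves.
TRACERT_PROBES = [("icmp", "echo")]
LAB_10_20 = BASE + [UDP]                          # lab ACL without line 30
LAB_10_30 = LAB_10_20 + [ICMP.strip()]            # lab ACL with line 30


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO any any [ICMP-MESSAGE]'."""
    f = line.split()
    if len(f) < 6 or f[0] != "access-list" or f[4:6] != ["any", "any"]:
        raise ValueError("only 'any any' entries are modelled: " + line)
    return f[2], f[3], (f[6] if len(f) > 6 else None)


def acl_permits(acl_lines, packet):
    """First matching entry decides; no match falls to the implicit deny."""
    proto, msg = packet
    for action, ace_proto, ace_msg in map(parse_ace, acl_lines):
        if ace_proto == proto and ace_msg in (None, msg):
            return action == "permit"
    return False


def trace_works(acl_lines, packets):
    """True when every packet the trace depends on passes the ACL."""
    return all(acl_permits(acl_lines, p) for p in packets)


def options_passing(packets):
    """Answer options that, added to BASE, let all the packets through."""
    return [k for k, extra in OPTIONS.items()
            if trace_works(BASE + extra, packets)]


if __name__ == "__main__":
    print("UDP-probe trace works with:", options_passing(UDP_TRACE_REPLIES))
    print("lab, lines 10-20:", trace_works(LAB_10_20, TRACERT_PROBES))
    print("lab, lines 10-30:", trace_works(LAB_10_30, TRACERT_PROBES))
```

Under that assumption the model reproduces both lab runs: the echo probes fall to the implicit deny with only lines 10 and 20, and pass once line 30 is present.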
