sourabh1000_2 Sun, 09/20/2009 - 21:57

Hi,


Please try the commands below on the incoming interface of the router; hope this will work!


ip access-list extended TRACE
 deny icmp any any traceroute
 permit ip any any

suryakant.chavan Sun, 09/20/2009 - 22:29

Hi sourabh,


Thanks for your reply, but it's not working. If you have any other solution, please share.

Richard Burts Mon, 09/21/2009 - 08:40

suryakant


While there is an ICMP message type for traceroute (ICMP message type 30), it is not what is commonly used in traceroute and so the suggestion from sourabh would not work well.


Whether you can implement a filter that will permit ping and not permit traceroute depends on what type of device is generating the traceroute. Since Unix and IOS generate traceroute sending UDP packets to high number ports you may be able to construct a filter to deny this traffic (being careful not to block UDP ports that you might actually need). But since Windows machines (using the tracert command) send ping packets, you would not be able to construct a filter that would deny traceroute and permit ping.


HTH


Rick
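
The filtering behaviour Rick describes, modelled as an added example that is not part of the original thread: three candidate filters are evaluated against constructed sample packets, matching only on protocol, ICMP type and UDP destination port. The packet set, the ACL names and the 33434-33534 port range (the customary Unix traceroute default) are assumptions made for the illustration.

```python
# Constructed sample packets, not captured traffic. 33434 as the first UDP
# port of Unix traceroute and the 33434-33534 range are assumptions here.
ICMP_ECHO, ICMP_TRACEROUTE = 8, 30

PACKETS = {
    "ping":            {"proto": "icmp", "icmp_type": ICMP_ECHO},
    "windows_tracert": {"proto": "icmp", "icmp_type": ICMP_ECHO},
    "unix_traceroute": {"proto": "udp", "dport": 33434},
    "dns_query":       {"proto": "udp", "dport": 53},
}

# Ordered (action, match) rules; an empty match is "ip any any".
ACLS = {
    "icmp_type_30": [("deny", {"proto": "icmp", "icmp_type": ICMP_TRACEROUTE}),
                     ("permit", {})],
    "udp_high_ports": [("deny", {"proto": "udp", "dport_range": (33434, 33534)}),
                       ("permit", {})],
    "icmp_echo": [("deny", {"proto": "icmp", "icmp_type": ICMP_ECHO}),
                  ("permit", {})],
}

def rule_matches(match, pkt):
    """True when every field named in the rule agrees with the packet."""
    for key, want in match.items():
        if key == "dport_range":
            port = pkt.get("dport")
            if port is None or not want[0] <= port <= want[1]:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(acl, pkt):
    """First matching rule wins; fall through to the implicit deny."""
    for action, match in acl:
        if rule_matches(match, pkt):
            return action
    return "deny"

def verdicts(acl_name):
    """Verdict of one ACL for every sample packet."""
    return {name: evaluate(ACLS[acl_name], pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for acl_name in ACLS:
        print(f"{acl_name:15} {verdicts(acl_name)}")
```

The type 30 filter permits every sample packet, the UDP range filter stops only the Unix-style probe, and the echo filter cannot separate ping from tracert because both packets carry the same values in the fields being matched.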
