Cisco Support Community
Blocking traceroute

Hello all,

I have a Cisco 2921 router. What policy is helpful in blocking traceroute (tracert) from the Internet?

BTW, I use the router for accessing the Internet and for L3 VPN.

Regards,

1 ACCEPTED SOLUTION
Hall of Fame Super Silver

Blocking traceroute

Blocking traceroute can be complex, and attempts to block traceroute could have a negative impact on your network. So I advise you to proceed carefully if you decide that you really want to do this.

You should understand that there are at least two mechanisms that implement traceroute, so you would need to address both of them if you want to block incoming traceroute.

One mechanism for traceroute is used by Cisco and many other vendors and is derived from the Unix implementation, which sends UDP packets using various port numbers (usually middle to high in the UDP port range). To block this implementation of traceroute, your inbound access list would need to deny UDP on a broad range of ports. The obvious danger here is the possibility that some application could be using those port numbers, and you could wind up denying traffic that is actually valid UDP packets and impacting that application.

The other implementation of traceroute is the one used by Windows (and called tracert). This uses ICMP packets. So to block this implementation of traceroute, your inbound access list would need to block all inbound ICMP echo requests. Whether that has a negative impact on your network is something that you would need to evaluate.

HTH

Rick
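An added example, not from the original thread or from Rick's post, of what the two deny rules he describes look like as an IOS extended ACL on the Internet-facing interface. The interface name GigabitEthernet0/0 and the ACL name OUTSIDE-IN are placeholders, and the UDP range 33434-33534 is the conventional default destination-port range of Unix-style and IOS traceroute, not something the thread states; the existing permits for the VPN and partial Internet access are not shown.

```cisco
! Added example, not from the original thread. Assumptions: the Internet-facing
! interface is GigabitEthernet0/0 and the ACL is named OUTSIDE-IN (both are
! placeholders). Existing permits for the VPN and the partial Internet access
! are not shown and must be placed before the final deny.
ip access-list extended OUTSIDE-IN
 remark --- Unix/IOS-style traceroute: UDP probes, conventional default ports 33434-33534
 remark --- Caution: any real UDP service on these ports is blocked too (Rick's warning)
 deny   udp any any range 33434 33534 log
 remark --- Windows tracert: ICMP echo requests. This also blocks ping from the Internet.
 deny   icmp any any echo log
 remark --- ICMP worth keeping so that your own ping/traceroute and PMTU discovery still work
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark --- existing permits for the VPN and partial Internet access go here
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
 ! By default a packet dropped by the ACL is answered with an ICMP
 ! "administratively prohibited" unreachable, which still shows this hop
 ! to the person running traceroute. Suppress that if the goal is to hide the router.
 no ip unreachables
```

Check the match counters with `show access-lists OUTSIDE-IN` while running `traceroute` from a Unix host and `tracert` from a Windows host outside the router. Two caveats a practitioner should weigh: the UDP rule only covers the default port range, so a client told to use other ports, ICMP or TCP probes (Linux traceroute has options for all three) will get through, and `no ip unreachables` also suppresses the "fragmentation needed" unreachables used for path MTU discovery, so leave it off if traffic through this router depends on PMTUD.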

3 REPLIES
New Member

Re: Blocking traceroute

Usually, an ACL is applied at the egress interface in the inbound direction to block all traffic coming from outside except returning traffic; this should block all ICMP traffic as well.
Do you have any ACL on the egress interface?

Blocking traceroute

Hi,

I have applied ACLs on the egress and ingress interfaces; currently the only allowed traffic is VPN, partial Internet, ICMP and traceroute, and the rest is blocked.

But I want to keep ICMP working and only block traceroute.

Regards,

