First, we do not know what type of device you have, so depending on what device you have you might have to rewrite this just a tad.
For a 3750 switch it would look something like this:
access-list 111 deny icmp any any traceroute
For a firewall such as an ASA or PIX with v7.x, I would think it would be something like this: access-list 111 extended deny icmp any any traceroute
And version 6.x would be
access-list 111 deny icmp any any eq traceroute
Or something similar.
And yes, of course you would have to add it to whichever interface it should belong to,
i.e. the access-group command.
And if you use any, then you block any; if you want to block just the ones you have specified, then you just write the addresses with subnet masks instead of any. In a switch it can be somewhat confusing since it uses a wildcard mask instead of the "more natural and normal way", i.e. if the subnet is 255.255.255.0 then the wildcard would be 0.0.0.255, and so on.
In addition to considering what device the access list will be configured on I believe that we also need to consider what device(s) will be generating the traceroute because that determines what type of packet is used in the traceroute. If Windows end stations are doing tracert then the packets are pings (manipulating the TTL) but if the end stations are IOS or _nix then the traceroute packets are UDP with various higher port numbers (and manipulating the TTL).
It seems to me that the approach of deny icmp any any is overly broad and certainly breaks useful things like Path MTU Discovery. I believe that a more appropriate solution would be to deny the TTL exceeded message and the port unreachable message. Note that doing this would be configured as an outbound filter on the interface which is toward the devices doing the traceroute.
In reference to Narayan's reply, I believe that a blanket deny ICMP between the addresses is overly broad. It will certainly stop traceroute but will stop a lot of other things also.
As I stated in my response if you want to deny traceroute with minimal impact on other things then deny the specific ICMP messages for TTL exceeded and for port unreachable. If you want to deny ping then deny ICMP echo-request and ICMP echo-reply.
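An added example (not posted by anyone in this thread) of the narrower IOS filter described in the reply above: only the two ICMP replies that traceroute depends on are dropped, outbound on the interface facing the hosts that run traceroute. The subnet 192.168.10.0/24 and interface GigabitEthernet0/1 are constructed for the example.

```cisco
! Constructed example: hosts that run traceroute live on 192.168.10.0/24,
! reached through GigabitEthernet0/1 (both assumed).
! Wildcard 0.0.0.255 is the IOS form of subnet mask 255.255.255.0.
!
! Deny only the ICMP messages traceroute relies on, instead of all ICMP:
!  - ttl-exceeded     : returned by each intermediate hop (Windows tracert,
!                       IOS and *nix traceroute all depend on it)
!  - port-unreachable : returned by the final hop to UDP-based traceroute
access-list 111 deny   icmp any 192.168.10.0 0.0.0.255 ttl-exceeded
access-list 111 deny   icmp any 192.168.10.0 0.0.0.255 port-unreachable
! Everything else, including the ICMP messages Path MTU Discovery needs,
! still passes.
access-list 111 permit ip any any
!
! Apply it outbound toward the traceroute sources, so the replies coming
! back to them are what gets dropped.
interface GigabitEthernet0/1
 ip access-group 111 out
!
! To block ping as well, these two entries would have to sit before the
! "permit ip any any" line (numbered ACL entries are matched in order):
!   access-list 111 deny icmp any 192.168.10.0 0.0.0.255 echo
!   access-list 111 deny icmp any 192.168.10.0 0.0.0.255 echo-reply
```

Check the hit counters with "show access-lists 111" after running a traceroute from a host on the subnet to confirm the deny entries, and not the permit, are the ones incrementing.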