Cisco Support Community
Community Member

deny traceroute

Hi all,

What access-list do I need to configure to deny traceroute from to


Re: deny traceroute

You would be required to deny ICMP:

access-list 101 deny icmp

access-list 101 permit ip any any

Apply the access-list inbound to the interface connecting to network.

This will block ICMP, which includes ping as well as trace.



Hall of Fame Super Blue

Re: deny traceroute


ip access-list extended dntrace

deny ip option traceroute

permit ip any any

int fa0/0

ip address

ip access-group dntrace in

Edit - actually, scrap this, as I have just tested from a W2K server and it doesn't work!! Apologies.



Re: deny traceroute


Kindly check the below access-list and apply it as close to the source as possible.

access-list 100 permit icmp any echo

access-list 100 permit icmp any echo-reply

access-list 100 deny icmp time-exceeded

access-list 100 permit ip any any


Mohamed Sobair


Re: deny traceroute

First, we do not know what type of device you have, so depending on what device you have you might have to rewrite this just a tad.

For a 3750 switch it would look something like this:

access-list 111 deny icmp any any traceroute

For a firewall such as ASA or PIX with v7.x I would think it would be something like this: access-list 111 extended deny icmp any any traceroute

And version 6.x would be

access-list 111 deny icmp any any eq traceroute

or something similar.

And yes, of course you would have to add it to whichever interface it should belong to,

i.e. the access-group command.

And if you use any, then you block any; if you want to block just the ones you have specified, then you just write the addresses with subnet masks instead of any. In a switch it can be somewhat confusing since it uses a wildcard mask instead of the "more natural and normal way", i.e. if the subnet is then the wildcard would be and so on.

Good luck

Hall of Fame Super Gold

Re: deny traceroute

In addition to considering what device the access list will be configured on I believe that we also need to consider what device(s) will be generating the traceroute because that determines what type of packet is used in the traceroute. If Windows end stations are doing tracert then the packets are pings (manipulating the TTL) but if the end stations are IOS or _nix then the traceroute packets are UDP with various higher port numbers (and manipulating the TTL).

It seems to me that the approach of deny icmp any any is overly broad and certainly breaks useful things like Path MTU Discovery. I believe that a more appropriate solution would be to deny the TTL exceeded message and the port unreachable message. Note that doing this would be configured as an outbound filter on the interface which is toward the devices doing the traceroute.



Community Member

Re: deny traceroute

Refer to Narayan's reply.

How about if I want to separate the purpose

(1) Only deny traceroute but able to ping

(2) Only deny ping but able to traceroute

Thx !

Hall of Fame Super Gold

Re: deny traceroute

In reference to Narayan's reply, I believe that a blanket deny ICMP between the addresses is overly broad. It will certainly stop traceroute but will stop a lot of other things also.

As I stated in my response if you want to deny traceroute with minimal impact on other things then deny the specific ICMP messages for TTL exceeded and for port unreachable. If you want to deny ping then deny ICMP echo-request and ICMP echo-reply.
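To make the trade-off discussed in this reply and in the earlier "Hall of Fame Super Gold" reply concrete, here is an added example (illustrative code written for this page, not configuration from the thread or from Cisco): a small Python model of first-match ACL evaluation that runs the blanket "deny icmp" variant, the targeted "deny time-exceeded / port-unreachable" variant, and the "deny echo / echo-reply" variant against the packets that Windows tracert, Unix/IOS traceroute, ping and Path MTU Discovery each need. The `Packet` and `Ace` classes, the ACL names and the sample flows are all constructed for the example; the model applies one ACL to both directions of a flow, whereas on a router you would place the entries on the interface and direction that actually carries those packets, as the reply above describes for the outbound filter toward the tracing hosts.

```python
"""Model of how the ACL variants in this thread treat traceroute, ping and
Path MTU Discovery.  Added example: a toy first-match ACL evaluator, not
Cisco IOS and not code from the thread."""
from dataclasses import dataclass
from typing import Optional, Tuple

# ICMP type/code pairs used below (real IANA values); the comment on each
# gives the IOS extended-ACL keyword that matches it.
ECHO_REQUEST = (8, 0)      # echo
ECHO_REPLY = (0, 0)        # echo-reply
TIME_EXCEEDED = (11, 0)    # time-exceeded (each hop sends this as TTL expires)
PORT_UNREACHABLE = (3, 3)  # port-unreachable (final host, UDP traceroute)
FRAG_NEEDED = (3, 4)       # packet-too-big; Path MTU Discovery depends on it


@dataclass(frozen=True)
class Packet:
    proto: str                          # "icmp", "udp" or "tcp"
    icmp: Optional[Tuple[int, int]] = None   # (type, code) when proto == "icmp"
    dport: Optional[int] = None         # destination port for udp/tcp


@dataclass(frozen=True)
class Ace:
    """One access-list entry, evaluated top-down like an IOS extended ACL."""
    action: str                         # "permit" or "deny"
    proto: str                          # "icmp", "udp", "tcp" or "ip" (any)
    icmp: Optional[Tuple[int, int]] = None
    dport_range: Optional[Tuple[int, int]] = None   # (low, high) inclusive

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.icmp is not None and self.icmp != pkt.icmp:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if pkt.dport is None or not lo <= pkt.dport <= hi:
                return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed sample flows: the packets each application needs to pass.
# Both directions are evaluated against one ACL to keep the model small.
FLOWS = {
    "windows tracert": [Packet("icmp", ECHO_REQUEST),
                        Packet("icmp", TIME_EXCEEDED),
                        Packet("icmp", ECHO_REPLY)],
    "unix traceroute": [Packet("udp", dport=33434),
                        Packet("icmp", TIME_EXCEEDED),
                        Packet("icmp", PORT_UNREACHABLE)],
    "ping": [Packet("icmp", ECHO_REQUEST), Packet("icmp", ECHO_REPLY)],
    "path mtu discovery": [Packet("tcp", dport=443), Packet("icmp", FRAG_NEEDED)],
}

# The three ACL styles from the thread, each ending in "permit ip any any".
ACLS = {
    "blanket deny icmp": [Ace("deny", "icmp"), Ace("permit", "ip")],
    "deny traceroute only": [Ace("deny", "icmp", TIME_EXCEEDED),
                             Ace("deny", "icmp", PORT_UNREACHABLE),
                             Ace("permit", "ip")],
    "deny ping only": [Ace("deny", "icmp", ECHO_REQUEST),
                       Ace("deny", "icmp", ECHO_REPLY),
                       Ace("permit", "ip")],
}


def flow_allowed(acl, flow) -> bool:
    """A flow works only if every packet it needs is permitted."""
    return all(evaluate(acl, p) == "permit" for p in flow)


def report(acl_name: str) -> dict:
    """Map each sample flow to True (works) or False (blocked) under one ACL."""
    acl = ACLS[acl_name]
    return {name: flow_allowed(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for acl_name in ACLS:
        print(acl_name)
        for flow_name, ok in report(acl_name).items():
            print(f"  {flow_name:<20} {'works' if ok else 'BLOCKED'}")
```

Running it shows the point of the two replies: the blanket "deny icmp" variant blocks all four flows, including Path MTU Discovery, while denying only time-exceeded and port-unreachable blocks both traceroute styles and leaves ping and PMTUD working. It also shows that the answer to question (2) depends on who is tracing: denying echo and echo-reply still stops Windows tracert, because, as noted above, tracert is built on ICMP echo, whereas a UDP-based Unix or IOS traceroute keeps working.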


