Traceroute

navneet_78
Level 1

I do a trace from A to Z with some 10 hops in between. Now suppose there is a subnet on A's LAN which needs to communicate with a server on Z's LAN.

Does each and every hop on the way to Z from A have a route to the source LAN in its routing table?

I have seen, while tracing back to the source in some situations, that there is no route for the source LAN in the devices in between the trace, but I am able to trace and ping to the source subnet.

When we troubleshoot a reachability issue, we need to check each hop for a route to the destination and back. Is there anything else we need to look for?

Awaiting your response.

Regards

Navneet


10 Replies

ankurbhasin
Level 9

Hi Navneet,

There should definitely be a route on every hop to the source in the routing table.

It could be that there is no specific match for the source subnet but there is a default route, or maybe the packets passing some hop are getting NATed and there is a route for the NATed IP address.

I mean, there need not necessarily be a specific route for that subnet; you may have a default route, or maybe PBR configured, which may also have a "set" command pointing to some next hop.

HTH

Ankur

Hi Ankur,

Thanks for the reply. Do I need to look for something else at every hop other than the routes?

Where are the ACLs for allowing access outside generally defined? Is it at the source router or at the core router, which might be a few hops away?

Regards

Navneet

Hi Navneet,

The only thing which needs to be checked on every hop is the routes in the routing table (default route, specific matching route). Also you can check if any policy-based routing is configured on the incoming interfaces, or you can check if any NAT has been configured on interfaces, which may change the IP, and then check the route for the NATed IP address.

Now, ACLs can be defined anywhere depending upon the requirement and network design. They can be applied on the access router also, if you do not want the packet to travel even to the core, or on the core, depending upon what is being blocked and where it is blocked.

Regards,

Ankur
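The hop-by-hop check Ankur describes above (a specific route or a default route at every hop, and NAT changing which address the far-side hops need a route for), as an added example in Python that is not part of the original thread. The router names, routing tables, NAT mapping and addresses are all constructed for this example; PBR is not modelled. It also shows why a "naive" reverse check that looks for the source LAN at every hop reports a missing route even though the ping works.

```python
import ipaddress

# Constructed example: LAN A (10.1.0.0/24) reaches server LAN Z (10.9.0.0/24) through R1 -> R2 -> R3.
# R1 NATs the A LAN to 203.0.113.10 on its outside interface, so R2 only knows the NATed address.
# Tables, hop names and addresses are made up for this example; they are not from the thread.
TABLES = {
    "R1": [("10.1.0.0/24", "connected"), ("0.0.0.0/0", "R2")],
    "R2": [("10.9.0.0/24", "R3"), ("203.0.113.0/24", "R1")],   # note: no route to 10.1.0.0/24
    "R3": [("10.9.0.0/24", "connected"), ("0.0.0.0/0", "R2")],
}
# hop -> (inside prefix, outside address): an "ip nat inside source" style translation
NAT = {"R1": ("10.1.0.0/24", "203.0.113.10")}
PATH = ["R1", "R2", "R3"]


def lookup(hop, dst):
    """Longest-prefix match in hop's table; a default route matches anything as a last resort."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in TABLES[hop]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else f"{best[0]} via {best[1]}"


def hops_without_route(path, dst):
    """Hops along path that have no matching route at all (specific or default) for dst."""
    return [hop for hop in path if lookup(hop, dst) is None]


def translated_source(path, src):
    """Address the rest of the path sees for src, and the hop that translated it (None if no NAT)."""
    src_ip = ipaddress.ip_address(src)
    for hop in path:
        if hop in NAT and src_ip in ipaddress.ip_network(NAT[hop][0]):
            return NAT[hop][1], hop
    return src, None


def return_hops_without_route(path, src):
    """Check the return leg hop by hop.  Hops on the far side of the NAT router must have a route
    to the translated address; the NAT router and anything behind it route on the real source."""
    outside, nat_hop = translated_source(path, src)
    behind_nat = nat_hop is None
    missing = []
    for hop in reversed(path):
        if hop == nat_hop:
            behind_nat = True   # NAT undoes the translation before the routing lookup
        target = src if behind_nat else outside
        if lookup(hop, target) is None:
            missing.append(hop)
    return missing


def check_reachability(path, src, dst):
    """Forward check on dst, NAT-aware return check on src, plus the naive return check for contrast."""
    return {
        "forward_missing": hops_without_route(path, dst),
        "return_missing": return_hops_without_route(path, src),
        "naive_return_missing": hops_without_route(list(reversed(path)), src),
    }


if __name__ == "__main__":
    print(check_reachability(PATH, "10.1.0.5", "10.9.0.2"))
```

With these tables the forward and NAT-aware return checks find no gaps, while the naive return check flags R2, which has no route for 10.1.0.0/24 but does have one for the NATed address. That is the situation in the question: the trace and ping succeed even though an intermediate hop shows no route for the source LAN.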

Hi Ankur,

Thanks for guiding me on that. I have one last doubt with regard to the several ACLs that we define in our routers.

I have seen, for example, ACL 1 permitting the LAN and loopback IP of a particular device.

access-list 1 permit x.x.138.64
access-list 1 permit x.x.0.106

And this is put as a distribute list on EIGRP, saying that EIGRP updates will carry these routes.

Now, my question is, we have other ACLs defined like the below.

access-list 95 permit x.x.26.132
access-list 95 permit x.x.180.254
access-list 95 permit x.x.180.253
access-list 95 permit x.x.181.252
access-list 95 permit x.x.181.253

I know it's a dumb question, but how will they permit or deny any networks? I do not see a destination subnet or IP to which these will be permitted.

Because in some ACLs I see access from a source to a particular subnet, or vice versa, like the below ACL defined on my device.

access-list 161 permit ip host x.x.140.32 any
access-list 161 permit ip host x.x.224.32 any
access-list 161 permit ip host x.x.224.40 any
access-list 161 permit ip host x.x.224.48 any

I am really confused as to how exactly each and every ACL functions. Some are part of the EIGRP routing updates, but what about the others?

Appreciate your response.

Regards

Navneet

Hi Navneet,

ACLs can be classified as standard ACLs, extended ACLs, etc.

Now, when you use a standard ACL you get an option to permit or deny only the source subnet and not the destination, and the range of standard ACLs is from 1-99. That is the reason you see ACL number 95 only permitting a source; there is no check for the destination address.

Now if you check your second set of ACLs, which are extended ACLs, they have the option to define source and destination IP as well as port numbers for better granularity. The extended ACL range is from 100-199, and that is the reason you see 161 as an extended ACL where both source and destination can be defined.

You can use ACLs for many other purposes other than just filtering traffic for security. Actually, ACLs are used to check or classify traffic, and then they can be used in distribute lists to filter route advertisements, in policy-based routing for matching traffic, with QoS, etc.

HTH, if yes please rate the post.

Ankur

Hi Ankur,

Thanks for the response. So you mean all the standard ACLs will most probably be listed in the distribute list for controlling the routing updates?

But what about the other extended ACLs which are permitting other subnets? Isn't EIGRP helping them to propagate the routes?

Regards

Navneet

Hi Navneet,

It depends. It is not necessary that all the standard ACLs will be listed only in a distribute list; you can also use them to filter traffic using the access-group command.

Just configuring the ACLs will not result in anything; you need to use those ACLs. Now it depends whether you are using those ACLs for a distribute list, to filter traffic, or for any other purpose. In your case, maybe the extended ACLs are used to filter traffic and are implemented on an interface using the access-group command.

What you can do is check the ACL number and see where that number is applied. I mean, if it is applied with the access-group command on an interface, it is used for filtering traffic; if it is used in a distribute list, it is used for filtering routes; it could also be used in NAT, or in PBR, or in a dialer list. ACLs can be used in so many places, as they just classify the traffic, and when implemented they can be used for different purposes.

HTH, if yes please rate the post.

Ankur
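A script that does what the accepted answer above recommends, and follows the standard/extended classification from the earlier reply: take a running-config, classify each numbered ACL by its number range, find where each number is actually applied (access-group, distribute-list, access-class, route-map match, NAT, dialer-list), and evaluate a standard ACL against a source address with the implicit deny at the end. This is an added example, not from the thread or from Cisco. The configuration, interface names, route-map name and addresses are constructed for the example; RFC 5737 documentation ranges stand in for the x.x.* values in the posts.

```python
import re
import ipaddress

# Constructed IOS-style configuration (example data, not the poster's config).  ACL 7 is
# deliberately referenced by NAT but never defined, to show that check.
CONFIG = """\
access-list 1 permit 192.0.2.64
access-list 1 permit 192.0.2.106
access-list 95 permit 198.51.100.132
access-list 95 permit 198.51.100.254
access-list 95 permit 198.51.100.253
access-list 120 permit ip 192.0.2.0 0.0.0.255 any
access-list 161 permit ip host 203.0.113.32 any
access-list 161 permit ip host 203.0.113.40 any
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group 161 in
 ip policy route-map TO-BACKUP
!
router eigrp 100
 network 192.0.2.0 0.0.0.255
 distribute-list 1 out GigabitEthernet0/0
!
route-map TO-BACKUP permit 10
 match ip address 120
 set ip next-hop 203.0.113.1
!
line vty 0 4
 access-class 95 in
!
ip nat inside source list 7 interface GigabitEthernet0/0 overload
"""

# Places a numbered ACL can be referenced: (regex, required section prefix, meaning).
# Indented commands are interpreted under the unindented section line above them.
REFERENCE_PATTERNS = [
    (r"^ ip access-group (\d+) (in|out)$",       "interface", "traffic filter"),
    (r"^ distribute-list (\d+) (in|out)",         "router",    "route filter"),
    (r"^ access-class (\d+) (in|out)$",           "line",      "management access"),
    (r"^ match ip address (\d+)$",                "route-map", "PBR/route-map match"),
    (r"^ip nat inside source list (\d+) ",        "",          "NAT"),
    (r"^dialer-list \d+ protocol ip list (\d+)$", "",          "dialer list"),
]


def acl_kind(number):
    """Classify a numbered ACL: standard 1-99 and 1300-1999, extended 100-199 and 2000-2699."""
    n = int(number)
    if 1 <= n <= 99 or 1300 <= n <= 1999:
        return "standard"
    if 100 <= n <= 199 or 2000 <= n <= 2699:
        return "extended"
    return "unknown"


def analyze(config):
    """Return {acl_number: {"kind", "entries", "used_by"}}.  Named ACLs (ip access-list ...) are not handled."""
    acls = {}
    section = ""
    for line in config.splitlines():
        indented = line.startswith(" ")
        if not indented:
            section = "" if line.startswith("!") else line.strip()
        m = re.match(r"^access-list (\d+) (permit|deny) (.*)$", line)
        if m:
            acl = acls.setdefault(m.group(1), {"kind": acl_kind(m.group(1)), "entries": [], "used_by": []})
            acl["entries"].append(f"{m.group(2)} {m.group(3)}")
            continue
        for pattern, where, purpose in REFERENCE_PATTERNS:
            m = re.match(pattern, line)
            if not m or (indented and not section.startswith(where)):
                continue
            acl = acls.setdefault(m.group(1), {"kind": acl_kind(m.group(1)), "entries": [], "used_by": []})
            acl["used_by"].append(f"{purpose} ({section if indented else 'global'})")
    return acls


def standard_acl_decision(entries, src_ip):
    """Evaluate standard (source-only) ACL entries top-down; unmatched traffic hits the implicit deny."""
    src = int(ipaddress.ip_address(src_ip))
    for entry in entries:
        action, *args = entry.split()
        if args[0] == "any":
            return action
        if args[0] == "host":
            addr, wild = args[1], "0.0.0.0"
        else:
            addr, wild = args[0], (args[1] if len(args) > 1 else "0.0.0.0")  # no wildcard = exact host
        a, w = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(wild))
        if ((src ^ a) & ~w) & 0xFFFFFFFF == 0:   # wildcard bits set to 1 are "don't care"
            return action
    return "deny"


if __name__ == "__main__":
    for number, info in sorted(analyze(CONFIG).items(), key=lambda kv: int(kv[0])):
        uses = ", ".join(info["used_by"]) or "NOT APPLIED ANYWHERE"
        defined = f"{len(info['entries'])} entries" if info["entries"] else "NOT DEFINED"
        print(f"access-list {number:>4} {info['kind']:<8} {defined:<12} -> {uses}")
```

On the box itself the same lookup is `show running-config | include <number>` to find the references and `show ip interface <if>` to see which access list is applied inbound or outbound; `show access-lists` shows the entries and match counters. The evaluation function is the point of Navneet's question: ACL 95 never mentions a destination because a standard ACL only ever tests the source address, and a source that matches none of its lines is dropped by the implicit deny.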

Hi Ankur,

Thanks for going through the pain of explaining the whole process to me. It really helped clear my doubts.

Cheers

Navneet

Hi

The first two access-lists in the above post are standard access-lists, which work on the source address. As you have permit statements in the output, there will be an implicit deny statement at the end of every access-list.

Defining them in a distribute-list may be used to allow or deny updates from these networks, depending upon the scenario.

And the access-list below is an extended access-list, which works on source and destination addresses.

Thanks

Mahmood

It will actually depend on the scenario, but standard access lists are set as close to the source as possible.