New Member

Block traceroute through IOS XR

Hi everyone,

I am a system engineer from China.

I just want to ask some IOS XR questions, as follows; I hope someone can help me.

A customer using "traceroute" can learn how many devices are in our network.

I want to block these traceroute responses from our devices.

In IOS I can use the following commands; when they try to traceroute, they receive a * from our devices as the response.

ip access-list extended ICMP
permit icmp any any ttl-exceeded
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any unreachable
!
class-map match-all ICMP
match access-group name ICMP
!
policy-map ICMP
class ICMP
drop
!
control-plane
service-policy output ICMP

In IOS XR, are there commands that accomplish the same function?

Accepted Solution
Cisco Employee
Hi Duhele,

You can go multiple ways about this; a few options:

You can set the punt policer for ttl-expired to zero in LPTS; that prevents the punts of these packets to the LC CPU, which would originate the ICMP unreachable for this purpose.

Another option is to disable the ICMP unreachable generation on an interface.

The third option is to use an ACL, outbound, that blocks the ICMP messages outbound. Although many packets are "inject to wire", which bypasses all egress features, ICMP is not done like that and is subject to ACL and QoS. Note however that in a class-map for QoS you can't match on ICMP, but you can do an ACL.

regards

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
3 REPLIES
New Member

Hi Xander,

Thank you for your reply.

As far as I know, traceroute is based on TTL-exceeded and port unreachable.

Can the LPTS and interface-level unreachable settings control the port unreachable? I am not familiar with these commands.

About the third option: in IOS, the ACL cannot block traffic which is originated by the router itself.

Can IOS XR block traffic which is originated by the router itself?
Cisco Employee

For more information on LPTS check out here:

https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp

As for being able to block self-originating packets: yes, with regards to ICMP, you can. As mentioned, there are some other protocols that are directly injected to the wire, like BFD for example. But ICMP can be matched/blocked via ACL.
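The third option from the accepted solution (an egress ACL on the IOS XR interface), written out as an added configuration example that is not part of the original thread; the interface name and the ACL name are assumptions:

```text
! Added example, not from the thread. Interface and ACL names are assumptions.
ipv4 access-list DENY-TRACEROUTE-REPLIES
 ! time-exceeded replies identify each hop; port-unreachable is the final hop's
 ! reply to the UDP probe, so the probing host only sees * for these hops
 10 deny icmp any any time-exceeded
 20 deny icmp any any port-unreachable
 ! IOS XR ACLs end with an implicit deny: permit everything else explicitly,
 ! otherwise all other traffic leaving the interface is dropped
 30 permit ipv4 any any
!
interface GigabitEthernet0/0/0/0
 ipv4 access-group DENY-TRACEROUTE-REPLIES egress
!
```

Because an egress ACL also filters transit traffic, this suppresses these two ICMP messages from any device whose replies leave through that interface, not only the router's own; check with a traceroute from outside before and after applying it, and verify that the final permit entry is counting hits so transit traffic is not being dropped.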
