I read somewhere on an internet site that traceroute is the opposite of ping. Is this true? The challenge with traceroute is that different OSes and applications implement the traceroute function differently. With this behavior in mind, to block Windows traceroutes, create a security rule using the "ping" application. This is in place to prevent routing loops from bringing your routers to a standstill.
The other use for this is to cleverly find the packet route by adjusting the TTL to 1 for the first packet, then 2, then 3, and so on. What you need to be blocking is the ICMP response type The tricky thing is that you have to block this packet in the Output chain, which means you have to go back to the [General] tab and select Output from the chain list. I tried it again, and with your config I am not able to block traceroute. This is the result I get with the following access list. R2 config access-list deny icmp any host 2.
R2 config access-list deny udp any any. R2 config access-list permit ip any any. R2 config-if ip access-group in. For Windows tracert, it uses ICMP. I forgot to add the deny udp any any line in my previous snippet.
Sorry for that. Keep in mind when doing all of this filtering business that Cisco routers do not block packets that they originate by default. Also, you don't always want to disable ip unreachables on an interface because this prevents some other functions. The most granular solution is to block specific messages sent by the Cisco router using Control Plane Policing and ACLs. This way you can select which ICMP messages the router will send in response.
I checked this in Packet Tracer with the following result: Reply from Before the ACL was applied everything was working, so that makes it clear that both are using ICMP and therefore you effectively break both troubleshooting tools when blocking ICMP, in a Windows environment.
The answer is NO. So, blocking ICMP won't have an impact on traceroute. For the Windows operating system, tracert uses ICMP by default. So, if we block ICMP in that case, we will end up blocking both ping and tracert.
While finding the correct explanation to your question, I came across this fantastic piece on traceroute. Please go through this in its entirety, though it's quite long. You will benefit immensely. Not true. It depends on what interface you apply the ACL. Traceroute succeeds because of UDP transmission. If you block the ICMP messages that are in response to traceroute then the traceroute-ing host will time out. It's just a matter of understanding what the router is doing whenever you are trying to block communication.
Also, depends on what the goal is. BTW, these are all default settings as well. Applying an ACL on the router from which the traffic originates won't have any impact.
Franks's question was whether blocking ICMP would block traceroute as well. And that won't block traceroute. The response from R2 can't be filtered by this ACL as this is tagged in the inbound direction.