RE: [c-nsp] Hiding a Cisco Router from a Traceroute
Murilo Antonio Pugliese
mpugliese at diveo.net.br
Thu Oct 20 14:19:57 EDT 2005
Before trying to deploy MPLS in your whole backbone just to make use of
the "no tag-switching ip propagate-ttl forwarded" command, try the
ip unreachables command:

ip unreachables

To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages,
use the ip unreachables command in interface configuration mode. To disable this function,
use the no form of this command.

ip unreachables
no ip unreachables

Syntax Description: This command has no arguments or keywords.

Defaults: Enabled

Usage Guidelines: If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol
it does not recognize, it sends an ICMP unreachable message to the source.
If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of
no route to the destination address, it replies to the originator of that datagram with an ICMP host
unreachable message. This command affects all types of ICMP unreachable messages.
----------------------------------------------------------------------------------------------------------------------------------------------------------------
The Traceroute Command
http://www.cisco.com/warp/public/63/ping_traceroute.html#traceroute
The traceroute command is used to discover the routes that packets actually take when traveling to their destination.
The device (for example, a router or a PC) sends out a sequence of User Datagram Protocol (UDP) datagrams to an
invalid port address at the remote host.
Three datagrams are sent, each with a Time-To-Live (TTL) field value set to one. The TTL value of 1 causes the datagram
to "timeout" as soon as it hits the first router in the path; this router then responds with an ICMP Time Exceeded Message (TEM)
indicating that the datagram has expired.
Another three UDP messages are now sent, each with the TTL value set to 2, which causes the second router to return ICMP TEMs.
This process continues until the packets actually reach the other destination.
Since these datagrams are trying to access an invalid port at the destination host, ICMP Port Unreachable Messages are returned,
indicating an unreachable port; this event signals the Traceroute program that it is finished.
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Best regards.
Murilo Pugliese.
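The following is an added example, not code from the thread, from Cisco, or from any of the posters. It models the probe/reply exchange in the traceroute description quoted above across a path shaped like Gordon's a.a.a.a / b.b.b.b / c.c.c.c, with two extra core routers, and gives each hop one of the behaviours the thread discusses: a plain IP router, a router whose ICMP replies are filtered by an ACL, an MPLS core that does not propagate the IP TTL, and a router with "no ip unreachables" (modelled, following the IOS description quoted above, as suppressing only ICMP destination-unreachable messages, not time-exceeded). The addresses, hop modes and the "no route beyond the border" cases are constructed for illustration.

```python
"""Model of the traceroute exchange quoted above (UDP probes with rising TTL,
ICMP time-exceeded per hop, ICMP port-unreachable from the target) with the
per-hop behaviours discussed in the thread. Added example with constructed
addresses; it is not IOS code and sends no packets."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_DEST_UNREACH = 3     # code 1 = host unreachable, code 3 = port unreachable
ICMP_TIME_EXCEEDED = 11   # TTL reached zero in transit


@dataclass
class Node:
    ip: str
    # "normal":    decrements TTL and sends type 11 when it expires; sends type 3
    #              when it has no route (router) or the UDP port is closed (host)
    # "filtered":  an ACL discards the ICMP it would send, so the hop prints "*"
    # "mpls_core": label-switched with the IP TTL not propagated into the label,
    #              so the IP TTL is not decremented here and no probe expires
    #              on this node (the effect of "no ... propagate-ttl forwarded")
    # "nounreach": IOS "no ip unreachables": type 3 suppressed, type 11 still sent
    mode: str = "normal"
    has_route: bool = True  # False: this router knows no route towards the target


@dataclass
class Reply:
    src: str
    icmp_type: int
    code: int


def send_probe(path: List[Node], ttl: int) -> Optional[Reply]:
    """Forward one UDP probe (to a closed port) through path[:-1] to path[-1].
    Returns the ICMP reply the prober sees, or None when it would time out."""
    *routers, target = path
    for r in routers:
        if r.mode == "mpls_core":
            continue  # TTL is carried in the label; this hop is invisible
        ttl -= 1
        if ttl == 0:
            return None if r.mode == "filtered" else Reply(r.ip, ICMP_TIME_EXCEEDED, 0)
        if not r.has_route:
            if r.mode in ("filtered", "nounreach"):
                return None  # unreachable message never leaves the router
            return Reply(r.ip, ICMP_DEST_UNREACH, 1)  # host unreachable
    if target.mode in ("filtered", "nounreach"):
        return None
    return Reply(target.ip, ICMP_DEST_UNREACH, 3)  # port unreachable: finished


def traceroute(path: List[Node], max_hops: int = 30, probes: int = 3) -> List[Tuple[int, str]]:
    """Run the probe loop from the quoted description; returns
    [(hop, ip or "*"), ...] and stops at the first destination-unreachable reply."""
    hops = []
    for ttl in range(1, max_hops + 1):
        seen, finished = "*", False
        for _ in range(probes):
            rep = send_probe(path, ttl)
            if rep is None:
                continue
            seen = rep.src
            finished = finished or rep.icmp_type == ICMP_DEST_UNREACH
        hops.append((ttl, seen))
        if finished:
            break
    return hops


# Constructed addresses standing in for the thread's a.a.a.a / b.b.b.b / c.c.c.c,
# plus two (constructed) core routers between the border router and the client.
INTERNET, BORDER, CLIENT = "203.0.113.1", "198.51.100.1", "192.0.2.10"
CORE = ["10.0.0.1", "10.0.0.2"]


def build_path(border_mode: str = "normal", core_mode: str = "normal",
               border_has_route: bool = True) -> List[Node]:
    return ([Node(INTERNET), Node(BORDER, border_mode, border_has_route)]
            + [Node(ip, core_mode) for ip in CORE] + [Node(CLIENT)])


if __name__ == "__main__":
    cases = {
        "plain IP core": build_path(),
        "MPLS core, TTL not propagated": build_path(core_mode="mpls_core"),
        "border ICMP filtered by ACL": build_path("filtered", "mpls_core"),
        "border with no ip unreachables": build_path("nounreach", "mpls_core"),
        "no route beyond border, unreachables on": build_path(border_has_route=False),
        "no route beyond border, unreachables off": build_path("nounreach", border_has_route=False),
    }
    for name, path in cases.items():
        print(name)
        for hop, ip in traceroute(path, max_hops=5):
            print(f"  {hop:2d}  {ip}")
```

Running it side by side shows the three outcomes Saku contrasts: the plain core exposes every router, the MPLS core collapses the trace to a/b/c as in Gordon's example, and the ACL case still shows a hop 2, just as "*". The last two cases show where "no ip unreachables" does bite: a router that has no route towards the target stops answering with host unreachable, so the trace runs to max hops instead of ending at that router.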
-----Original Message-----
From: Saku Ytti [mailto:saku+cisco-nsp at ytti.fi]
Sent: Thursday, October 20, 2005 15:10
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Hiding a Cisco Router from a Traceroute
On (2005-10-20 18:47 +0200), Gordon Bezzina wrote:
> I do not know if this is possible with an ACL, but I would like to hide my
> network topology from the internet.
With an ACL people doing traceroute will notice that there is a node there,
but they will not know its IP.
With MPLS you can hide all your core routers (routers that only
have your routers as adjacent routers).
> Eg. trace to c.c.c.c
>
> 1 a.a.a.a
> 2 b.b.b.b
> 3 c.c.c.c
>
> Assume that c.c.c.c is final client whilst b.b.b.b is my border router and
> a.a.a.a and before is from the Internet. Now I want to set up an ACL that
> hides from b onwards. Excuse my ignorance, but I cannot find a clean way to
> do it. Obviously, I still want my client to be able to perform pings and
> traceroutes to the external world.
>
> Thanks/Regards
> Gordon Bezzina
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
++ytti