
Stopping an echo reply ???


salmans

Aug 29, 2003
Is it possible to stop a Cisco router from sending an echo reply? I am running a Cisco 827 ADSL (small office) and have done some research but not found anything saying it is possible. I set up an ACL on the dialer port to deny outgoing ICMP echo reply and a few other ICMP uses, but this does not work. I guess comms created by the router are not affected by the ACL. Any help would be appreciated. Thanks.

Bob///
 
Just deny icmp from the internet to the router's external interface. If icmp gets dropped at the outside then the router won't send any reply.

Because of the sobig-F virus I finally got around to blocking icmp on my router last week, and look how many hits I've had in seven days ...

70 deny icmp any host <my_IP> log (11086 matches)


Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Actually a better way is to route the ICMP packets to a NULL interface that you have created. You don't incur the load on the CPU of running the access list and there is not ANY reply of any kind sent back :)


This holds true for any unwanted traffic. For example, I have whole blocks of IP addresses routed to NULL which drives the hackers crazy since the packets just sort of "disappear".


MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
So how do you route all ICMP traffic to null 0 then? I want to block certain types of traffic from all addresses so how do you route based on traffic type?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
It's a two-part answer.

1: you set up an ACL to filter out what you want to route to null.

hostname Router_A
!
int e0
 ! apply the policy to traffic arriving on this interface
 ip policy route-map FOO
!
route-map FOO permit 10
 ! packets permitted by ACL 100 get the policy next hop
 match ip address 100
 set ip next-hop 10.1.1.2
!
access-list 100 permit tcp 172.16.10.0 0.0.0.255 host 192.168.10.1 eq 80
access-list 100 deny ip any any

ACL 100 permits tcp traffic from 172.16.10.x to access 192.168.10.1, and only on port 80. The ip policy route statement will match the ACL to the traffic and any matches will be sent to the next hop FOR THIS TRAFFIC of 10.1.1.2. All other traffic (denied) will go out the default next hop for the general router traffic.

something like this:

access-list 107 deny icmp any any echo-reply


This denies any echo-reply packet of type '0'. There is a list of icmp packet types to choose from:
type '3' is destination unreachable
type '5' is redirect

and so on.
2: you set up the route map, calling the ACL you just made. You can have multiple ACLs called from the route map. See this link


for a good paper on "Transit Access Control Lists", which is what we are really discussing, read this:

Remember that when you use route mapping, the ACL does not deny all and drop the packets; it drops the "denied" packets back into the flow leaving the default interface. So you will use the ACL to act as a gate to route certain packets to a certain interface. In this case, the interface will be NULL.

I hope this makes sense but it's very early here right now and I have yet to have my coffee ;)

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
"So you will use the ACL to act as a gate to route certain packets to a certain interface. In this case, the interface will be NULL."

So how do I route packets that match the route map to the null 0 interface? In the example given anything that matches the ACL gets routed to 10.1.1.2. I want to route that traffic to null 0, but that doesn't appear to be an option ..

dilbert(config-route-map)#set ip next-hop null ?
% Unrecognized command
dilbert(config-route-map)#set ip next-hop ?
A.B.C.D IP address of next hop
peer-address Use peer address (for BGP only)
verify-availability Verify if nexthop is a CDP neighbor

... or am I getting this completely wrong?

Chris.



**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Never mind, I figured it out.

set interface Null0

;-)

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
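The thread settles on two mechanisms: an inbound ACL on the external interface that drops ICMP before the router can answer it (Chris's "deny icmp any host <my_IP> log" line), and a route-map whose ACL acts as a gate that sends selected packets to Null0 (MikeS's two-part answer and Chris's "set interface Null0"). The Python below is an added example, not code from the thread or from Cisco, that simulates both decisions so the gate semantics are visible: it assumes IOS behaviour where a route-map clause policy-routes only packets the referenced ACL permits, a deny (explicit or the implicit deny at the end) just means "not this clause", and a packet no clause matches takes the normal routing path. Because of that, the ACL feeding the route-map uses `permit` to select echo-reply packets. All addresses, packets, the `MY_IP` value and the names `Packet`, `Ace`, `evaluate_acl`, `policy_route` and `demo` are constructed for this example.

```python
"""Simulate IOS-style ACL evaluation and policy-routing to Null0.
Added example; constructed rules and packets, not router output."""
from dataclasses import dataclass
from typing import Optional

# ICMP message types mentioned in the thread (echo is the request the router would answer)
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8}


def ip_to_int(addr: str) -> int:
    o = [int(x) for x in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'; 'any' is 0.0.0.0 255.255.255.255."""
    wc = ip_to_int(wildcard)
    return (ip_to_int(addr) | wc) == (ip_to_int(base) | wc)


@dataclass
class Packet:
    proto: str                      # "icmp", "tcp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit icmp any any echo-reply'."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: Optional[int] = None
    dport: Optional[int] = None
    matches: int = 0                # the "(N matches)" counter shown by the router

    def hits(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate_acl(acl, p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.hits(p):
            ace.matches += 1
            return ace.action
    return "deny"


def policy_route(route_map, p: Packet) -> str:
    """route_map is a list of (acl, target). Only an ACL *permit* selects the
    clause; denied packets fall through and, with no match, use the routing table."""
    for acl, target in route_map:
        if evaluate_acl(acl, p) == "permit":
            return target
    return "default-route"


ANY = ("0.0.0.0", "255.255.255.255")

# Gate ACL for the route-map: select ICMP echo-reply (type 0) and send it to Null0.
ACL_107 = [Ace("permit", "icmp", *ANY, *ANY, icmp_type=ICMP_TYPES["echo-reply"])]
ROUTE_MAP_FOO = [(ACL_107, "Null0")]

# Inbound filter on the external interface: deny icmp to the router, permit the rest.
MY_IP = "203.0.113.10"              # constructed documentation address
INBOUND_ACL = [
    Ace("deny", "icmp", *ANY, MY_IP, "0.0.0.0"),
    Ace("permit", "ip", *ANY, *ANY),
]


def demo() -> dict:
    echo_reply = Packet("icmp", "172.16.10.5", "192.168.10.1", icmp_type=0)
    echo_req = Packet("icmp", "172.16.10.5", "192.168.10.1", icmp_type=8)
    web = Packet("tcp", "172.16.10.5", "192.168.10.1", dport=80)
    probe = Packet("icmp", "198.51.100.7", MY_IP, icmp_type=8)     # echo request from outside
    return {
        "echo-reply": policy_route(ROUTE_MAP_FOO, echo_reply),       # Null0
        "echo": policy_route(ROUTE_MAP_FOO, echo_req),               # default-route
        "tcp/80": policy_route(ROUTE_MAP_FOO, web),                  # default-route
        "inbound-echo": evaluate_acl(INBOUND_ACL, probe),            # deny, no reply sent
        "inbound-deny-matches": INBOUND_ACL[0].matches,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `matches` counter grows exactly like the "(11086 matches)" figure in the log line quoted earlier, which is the check a practitioner would watch to confirm the inbound filter is doing the work rather than the router answering and then filtering.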
 