As I make progress through the INE workbooks I’m writing posts about features that I find interesting and that might not be that known to the general public. I wasn’t aware that you could filter packets based on TTL in IOS. I’m not sure where this would be used in the real world but one use could be to filter BGP packets coming in from external peers and checking the TTL of the packets. BGP does this by itself, but one scenario could be someone trying to flood BGP packets towards a router and then it might be better to filter them in an ACL then to let the CPU handle the packets. One important note when doing TTL filtering, look at this picture.

On ingress the ACL is checked before the TTL is decremented. On egress the ACL is checked after the TTL has been decremented.

Lets take a look at the configuration.

Rack20R4(config)#ip access-list extended TTL
Rack20R4(config-ext-nacl)#deny ip any any ttl ?
  eq     Match only packets on a given TTL number
  gt     Match only packets with a greater TTL number
  lt     Match only packets with a lower TTL number
  neq    Match only packets not on a given TTL number
  range  Match only packets in the range of TTLs

So we have a few options here, we can match on an exact TTL or a range or a TTL less than or greater than a value. We have a lot of options. In this example we will filter packets with TTL less than 3.

Rack20R4(config-ext-nacl)#deny ip any any ttl lt 3
Rack20R4(config-ext-nacl)#permit ip any any

Packets with TTL less than 3 are denied and the rest are allowed. We need to apply the ACL to an interface, we are filtering packets outbound in this example.

Rack20R4(config-if-range)#int s0/0/0
Rack20R4(config-if)#ip access-group TTL out

This is how the ACL looks so far.

Rack20R4#show access-lists TTL
Extended IP access list TTL
    10 deny ip any any ttl lt 3
    20 permit ip any any

Let’s try a traceroute. The traceroute command can set a min and max TTL. If we set it to min 4 the packet will pass and we will see hop 4 and onward in the trace. If we set it to 1 the packet will be filtered.

Rack20R6#traceroute 183.20.123.2 ttl 1 10
Type escape sequence to abort.
Tracing the route to 183.20.123.2
  1 183.20.46.4 4 msec 0 msec 0 msec
  2 183.20.46.4 !A  *  !A
Rack20R6#traceroute 183.20.123.2 ttl 4 10
Type escape sequence to abort.
Tracing the route to 183.20.123.2
  4 183.20.107.7 32 msec 40 msec 32 msec
  5 183.20.17.1 28 msec 28 msec 28 msec
  6 183.20.123.2 72 msec *  72 msec

 

This is the log output.

Mar  3 02:11:45.003: %SEC-6-IPACCESSLOGP: list TTL denied udp 183.20.46.6(0) -> 183.20.123.2(0), 1 packet

And finally, we have matches in the ACL.

Rack20R4# show access-lists TTL
Extended IP access list TTL
    10 deny ip any any ttl lt 3 log (3 matches)
    20 permit ip any any (168 matches)

So this post has showed how we can filter packets based on TTL in IOS. Post feedback in comments if you like these posts.

Filtering packets by TTL in Cisco ACL
Tagged on:             

One thought on “Filtering packets by TTL in Cisco ACL

  • April 27, 2011 at 8:50 am
    Permalink

    Hi

    Can v do the same configuration in iOS XR image.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *