ICMP, Traceroute and CBAC
Lets say we got a router which is connecting to an insecure (Internet 
) network and we’d like to be able to do ICMP and Traceroute for troubleshooting but we dont want to create static ACLs. I for myself think it somehow feels a bit unsafe to allow everything the router needs for Ping and Traceroute and have it open all the time. Another option is to manually create the holes every time we need it or even remove the ACLs from the interface during that time but I dont really like one of those options. Additionally we dont want to allow the devices behind that router to be able to use Ping and Traceroute towards the Internet.
Based on those points CBAC could be a viable solution to have the router dynamically open the ports only when its needed and close them afterwards.
The sample network is simple:
R1 acts as a client in our internal network and R2 is the perimeter Router which is going to filter every traffic towards the internet, except locally generated ICMP and Traceroute packets. Just to keep it simple R2 will not permit anything else than Traceroute and ICMP but it shouldnt be a problem to change the configuration to allow other applications (HTTP or other stuff). Just keep in mind that for every session the router has to allocate 600 bytes and the more ACL entries the router has to work though the more CPU is needed so keep it as simple as possible 
About
Im a network engineer working for an international medical company based in Basel, Switzerland. I began my professional life in 2000 after 4 years of an IT apprenticeship. I started as the Network Management System responsible with quite a lot other of other tasks inside the Cisco networking field. In 2005 I changed to my current employer where I changed my field of knowledge from part NMS part Networking to full time Networking. I also started to educate myself deeper into networking. After passing the CCNA and CCNP exams I wanted to go further with my education and took the CCIE R&S track instead of doing a school with lots of stuff Im not interested in
I started the CCIE journey in August 2007 with the first of 5 workshops at the Cisco Network Academy in Rapperswil and passed the CCIE in Brussels at 07th of May 2008.
During that time I wrote a lot of documents to keep the stuff I learned and I thought it might be an idea to make it public so it might help other people on their path through the Cisco Certifications. I hope this site gets useful not only for CCIE candidates but also for other networking professionals on their search for knowledge.
If you have any questions or want to contact me, please drop me a line to pashtuk at gmail.com
