Traceroute is a standard tool in the IP stack that has been around for many years. As you probably already know, it is used to trace the route an IP packet takes from one point to another.
The downside is that a person with malicious intent can quickly discover the devices on your network along with their IP addresses.
A quick Google search shows people are always looking for ways to disable or block traceroute.
Most people end up writing an access list to block traceroute. This method stops the device from responding with its IP address, but it does not mask the fact that there is a device in the path.
For a topology like the one below, in a traditional network a traceroute taken from Workstation A to Switch4 shows 3 hops in between.
I have taken the same topology and configured an Avaya SPB network.
Each of the devices is initially configured with a loopback address.
Here’s switch1’s routing table:
One thing you’ll probably immediately notice is that the next hops refer to other switch names, and some of them are not even directly connected.
A traceroute from switch1 to switch4 produces exactly one hop.
So that’s from one Avaya device to another, but what about from a PC or some other non-Avaya device?
I went ahead and created a different VLAN on each one of the switches in the topology. Here’s the routing table in switch1 now:
I connected my PC to a port in switch1, in VLAN 10. My default gateway is set to switch1’s VLAN 10 interface.
The following are 2 traceroutes to switch4’s addresses.
As you can see, there are a total of 2 hops to my destination: my default gateway, and then the destination itself. In a traditional network we would probably also see switch2 and switch3 in the path.
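To make the difference between the three situations concrete (a plain L3 path, an access list that silences the transit switches, and SPB where the transit switches never touch the IP TTL), here is a small simulation of traceroute's TTL mechanism. It is an added example, not output or code from the lab described in this post; the switch names follow the topology above, but the addresses, the `Node` model and its `mode` values are constructed for the illustration.

```python
"""Constructed simulation of how traceroute exposes transit devices.

Each probe is sent with an increasing TTL. Every IP forwarding hop
decrements the TTL and, when it reaches zero, answers with an ICMP
Time Exceeded that carries the hop's address. Three behaviours are modelled:

  "ip"      plain L3 hop: decrements TTL and answers (traditional network)
  "ip_acl"  L3 hop whose access list drops the reply: the hop still
            consumes a TTL value, so it shows up as a silent '*'
  "spb"     SPB backbone transit: the packet is carried at layer 2, the
            IP TTL is never decremented and the device leaves no trace
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Node:
    name: str
    addr: str   # constructed documentation-range address, not a real device
    mode: str   # "ip", "ip_acl" or "spb"


def build_path(transit_mode: str) -> List[Node]:
    """Workstation A -> switch1 (default gateway) -> switch2 -> switch3 -> switch4.
    Only the two transit switches change behaviour between scenarios."""
    return [
        Node("switch1", "192.0.2.1", "ip"),
        Node("switch2", "192.0.2.2", transit_mode),
        Node("switch3", "192.0.2.3", transit_mode),
        Node("switch4", "192.0.2.4", "ip"),   # destination
    ]


def probe(path: List[Node], ttl: int) -> Optional[str]:
    """Send one probe with the given TTL along the path.
    Returns the address that replies, or None for a silent timeout."""
    for node in path:
        if node is path[-1]:
            return node.addr          # reached the destination: it always answers
        if node.mode == "spb":
            continue                  # L2 backbone transit: TTL untouched, no reply
        ttl -= 1                      # an IP forwarding hop decrements TTL
        if ttl == 0:
            return None if node.mode == "ip_acl" else node.addr
    return None


def traceroute(path: List[Node], max_ttl: int = 30) -> List[str]:
    """Classic traceroute loop: raise the TTL until the destination replies."""
    hops: List[str] = []
    for ttl in range(1, max_ttl + 1):
        reply = probe(path, ttl)
        hops.append(reply if reply else "*")
        if reply == path[-1].addr:
            break
    return hops


def summarize(hops: List[str]) -> Dict[str, int]:
    """Hop count tells an observer how many devices sit in the path;
    addresses_revealed tells them how many of those identified themselves."""
    return {"hops": len(hops), "addresses_revealed": sum(1 for h in hops if h != "*")}


if __name__ == "__main__":
    for label, mode in [("traditional", "ip"), ("acl on transit", "ip_acl"), ("spb", "spb")]:
        hops = traceroute(build_path(mode))
        print(f"{label:15} {' -> '.join(hops):45} {summarize(hops)}")
```

Running it shows the point of the post in numbers: the access list drops the addresses of switch2 and switch3 but still leaves a 4-hop path with two `*` entries, so the existence of two devices is obvious; the SPB path is 2 hops long (gateway, then destination) and gives an observer nothing to count.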
Traceroute is, of course, not an evil tool. It can be useful for legitimate network path discovery. So how would you do that in an SPB network? You would use a layer 2 traceroute. There’s also a layer 2 ping available; here are some outputs:
Now you have seen how configuring Avaya data switches for SPB can obscure the topology of your network from intruders.
You probably want to know how this works; the short answer is IS-IS. The long answer? Get in touch and we are happy to arrange a demo.