92 Byte ICMP Blocking Problem
Mark Segal
MSegal at Corporate.FCIBroadband.com
Mon Sep 15 17:59:22 UTC 2003
When I checked last week 1 in 4 packets was an ICMP message, so we rate
limited ICMP ECHO and ICMP ECHO-REPLY messages. And it only bugged PING'ers
and Windows traceroute users. All those low memory alarms are now no
longer plaguing our NMS.
Mark
--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband
-----Original Message-----
From: John Souvestre [mailto:johns at sstar.com]
Sent: September 13, 2003 11:53 PM
To: jlewis at lewis.org
Cc: nanog at nanog.org
Subject: RE: 92 Byte ICMP Blocking Problem
Hi.
I've been running with the service policy version and haven't seen any
problem either. I did notice that it seems to block DOS traceroutes,
however.
John
John Souvestre - Southern Star - (504) 888-3348 - www.sstar.com
-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
jlewis at lewis.org
Sent: Saturday, September 13, 2003 10:18 PM
To: William Devine, II
Cc: Nanog
Subject: Re: 92 Byte ICMP Blocking Problem
Importance: High
That's really weird. I've been running with

route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0

ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply

ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers
that can do it properly (just blocking echo/echo-reply on the older ones
that can't do the policy) and haven't heard about any customer complaints
other than "I can't ping" in the places where we've blocked all
echo/echo-reply. The routers doing this (7200/7500s) are all running
12.2(1-3)S. Access servers are running mostly 12.1M or 12.2XB code.
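
An added example, not part of the original thread: a small Python model of the route-map quoted above, showing which ICMP packets it would send to Null0. The sample packets are constructed, and the payload sizes used for Windows ping, Linux ping and Windows tracert (32, 56 and 64 bytes) are commonly seen defaults, assumed here.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 8, 11

def build_icmp_packet(icmp_type, payload_len):
    """Constructed sample: minimal IPv4 + ICMP packet (checksums left at zero)."""
    total_len = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + b"\xaa" * payload_len

def matches_nachi_policy(packet):
    """True if the packet would be policy-routed to Null0 by route-map nachiworm."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) <= ihl or packet[9] != 1:
        return False                      # malformed or not ICMP
    (total_len,) = struct.unpack("!H", packet[2:4])
    in_acl = packet[ihl] in (ICMP_ECHO, ICMP_ECHO_REPLY)  # nachilist
    return in_acl and total_len == 92     # match length 92 92 (layer 3 length)

# Constructed samples; payload sizes are assumed common defaults.
SAMPLES = {
    "windows ping (32B data)": build_icmp_packet(ICMP_ECHO, 32),
    "linux ping (56B data)": build_icmp_packet(ICMP_ECHO, 56),
    "windows tracert (64B data)": build_icmp_packet(ICMP_ECHO, 64),
    "echo-reply (64B data)": build_icmp_packet(ICMP_ECHO_REPLY, 64),
    "time-exceeded, 92B total": build_icmp_packet(ICMP_TIME_EXCEEDED, 64),
}

def classify_samples():
    return {name: matches_nachi_policy(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, dropped in classify_samples().items():
        print(f"{name:28s} {'Null0' if dropped else 'forwarded'}")
```

Only the 92-byte echo and echo-reply samples match; the 60- and 84-byte pings and the 92-byte time-exceeded message are forwarded.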