[62023] in North American Network Operators' Group


RE: 92 Byte ICMP Blocking Problem

daemon@ATHENA.MIT.EDU (Mark Segal)
Mon Sep 15 14:02:21 2003

From: Mark Segal <MSegal@Corporate.FCIBroadband.com>
To: "'johns@sstar.com'" <johns@sstar.com>,
	"'jlewis@lewis.org'" <jlewis@lewis.org>
Cc: "'nanog@nanog.org'" <nanog@nanog.org>
Date: Mon, 15 Sep 2003 13:59:22 -0400
Errors-To: owner-nanog-outgoing@merit.edu


When I checked last week, 1 in 4 packets was an ICMP message, so we
rate-limited ICMP ECHO and ICMP ECHO-REPLY messages. And it only bugged pingers
and Windows traceroute users. All those low-memory alarms are now no
longer plaguing our NMS.

Mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-----Original Message-----
From: John Souvestre [mailto:johns@sstar.com] 
Sent: September 13, 2003 11:53 PM
To: jlewis@lewis.org
Cc: nanog@nanog.org
Subject: RE: 92 Byte ICMP Blocking Problem



Hi.

I've been running with the service policy version and haven't seen any
problem either.  I did notice that it seems to block DOS traceroutes,
however.

John

    John Souvestre - Southern Star - (504) 888-3348 - www.sstar.com


-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
jlewis@lewis.org
Sent: Saturday, September 13, 2003 10:18 PM
To: William Devine, II
Cc: Nanog
Subject: Re: 92 Byte ICMP Blocking Problem
Importance: High


That's really weird.  I've been running with 

! Policy route: both match clauses must hold, then the packet goes to Null0 (dropped)
route-map nachiworm permit 10
 match ip address nachilist
 match length 92 92
 set interface Null0
!
! Only ICMP echo / echo-reply are candidates for the length test
ip access-list extended nachilist
 permit icmp any any echo
 permit icmp any any echo-reply
!
! Applied per interface (transit interfaces and access-server virtual-templates)
ip policy route-map nachiworm

on transit interfaces and the virtual-templates of all our access servers 
that can do it properly (just blocking echo/echo-reply on the older ones 
that can't do the policy) and haven't heard about any customer complaints 
other than "I can't ping" in the places where we've blocked all 
echo/echo-reply.  The routers doing this (7200/7500s) are all running 
12.2(1-3)S.  Access servers are running mostly 12.1M or 12.2XB code. 
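A small Python model of the policy route quoted above, added here as an illustration and not part of the thread or of any poster's configuration. It builds constructed IPv4/ICMP packets and applies the same two tests the route-map does: the nachilist ACL (ICMP echo or echo-reply, any source, any destination) and `match length 92 92` on the Layer 3 total length. That is enough to reproduce the side effect the thread describes: any 92-byte echo is sent to Null0, whatever sent it, while pings of other sizes and non-ICMP datagrams of the same length are forwarded. Function and sample names (`route_map_nachiworm`, `nachilist_permits`, the 10.0.0.x addresses) are assumptions of this example; widening `min_len`/`max_len` models the older boxes that "just block echo/echo-reply".

```python
"""Model of the 92-byte ICMP policy route discussed in the thread (example code,
not the thread's own configuration). Packets are constructed here; no network I/O."""
import socket
import struct

PROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """IPv4 datagram (no options) around an arbitrary payload; constructed sample data."""
    total_len = 20 + len(payload)
    fields = [0x45, 0, total_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_HDR, *fields))   # header checksum
    return struct.pack(IPV4_HDR, *fields) + payload


def build_icmp_echo(src: str, dst: str, icmp_type: int, payload: bytes,
                    ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo (8) or echo-reply (0) inside IPv4. A 64-byte payload gives
    the 92-byte total length (20 IP + 8 ICMP + 64) that the route-map keys on."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload
    return build_ipv4(src, dst, PROTO_ICMP, icmp)


def parse_packet(pkt: bytes) -> dict:
    """Extract only what the policy needs: L3 total length, protocol, ICMP type."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp_type = pkt[ihl] if proto == PROTO_ICMP and len(pkt) >= ihl + 8 else None
    return {"total_len": total_len, "proto": proto, "icmp_type": icmp_type,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def nachilist_permits(info: dict) -> bool:
    """'ip access-list extended nachilist': permit icmp any any echo / echo-reply."""
    return info["proto"] == PROTO_ICMP and info["icmp_type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)


def route_map_nachiworm(pkt: bytes, min_len: int = 92, max_len: int = 92) -> str:
    """'route-map nachiworm permit 10': ACL match AND 'match length min max' must
    both hold for 'set interface Null0'. Returns 'Null0' (dropped) or 'forward'."""
    info = parse_packet(pkt)
    if nachilist_permits(info) and min_len <= info["total_len"] <= max_len:
        return "Null0"
    return "forward"


if __name__ == "__main__":
    # Constructed samples: the 92-byte cases are dropped regardless of who sent them.
    samples = {
        "92-byte echo request (64-byte payload)":
            build_icmp_echo("10.0.0.1", "10.0.0.2", ICMP_ECHO_REQUEST, b"\xaa" * 64),
        "92-byte echo reply":
            build_icmp_echo("10.0.0.2", "10.0.0.1", ICMP_ECHO_REPLY, b"\x00" * 64),
        "84-byte echo request (56-byte payload, unix ping default)":
            build_icmp_echo("10.0.0.1", "10.0.0.2", ICMP_ECHO_REQUEST, b"\x00" * 56),
        "92-byte UDP datagram":
            build_ipv4("10.0.0.1", "10.0.0.2", 17, b"\x00" * 72),
    }
    for name, pkt in samples.items():
        print(f"{name:58s} len={len(pkt):3d} -> {route_map_nachiworm(pkt)}")
```

The model only looks at length and ICMP type, exactly like the router, so any other 92-byte echo (which is why Windows tracert users noticed) lands on Null0 too; the router cannot distinguish them without inspecting the payload.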


