Hi there,
Platform: ASR1K/CSRv
Anyone know if you can DROP traffic that is denied on an inbound ACL? Traffic that is targeting legitimate hosts (so no pointing to Null 0).
I don't want to use the big hammer that is no ip unreachables, so that traceroute/PMTUD still work.
And denying icmp administratively-prohibited on the outbound ACL is not going to scale, and seems like extra/unnecessary work.
In RFC 1812 it says:
"Routers SHOULD use the newly defined Code 13 (Communication Administratively Prohibited) if they administratively filter packets.
Routers MAY have a configuration option that causes Code 13 (Communication Administratively Prohibited) messages not to be generated. When this option is enabled, no ICMP error message is sent in response to a packet that is dropped because its forwarding is administratively prohibited."
Does anyone know if Cisco implemented this silent DROP functionality specifically for Type 3 Code 13?
Cheers,
pfj