08-04-2014 06:50 AM
Hi everyone,
I am a system engineer from China.
I just want to ask some IOS XR questions as follows; I hope someone can help me.
ip access-list extended ICMP
 permit icmp any any unreachable
!
class-map match-all ICMP
 match access-group name ICMP
!
!
policy-map ICMP
 class ICMP
  drop
!
control-plane
 service-policy output ICMP
In IOS XR, are there commands that can accomplish the same function?
08-04-2014 10:09 AM
Hi Duhele,
You can go multiple ways about this; a few options:
You can set the punt policer for ttl-expired to zero in LPTS. That prevents the punts of these packets to the LC CPU, which is what would originate the ICMP unreach in this case.
Another option is to disable the ICMP unreach generation on an interface.
The third option is to use an outbound ACL that blocks the ICMP messages on egress. Although many packets are "inject to wire", which bypasses all egress features, ICMP is not done like that and is subject to ACL and QoS. Note however that in a class-map for QoS you can't match on ICMP, but you can do it in an ACL.
regards
xander
08-04-2014 06:09 PM
Hi Xander,
Thank you for your reply.
As far as I know, traceroute is based on TTL-exceeded and port unreachable.
Can the LPTS and interface-level unreach settings control the port unreachable? I have not used these commands before.
About the third option: in IOS, an ACL cannot block traffic that is originated by the router itself.
Can IOS XR block traffic that is originated by the router itself?
08-06-2014 06:05 AM
For more information on LPTS check out here:
https://supportforums.cisco.com/document/93456/asr9000xr-local-packet-transport-services-lpts-copp
As for being able to block self originating packets, yes with regards to ICMP, you can. As mentioned, there are some other protocols that are directly injected to the wire like BFD for example. But ICMP can be matched/blocked via ACL.
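As an added illustration (not from the original posts), this is how the second and third options described above would look in IOS XR configuration. The egress ACL and the per-interface unreachables setting use standard IOS XR syntax; the ACL name and the interface name are placeholders chosen for the example. The LPTS punt-policer option is not shown because its exact syntax varies by platform and release.

```text
! Option 3: egress ACL that drops router-originated ICMP unreachables.
! Unlike IOS, IOS XR applies egress ACLs to locally generated ICMP,
! so this also catches the port-unreachable replies traceroute relies on.
! Placeholder ACL name: BLOCK-ICMP-UNREACH
ipv4 access-list BLOCK-ICMP-UNREACH
 10 deny icmp any any port-unreachable
 20 deny icmp any any unreachable
 30 permit ipv4 any any
!
! Placeholder interface name
interface GigabitEthernet0/0/0/0
 ipv4 access-group BLOCK-ICMP-UNREACH egress
 ! Option 2: stop this interface from generating ICMP unreachables at all
 ipv4 unreachables disable
!
```

Sequence 10 is redundant with sequence 20 (port-unreachable is one code of the unreachable type) and is kept only to make the traceroute-relevant message explicit. The final permit is required because an IOS XR ACL ends in an implicit deny, which would otherwise drop all egress traffic on the interface.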