05-23-2023 02:02 AM
By default, IOS-XR will send an ICMP unreachable message when a packet hits an ACL deny entry. Is there any way to disable this apart from the per-interface ("ipv4 unreachables disable"), which has the potential to also break PMTUD?
The issue is that a peer on an IXP is leaking traffic sourced with RFC1918 addresses, which is (rightly) being denied by the ACL, but the host unreachable message is being sent back to hosts within our network where that address is also used.
Cheers,
Matt
05-23-2023 04:19 AM
Hi
Initially I thought you could block the response, which is ICMP type 3 unreachable. But there is a discussion here in the forum that offers a more elegant solution. You may like this:
https://community.cisco.com/t5/xr-os-and-platforms/block-traceroute-through-ios-xr/td-p/2536584
05-23-2023 05:33 AM
PMTUD uses ICMP unreachable,
so we cannot disable ICMP unreachable; what I think is using CoPP to prevent the CPU from sending unreachable ICMP.
OR
we can use an ACL in to deny ICMP type 3 for specific hosts and permit all other ICMP unreachables.
Did you try an ACL?
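A worked ACL in the spirit of the reply above, added here as an illustration and not taken from the thread: it keeps ICMP type 3 code 4 (fragmentation needed, the message PMTUD depends on) and drops the remaining destination-unreachable messages headed toward the RFC1918 ranges. The interface name, the egress direction and the choice of all three private ranges are assumptions; whether router-originated ICMP is subject to an egress interface ACL on the platform in use should be confirmed in a lab before relying on this.

```text
ipv4 access-list DROP-UNREACH-TO-RFC1918
 ! keep PMTUD working: type 3 code 4 (fragmentation needed) is always allowed
 10 permit icmp any any packet-too-big
 ! drop the remaining destination-unreachable messages going into private space
 20 deny icmp any 10.0.0.0 0.255.255.255 unreachable
 30 deny icmp any 172.16.0.0 0.15.255.255 unreachable
 40 deny icmp any 192.168.0.0 0.0.255.255 unreachable
 ! everything else is untouched
 50 permit ipv4 any any
!
interface HundredGigE0/0/0/1
 description assumed: link toward the internal network
 ipv4 access-group DROP-UNREACH-TO-RFC1918 egress
!
```

The `show access-lists ipv4 DROP-UNREACH-TO-RFC1918 hardware egress location <lc>` counters on the line card show whether entries 20 to 40 are actually matching once applied.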