Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
859
Views
1
Helpful
2
Replies

Preventing ICMP Unreachable on ACL deny

mmelbourne
Level 5
Level 5

‎05-23-2023 02:02 AM

By default, IOS-XR will send an ICMP unreachable message when a packet hits an ACL deny entry. Is there any way to disable this apart from the per-interface ("ipv4 unreachables disable") which has the potential to also break PMTUD.

The issue is a peer on an IXP is leaking traffic sourced with RFC1918 addresses, which is (rightly) being denied by the ACL, but the host unreachable message is being sent back to hosts within our network where that address is also used.

Cheers,
Matt

Labels:
2 Replies 2

Flavio Miranda
VIP
VIP

‎05-23-2023 04:19 AM

Hi

  Initially I though you could block the response which is ICMP code 3 unrecheable. But, there is a discussion here in the forum that offer a more elegant solution. You may like this

https://community.cisco.com/t5/xr-os-and-platforms/block-traceroute-through-ios-xr/td-p/2536584

 

0 Helpful

MHM Cisco World
VIP
VIP

‎05-23-2023 05:33 AM

25885-pmtud-ipfrag-09.png

the PMTUD use ICMP unreachable, 
so we can not disable ICMP unreachable, what I think is using CoPP to prevent CPU from send unreachable ICMP. 
OR 
we can use ACL in to deny ICMP code 3 for specific host and permit all other ICMP unreachable.
did you try ACL ? 

0 Helpful
Customers Also Viewed These Support Documents