Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Cisco>
  3. NSP
disable or rate-limit icmp-unreachables IOS-XR
cnsp at marenda
Jan 20, 2021, 1:24 AM
Post #1 of 1 (297 views)
Permalink
Hi,

when looking at amsix peering template, I found that generating of icmp
unreachables shall be disabled.

Is that a good idea? Some say it breaks PMTU
(so I am wondering why this was also present in a pppoe virtual-template
just seen on the list here).

Also, several secure-your-network checklists insist on setting it on at
least all external interfaces.

Or rate-limit

RP/0/RSP0/CPU0:ASR9901(config)#icmp ipv4 rate-limit unreachable ?
<1-4294967295> One ICMP unreachable message in x milliseconds(default is
500ms)
DF Fragmentation needed and DF set (code4)
disable Disable rate limit of ICMP messages
RP/0/RSP0/CPU0:ASR9901(config)#

Is this "per chassis" so it will send maximum 2 icmp unreachable messages
per second ?

What is a "good" value to keep things like PMTU working but also the device
happy ? 10ms ?

Thank you for your help,

J?rgen.


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal