RE: [nsp] icmp blocking

From: Shi, Ning (ning.shi@bellnexxia.com)
Date: Thu Mar 28 2002 - 14:12:42 EST


According to Cisco, there's service impact if the rate-limit is enabled.
"The performance impact of CAR is dependent on the number of CAR rules
applied. The performance impact is also greater on engine 1 linecards, than
engine 0 linecards"

So I worry about whether this rate-limit is feasible. Yes, there's service impact
as well if I totally block the ICMP. So does anybody have some experience to share
for the NSP/ISP network?

Thanks,
-ns

-----Original Message-----
From: Gert Doering [mailto:gert@greenie.muc.de]
Sent: 28 March 2002 12:12 PM
To: Shi, Ning; 'Rob Thomas'; Cisco List
Subject: Re: [nsp] icmp blocking

Hi,

On Thu, Mar 28, 2002 at 12:02:43PM -0500, Shi, Ning wrote:
> I guess this is OK for enterprise network. Any good idea for ISP?

Permit ICMP (with rate-limiting). Really.

It sucks so much if you can't do traceroute/ping to figure out why your
customers can't reach some web server hosted at some other ISP because
they have broken network diagnostics on purpose (read: deny ICMP).

gert

-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert@greenie.muc.de
fax: +49-89-35655025
gert.doering@physik.tu-muenchen.de



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:09 EDT