[nsp] AS5300 loosing memory
Niels Bakker
niels=cisco-nsp at bakker.net
Sat Aug 23 01:07:22 EDT 2003

* coldiso at houx.org (Jason Houx) [Fri 22 Aug 2003, 23:20 CEST]:
> We created an acl like this {see below} and applied it to every one of our
> AS5248's - our AS5350, AS5400, and AS5396 did not seem to have near the
[..]
> access-list 199 deny icmp any any
> access-list 199 permit ip any any

That's stupid. ICMP is an important part of the Internet Protocol, and
by blocking it you break a lot of things - Path MTU Discovery, to name
one - and make connection attempts to closed ports take ages to time out
rather than almost instantaneously, to name but two problems instigated
by your overzealous access-list.

-- Niels.
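
As an added illustration that is not part of the original message: a small first-match evaluator showing which ICMP messages the two quoted `access-list 199` lines drop, including the "fragmentation needed" message (type 3, code 4) that Path MTU Discovery depends on. The packets are constructed samples, and `ACL_VARIANT` is a hypothetical alternative assumed here for comparison, not something proposed in the thread.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    icmp_type: Optional[int] = None   # None matches any ICMP type
    icmp_code: Optional[int] = None   # None matches any ICMP code

class Packet(NamedTuple):
    proto: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def evaluate(acl, pkt):
    """First matching rule wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
            continue
        if rule.icmp_code is not None and rule.icmp_code != pkt.icmp_code:
            continue
        return rule.action
    return "deny"

# The two lines quoted in the message.
ACL_QUOTED = [Rule("deny", "icmp"), Rule("permit", "ip")]

# Hypothetical variant (assumption, not from the thread): keep the ICMP
# error messages that other protocols rely on, drop the rest of ICMP.
ACL_VARIANT = [
    Rule("permit", "icmp", 3),    # destination unreachable, all codes
    Rule("permit", "icmp", 11),   # time exceeded
    Rule("deny", "icmp"),
    Rule("permit", "ip"),
]

# Constructed sample packets.
SAMPLES = {
    "frag-needed (PMTUD)": Packet("icmp", 3, 4),
    "port-unreachable": Packet("icmp", 3, 3),
    "echo-request": Packet("icmp", 8, 0),
    "tcp": Packet("tcp"),
}

def compare():
    """Map each sample to (action under quoted ACL, action under variant)."""
    return {n: (evaluate(ACL_QUOTED, p), evaluate(ACL_VARIANT, p))
            for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (quoted, variant) in compare().items():
        print(f"{name:22} quoted={quoted:6} variant={variant}")
```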