[c-nsp] ICMP filtering for the ISP
James Worley
james at tridentnet.net
Mon Jan 22 13:10:26 EST 2007
Hi there, hoping for some advice. Anybody got any experience in
filtering ICMP within an ISP network?
We have a handful of border routers that connect our AS to our transit
providers. I am thinking that it might be a good idea to apply some sort
of ICMP filtering on these boxes. The idea being that as an ISP our
customers are going to want to run things like PING and Traceroute. I am
thinking of putting the following ACLs in place inbound:
10 permit icmp any any echo
14 permit icmp any any source-quench
20 permit icmp any any echo-reply
24 permit icmp any any 13 0
30 permit icmp any any unreachable
40 permit icmp any any packet-too-big
50 permit icmp any any ttl-exceeded
60 deny icmp any any
Is there anything else we should be allowing inbound or problems with the
above ACL?
Thanks in advance.
Kindest Regards
James
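
Added example, not part of the original post: a small Python first-match evaluator for the ACL quoted above, using the standard ICMP type/code numbers behind the IOS keywords. It reports which ICMP messages the list passes and which entries are shadowed by an earlier one; the function names and the `ENTRIES` constant are this example's own.

```python
# Added example: first-match evaluation of the ICMP ACL quoted in the post.
# Keyword -> (type, code); None = any code (assumed for type-only keywords).
KEYWORDS = {
    "echo": (8, None), "echo-reply": (0, None), "source-quench": (4, None),
    "unreachable": (3, None), "packet-too-big": (3, 4), "ttl-exceeded": (11, 0),
}

ACL = """\
10 permit icmp any any echo
14 permit icmp any any source-quench
20 permit icmp any any echo-reply
24 permit icmp any any 13 0
30 permit icmp any any unreachable
40 permit icmp any any packet-too-big
50 permit icmp any any ttl-exceeded
60 deny icmp any any
"""

def parse(acl_text):
    """Return [(seq, action, icmp_type, icmp_code)]; None is a wildcard."""
    entries = []
    for line in acl_text.splitlines():
        seq, action, _proto, _src, _dst, *match = line.split()
        if not match:
            t, c = None, None
        elif match[0] in KEYWORDS:
            t, c = KEYWORDS[match[0]]
        else:  # numeric form: type [code]
            t, c = int(match[0]), (int(match[1]) if len(match) > 1 else None)
        entries.append((int(seq), action, t, c))
    return entries

def evaluate(entries, icmp_type, icmp_code):
    """First matching entry wins, as in IOS; returns (seq, action)."""
    for seq, action, t, c in entries:
        if t in (None, icmp_type) and c in (None, icmp_code):
            return seq, action
    return None, "deny"  # implicit deny at the end of every ACL

def shadowed(entries):
    """[(seq, earlier_seq)] for entries fully covered by an earlier entry."""
    out = []
    for i, (seq, _, t, c) in enumerate(entries):
        for pseq, _, pt, pc in entries[:i]:
            if pt in (None, t) and pc in (None, c):
                out.append((seq, pseq))
                break
    return out

ENTRIES = parse(ACL)
```

`shadowed(ENTRIES)` flags entry 40, because `unreachable` at entry 30 already matches every type 3 code including packet-too-big. `evaluate(ENTRIES, 11, 1)` and `evaluate(ENTRIES, 12, 0)` show fragment-reassembly time exceeded and parameter-problem falling through to the deny at entry 60.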