[c-nsp] ICMP filtering for the ISP

James Worley james at tridentnet.net
Mon Jan 22 13:10:26 EST 2007



Hi there, hoping for some advice.  Anybody got any experience in
filtering ICMP within an ISP network?

We have a handful of border routers that connect our AS to our transit
providers. I am thinking that it might be a good idea to apply some sort
of ICMP filtering on these boxes. The idea being that as an ISP our
customers are going to want to run things like PING and Traceroute. I am
thinking of putting the following ACLs in place inbound:


    10 permit icmp any any echo
    14 permit icmp any any source-quench
    20 permit icmp any any echo-reply
    24 permit icmp any any 13 0
    30 permit icmp any any unreachable
    40 permit icmp any any packet-too-big
    50 permit icmp any any ttl-exceeded
    60 deny icmp any any

Is there anything else we should be allowing inbound or problems with the
above ACL?

Thanks in advance.

Kindest Regards
James
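An added example, not part of James's post or of any Cisco tool: a small Python model of the ACL above under the first-match semantics an IOS access list uses, so the permit/deny outcome for any ICMP type and code can be checked before the list goes onto a border router. The keyword-to-(type, code) table is an assumption taken from the commonly documented IOS ICMP keywords; confirm it against the IOS release in use. Run against the posted list, it shows that the `packet-too-big` entry (type 3 code 4) is already matched by the earlier `unreachable` entry, that `ttl-exceeded` admits only 11/0 and not 11/1, and that timestamp replies (type 14) are denied inbound even though timestamp requests (13/0) are permitted.

```python
"""Added example, not part of the original post: a first-match model of the
posted inbound ICMP ACL, so the permit/deny outcome for any ICMP type and code
can be checked before the list goes on a border router.

Assumption: the keyword -> (type, code) table below reflects the Cisco IOS
extended-ACL ICMP keywords as commonly documented; confirm it against the
IOS release actually in use."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS ICMP keyword -> (type, code); None means "any code" (assumed mapping).
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "source-quench": (4, None),
    "unreachable": (3, None),      # every type-3 code, including 3/4
    "packet-too-big": (3, 4),      # fragmentation needed: a subset of unreachable
    "ttl-exceeded": (11, 0),       # TTL exceeded in transit only
    "time-exceeded": (11, None),   # TTL exceeded and reassembly time exceeded
    "redirect": (5, None),
    "timestamp-request": (13, None),
    "timestamp-reply": (14, None),
}


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str                  # "permit" or "deny"
    icmp_type: Optional[int]     # None matches any type
    icmp_code: Optional[int]     # None matches any code

    def matches(self, icmp_type: int, icmp_code: int) -> bool:
        if self.icmp_type is not None and self.icmp_type != icmp_type:
            return False
        if self.icmp_code is not None and self.icmp_code != icmp_code:
            return False
        return True

    def covers(self, other: "AclEntry") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        type_ok = self.icmp_type is None or self.icmp_type == other.icmp_type
        code_ok = self.icmp_code is None or self.icmp_code == other.icmp_code
        return type_ok and code_ok


def parse_entry(line: str) -> AclEntry:
    """Parse '<seq> permit|deny icmp any any [<keyword> | <type> [<code>]]'."""
    parts = line.split()
    seq, action = int(parts[0]), parts[1]
    if parts[2:5] != ["icmp", "any", "any"]:
        raise ValueError(f"unsupported entry: {line!r}")
    match = parts[5:]
    if not match:                            # bare 'icmp any any'
        return AclEntry(seq, action, None, None)
    if match[0].isdigit():                   # numeric type [code]
        code = int(match[1]) if len(match) > 1 else None
        return AclEntry(seq, action, int(match[0]), code)
    icmp_type, icmp_code = ICMP_KEYWORDS[match[0]]
    return AclEntry(seq, action, icmp_type, icmp_code)


# The ACL exactly as posted.
POSTED_ACL = """
10 permit icmp any any echo
14 permit icmp any any source-quench
20 permit icmp any any echo-reply
24 permit icmp any any 13 0
30 permit icmp any any unreachable
40 permit icmp any any packet-too-big
50 permit icmp any any ttl-exceeded
60 deny icmp any any
"""
ACL: List[AclEntry] = [parse_entry(l) for l in POSTED_ACL.strip().splitlines()]


def evaluate(acl: List[AclEntry], icmp_type: int,
             icmp_code: int = 0) -> Tuple[Optional[int], str]:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry.matches(icmp_type, icmp_code):
            return entry.seq, entry.action
    return None, "deny"


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Sequence numbers of entries that an earlier entry already fully covers."""
    return [entry.seq for i, entry in enumerate(acl)
            if any(earlier.covers(entry) for earlier in acl[:i])]


def report(acl: List[AclEntry]) -> dict:
    """Verdict for the ICMP messages an ISP edge typically cares about."""
    probes = {
        "echo request (8/0)": (8, 0),
        "echo reply (0/0)": (0, 0),
        "port unreachable, UDP traceroute (3/3)": (3, 3),
        "fragmentation needed, PMTUD (3/4)": (3, 4),
        "TTL exceeded, traceroute hops (11/0)": (11, 0),
        "reassembly time exceeded (11/1)": (11, 1),
        "timestamp request (13/0)": (13, 0),
        "timestamp reply (14/0)": (14, 0),
        "redirect (5/1)": (5, 1),
    }
    return {name: evaluate(acl, t, c) for name, (t, c) in probes.items()}


if __name__ == "__main__":
    for name, (seq, action) in report(ACL).items():
        print(f"{name:42} -> {action} (seq {seq})")
    print("shadowed entries:", shadowed_entries(ACL))
```

Swapping a candidate line into `POSTED_ACL` (for example `time-exceeded` in place of `ttl-exceeded`, or a `timestamp-reply` entry) and re-running `report` is a cheap way to see exactly which message types a change admits before it is pushed to the routers.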


