[c-nsp] Opinions about ICMP Destination Unreachable
Dino Farinacci
dino at cisco.com
Thu Nov 27 12:19:08 EST 2008
Thanks all for your replies.
The Nexus 7000 defaults IPv4 ICMP Destination Unreachables to off but
Port Unreachables to on. But when any DUs are configured on, we rate-limit
to 1 per second per interface (where interface is the next-hop interface
used to send the DU to the source of the invoking packet).
Dino
On Nov 27, 2008, at 4:16 AM, sthaug at nethelp.no wrote:
>>> I am just wondering how many people have ICMP Destination Unreachables
>>> disabled on their core routers. Could a CPE router, which may encapsulate
>>> data, be able to depend on ICMP Unreachables to be sent to it?
>>>
>>> I know there are many cases where router implementations default it to off
>>> (to not send ICMP DUs), but wondering who leaves it this way or turns them
>>> on? Or when it defaults to on, who explicitly turns them off.
>>
>> Most people who disable ICMP DU just don't understand what ICMP DU
>> is for. Need I mention that PMTUD relies on ICMP type 3/code 4...
>> In addition, it looks like the "no ip unreach" interface command
>> disables the "too big" message as well, breaking PMTUD.
>> I prefer to enable ICMP DU on any interfaces where fragmentation
>> may occur.
>
> There is also a middle ground here - leave ICMP Destination Unreachable
> on but rate limit the replies to a suitably low value. This means that
> you will *probably* get a reply, but it's certainly not guaranteed.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
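The two settings the thread contrasts, written out as an added IOS configuration example (this is not configuration from the original post, from Cisco, or from any of the participants; the interface name, description and the specific rate-limit intervals are assumptions chosen for illustration). The first interface block is the "just turn it off" approach the thread warns about; the second is the middle ground Steinar describes: keep unreachables on where fragmentation can occur and bound their cost with the global `ip icmp rate-limit unreachable` command instead. The `df` form of that command limits only code 4 "fragmentation needed and DF set" messages, so a burst of ordinary unreachables (a port scan, for instance) does not consume the budget that PMTUD depends on.

```text
! --- weak: suppresses every ICMP type 3 sent from this interface,
! including code 4 "fragmentation needed and DF set", which is the
! PMTUD-breaking behaviour the thread reports for "no ip unreach"
interface GigabitEthernet0/1
 description assumed transit interface where the path MTU drops
 mtu 1500
 no ip unreachables
!
! --- corrected: leave unreachables enabled on the interface and
! rate-limit them globally instead of silencing them
interface GigabitEthernet0/1
 description assumed transit interface where the path MTU drops
 mtu 1500
 ip unreachables
!
! at most one non-DF unreachable per 1000 ms (interval is an assumption)
ip icmp rate-limit unreachable 1000
! code 4 (Too Big) gets its own, more generous budget: one per 100 ms,
! so scan-driven unreachables cannot starve PMTUD replies
ip icmp rate-limit unreachable df 100
```

To check the result from a host whose packets transit the router, send DF-marked probes larger than the smallest MTU on the path; on Linux that is `ping -M do -s 1472 <destination>` for a 1500-byte local MTU. With unreachables suppressed the probes simply time out; with them enabled you should see a "Frag needed and DF set (mtu = N)" reply, although under rate limiting some probes in a burst will still go unanswered, which is exactly the "probably, but not guaranteed" caveat from the thread.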