Anonymous (not verified) Mon, 06/24/2002 - 14:38

Create an access-list to block out ICMP packets (echo & other corresponding messages) on input interfaces to your network.

That should stop the ping storms.

What you might want to consider blocking are:

    echo                          Echo (ping)
    echo-reply                    Echo reply
    host-unreachable              Host unreachable
    administratively-prohibited   Administratively prohibited
    net-unreachable               Net unreachable
    unreachable                   All unreachables


Frederic Vanderbecq Tue, 06/25/2002 - 00:50
User Badges: Cisco Employee

Create an IP extended access-list to block ICMP packets. Only allow pings from well-known addresses from your network.

yusuff Tue, 06/25/2002 - 03:41
User Badges: Cisco Employee

Creating an ACL and blocking ICMP will solve the issue, but will also block legitimate ICMP pings, which you might want to allow from random sources.

The best way to control an EXCESSIVE ICMP flood is to use Committed Access Rate (CAR). CAR allows you to enforce a bandwidth policy against network traffic that matches an access list.

URLs for CAR:

http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html#first

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt1/qcdcar.htm


HTH

R/Yusuf
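
The two approaches discussed in this thread, side by side, as an added example that is not part of any poster's reply: an input ACL that only admits pings from a known prefix, and CAR rate-limiting ICMP echo traffic matched by an access list. The ACL numbers (101, 102), the interface (Serial0), the prefix 192.0.2.0/24 and the rate and burst values are assumptions to adapt to your link.

```cisco
! Option A: input ACL filter.
! Permit echo only from a known prefix (192.0.2.0/24 is a placeholder),
! drop all other echo requests, and let the rest of the traffic through.
! Only echo is filtered here: the "unreachable" keyword also matches
! ICMP type 3 code 4 (packet-too-big), which path MTU discovery relies on.
access-list 101 permit icmp 192.0.2.0 0.0.0.255 any echo
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in
!
! Option B: CAR rate limit instead of a hard drop.
! ACL 102 only classifies traffic for CAR; it does not filter by itself.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
! Arguments: rate in bps, normal burst in bytes, maximum burst in bytes.
! Matching ICMP within 256 kbps is forwarded, the excess is dropped,
! so pings from arbitrary sources still work at normal volumes.
interface Serial0
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
! Verification from exec mode:
!   show access-lists 101               (per-entry match counters)
!   show interfaces Serial0 rate-limit  (conformed and exceeded counts)
```

A steadily rising exceeded counter in the rate-limit output during a ping storm shows CAR is absorbing the flood while normal pings continue to conform.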
